That doesn't make sense though: the only way you can know is because you also built it, at which point you don't need the signed binaries! The code signing is only useful if you want to know the binaries were produced by a vendor you already trust.
You said you don't "have an in-house build". So I guess you do now; then why can't you distribute that build? That doesn't require reproducible builds, and has the same security benefits.
How do you know the in-house build server is OK?
How do you know anything isn't compromised? Are we going to discuss "Reflections on Trusting Trust", or are we going to talk about reproducible builds?
I said I don't have an in-house build/package/deploy system. I didn't say I don't have a build system.
Which part don't you have? The packaging is one more command, no?