Improve packaging + distribution of the local companion #9615
Labels
aspect: security
Anything related to preventing vulnerabilities
component: local app
meta: stale
This issue/PR is stale and will be closed soon
team: IDE
Comments
loujaybee
added
aspect: security
|
For Windows and macOS: Go for the regular code-signing step with a trusted CA. For Linux: Things might go a bit tricky, since each distro has its own packaging formats and way to sign packages. If Gitpod prefers to manage the package repo for Local Companion themselves and not use distro-specifics, maybe GPG + checksums on both monthly releases and nightly builds is enough on my opinion. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, the local companion is downloaded and installed as an executable, which can lead to security warnings. We need to ensure the app can be downloaded from trusted registries, and signed where necessary to ensure user trust and prevent security warnings or flagging by anti-virus software etc.
https://developer.apple.com/documentation/notaryapi/submitting_software_for_notarization_over_the_web
The text was updated successfully, but these errors were encountered: