security: remove hardcoded Apple Developer ID

nedimf · nedimf · commit 822a5459de78 · 2026-01-18T01:51:23.000+01:00
Removed hardcoded certificate hash from install.sh and Makefile.
Code signing now requires APPLE_DEVELOPER_ID environment variable.
diff --git a/Makefile b/Makefile
@@ -6,8 +6,8 @@ COMMIT=$(shell git rev-parse --short HEAD 2>/dev/null || echo "none")
 BUILD_TIME=$(shell date -u '+%Y-%m-%d_%H:%M:%S')
 LDFLAGS=-ldflags "-X main.version=$(VERSION) -X main.commit=$(COMMIT)"
 
-# Apple code signing (set via environment or use default)
-APPLE_DEVELOPER_ID ?= 9E5DE6F9BC4DF45371D1121683B21D1638CDB875
+# Apple code signing (set APPLE_DEVELOPER_ID env var to enable)
+# Example: APPLE_DEVELOPER_ID=YOUR_CERT_HASH make build-signed
 
 .PHONY: all build build-signed clean install test lint
 
@@ -18,15 +18,17 @@ build:
 	go build $(LDFLAGS) -o $(BINARY_NAME) .
 
 build-signed: build
-	@echo "Signing binary..."
-	@if [ "$$(uname)" = "Darwin" ]; then \
+	@if [ "$$(uname)" = "Darwin" ] && [ -n "$(APPLE_DEVELOPER_ID)" ]; then \
+		echo "Signing binary..."; \
 		codesign --force --options runtime --sign "$(APPLE_DEVELOPER_ID)" $(BINARY_NAME); \
 		echo "Binary signed successfully"; \
+	elif [ "$$(uname)" = "Darwin" ]; then \
+		echo "Skipping code signing (set APPLE_DEVELOPER_ID to enable)"; \
 	else \
 		echo "Skipping code signing (not macOS)"; \
 	fi
 
-install: build-signed
+install: build
 	@echo "Installing to ~/.local/bin..."
 	@mkdir -p ~/.local/bin
 	@cp $(BINARY_NAME) ~/.local/bin/$(BINARY_NAME)
diff --git a/install.sh b/install.sh
@@ -5,9 +5,9 @@ set -e
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 cd "$SCRIPT_DIR"
 
-# Apple Code Signing Configuration
-# Set these environment variables or they will use defaults
-APPLE_DEVELOPER_ID="${APPLE_DEVELOPER_ID:-9E5DE6F9BC4DF45371D1121683B21D1638CDB875}"
+# Apple Code Signing Configuration (optional)
+# Set APPLE_DEVELOPER_ID environment variable to enable signing
+# Example: export APPLE_DEVELOPER_ID="your-certificate-hash"
 
 echo "=========================================="
 echo "  Logdump Installation Script"
@@ -36,8 +36,8 @@ if ! go build -o logdump .; then
     exit 1
 fi
 
-# Sign the binary (macOS only)
-if [[ "$OSTYPE" == "darwin"* ]]; then
+# Sign the binary (macOS only, requires APPLE_DEVELOPER_ID)
+if [[ "$OSTYPE" == "darwin"* ]] && [[ -n "$APPLE_DEVELOPER_ID" ]]; then
     echo "Signing binary with Developer ID..."
     if command -v codesign &> /dev/null; then
         codesign --force --options runtime --sign "$APPLE_DEVELOPER_ID" logdump
@@ -50,6 +50,8 @@ if [[ "$OSTYPE" == "darwin"* ]]; then
     else
         echo "Warning: codesign not found, skipping signing"
     fi
+elif [[ "$OSTYPE" == "darwin"* ]]; then
+    echo "Skipping code signing (set APPLE_DEVELOPER_ID to enable)"
 fi
 
 # Install binary
