Code Signing is Not Optional
I’ve heard from way too many projects that they can’t sign their applications and binaries. This isn’t true. What it really means is that it’s a hassle for them to do so, or costs them a few bucks. In 2025 this is not OK. Code signing, developer attestation, and reproducible builds are mandatory. Open source is not an excuse. The problems of supply chain attacks and malware are far too serious to allow unsigned, unattested software on our devices. Letting projects get away with this because they’re open source and no one pays them is like letting home gardeners pour poisonous pesticides into the water supply. If a hobby project can’t be bothered to navigate code signing requirements, then it shouldn’t be allowed on other people’s computers, any more than we allow home-built autos that don’t meet mandatory safety requirements on the public highways or hobbyist drones to fly around airports. There are costs associated with production software, and if you’re not able to pay those costs, don’t ship.
Of course, it’s not just open source developers that have to do this. It’s all software, closed source commercial and enterprise included. And it’s not just a question of ticking the checkboxes. You have to do this right. Recently I’ve noticed a common UI problem in a lot of commercial software when it comes to app signing. Take a look. Do you see it?
Who are these developers? Some I recognize, like Microsoft and Google. These are good. They identify a company I know and a specific product that I’ve chosen to install. But a lot I don’t. The worst of all is run.sh. What the hell is that? (Notice I’ve disabled it.) Apps need to be signed with clear names that identify the developer and the product. For instance, would you guess that PhotoMinds LLC is Arq? I didn’t, so I disabled it. If it said Arq I would have let it keep running. Rogue Amoeba Audio Capture Engine I think has something to do with a screen recorder I used a month ago, but I shouldn’t have to google it to find out for sure.
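When a background item shows a name you don’t recognize, the signature on the binary is the place to look: on macOS, `codesign -dvv <path>` prints the bundle `Identifier=` and the certificate chain as `Authority=` lines, and the `Developer ID Application:` authority carries the legal name of the signer and its Team ID in parentheses. The shell function below is an added example, not code from the original post; it condenses that dump into one line so the developer behind an unfamiliar name is visible at a glance, and it reports plainly when something (like a bare `run.sh`) is not signed at all. The sample `codesign` output it is fed is constructed, and the identifier `com.example.arq` and Team ID `ABCDE12345` are placeholders, not the real values for Arq.

```shell
#!/bin/sh
# Added example (not from the original post). Summarise a `codesign -dvv`
# dump into "Identifier | Signer (Team ID)". Reads the dump from stdin, so
# it can be tested on constructed text without a Mac.

summarize_codesign() {
  awk '
    # Unsigned binaries produce a single diagnostic line instead of fields.
    /code object is not signed at all/ { unsigned = 1 }
    # Bundle identifier the developer chose (e.g. com.company.product).
    /^Identifier=/ { id = substr($0, index($0, "=") + 1) }
    # Developer ID cert: "Developer ID Application: Legal Name (TEAMID)".
    /^Authority=Developer ID Application:/ { auth = substr($0, index($0, ":") + 2) }
    # Fall back to a development cert only if no Developer ID cert was seen.
    /^Authority=Apple Development:/ && auth == "" { auth = substr($0, index($0, ":") + 2) }
    END {
      if (unsigned) { print "UNSIGNED | (no signer)"; exit }
      if (id == "")   id = "(no identifier)"
      if (auth == "") auth = "(no Developer ID authority)"
      print id " | " auth
    }'
}

# On a real macOS system this is how you would use it (codesign writes to
# stderr, hence the redirect); the path is whatever the login item points at.
#   codesign -dvv /Applications/Arq.app 2>&1 | summarize_codesign

# Constructed sample dumps so the example runs anywhere. Values are placeholders.
SAMPLE_SIGNED='Executable=/Applications/Arq.app/Contents/MacOS/Arq
Identifier=com.example.arq
Authority=Developer ID Application: PhotoMinds LLC (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

SAMPLE_UNSIGNED='/Users/me/run.sh: code object is not signed at all'

# Named wrappers so each result can be checked, not just printed.
signed_summary()   { printf '%s\n' "$SAMPLE_SIGNED"   | summarize_codesign; }
unsigned_summary() { printf '%s\n' "$SAMPLE_UNSIGNED" | summarize_codesign; }

signed_summary
unsigned_summary
```

The first line of output is `com.example.arq | PhotoMinds LLC (ABCDE12345)`: the signer is a legal entity name, which is exactly why the login item list shows PhotoMinds LLC rather than Arq. The second is `UNSIGNED | (no signer)`, the case where the only sensible default is to leave the item disabled until you know where it came from.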
Applications need to be signed and they need to be signed with names of both company and product. Don’t make users guess what’s running on their computer.