
MacOS precompiled tarballs need to be signed to run with Gatekeeper enabled, or Hugo won't run. #13448

Open
akirch24 opened this issue Feb 25, 2025 · 2 comments


In recent versions of MacOS, Apple has implemented a tool called Gatekeeper. It is now on by default. More info:
Apple MacOS Gatekeeper
With Gatekeeper enabled, unsigned software will not run. To resolve this, Hugo will need to add signing/packaging to its build process for MacOS artifacts.

Steps to reproduce:

  1. Go to the Hugo downloads page: https://github.com/gohugoio/hugo/releases/tag/v0.144.2
  2. In Settings>Security Settings, confirm towards the bottom that Security>Allow Applications From: is App Store and Known Developers
  3. Download Hugo for macOS
  4. Untar hugo
  5. Invoke Hugo with ./Hugo using any arguments or none at all
  6. MacOS Gatekeeper prevents Hugo from launching, displaying the following dialog:
    [Screenshot of the Gatekeeper dialog]

Steps to fix:

  1. Get a developer ID and use Xcode to sign the application
  2. Produce a dmg or pkg file. The tool to use here is usually pkgbuild, which has a manpage on MacOS.
  3. Distribute the dmg or pkg file.

What version of Hugo are you using (hugo version)?

% ./hugo version
zsh: killed     ./Hugo version
% ls
LICENSE					README.md				hugo					hugo_0.144.2_darwin-universal.tar

Does this issue reproduce with the latest release?

As far as I can tell this is the latest release.
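The three fix steps from the report, as an added shell example (not code from the Hugo project or from hugoreleaser): it signs the hugo binary with a Developer ID, wraps it in a signed pkg with pkgbuild, notarizes and staples the package, and ends with the check that shows whether Gatekeeper would accept it. The signing identities, keychain profile name and package identifier are placeholders.

```shell
#!/bin/sh
# Added example: sign, package, notarize and verify a macOS hugo build.
# Not part of the hugo build; every identity and identifier below is a placeholder.
set -eu

APP_IDENTITY="Developer ID Application: EXAMPLE ORG (TEAMID0000)"  # placeholder
PKG_IDENTITY="Developer ID Installer: EXAMPLE ORG (TEAMID0000)"    # placeholder
NOTARY_PROFILE="example-notary-profile"  # placeholder; made with notarytool store-credentials
PKG_ID="io.example.hugo"                 # placeholder reverse-DNS identifier

# Sign the binary with a Developer ID, hardened runtime and a secure timestamp;
# notarization requires all three, not just a bare signature.
sign_binary() {  # $1 = path to binary
  [ -f "$1" ] || { echo "sign_binary: no such file: $1" >&2; return 1; }
  codesign --force --sign "$APP_IDENTITY" --options runtime --timestamp "$1"
  codesign --verify --strict -vv "$1"
}

# Wrap the signed binary in a signed installer package that puts it in /usr/local/bin.
build_pkg() {  # $1 = signed binary, $2 = version, $3 = output .pkg
  root=$(mktemp -d)
  mkdir -p "$root/usr/local/bin"
  cp "$1" "$root/usr/local/bin/hugo"
  pkgbuild --root "$root" --identifier "$PKG_ID" --version "$2" \
           --install-location / --sign "$PKG_IDENTITY" "$3"
  rm -rf "$root"
}

# Submit to Apple's notary service, wait for the verdict, then staple the ticket
# to the package so Gatekeeper can verify it without a network round trip.
notarize_pkg() {  # $1 = path to .pkg
  xcrun notarytool submit "$1" --keychain-profile "$NOTARY_PROFILE" --wait
  xcrun stapler staple "$1"
}

# The check a user or the release pipeline runs: would Gatekeeper accept this package?
assess_pkg() {  # $1 = path to .pkg
  pkgutil --check-signature "$1"
  spctl --assess --type install -vv "$1"
}

# usage: ./sign-and-package.sh ./hugo 0.144.2 hugo_0.144.2_darwin-universal.pkg
if [ "$#" -eq 3 ]; then
  sign_binary "$1" && build_pkg "$1" "$2" "$3" && notarize_pkg "$3" && assess_pkg "$3"
fi
```

The final spctl assessment is also what a user on a managed Mac can run against a downloaded pkg before installing it.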

@bep bep removed the NeedsTriage label Feb 25, 2025
@bep bep added this to the v0.145.0 milestone Feb 25, 2025

bep commented Feb 25, 2025

So, I have the building blocks needed to enable signing and notarization for this; I both sign and notarise hugoreleaser, but it's a little bit of an extra hassle to set up ... You can certainly override (open anyway ...) this for a given binary; I have Gatekeeper enabled, but I just downloaded and executed the latest hugo.

Also, you can use brew to install Hugo (I think they build from source and then do "local signing" or something).


trelane commented Feb 25, 2025

Bep,

Hugely appreciate the quick response. We have MDM via Intune, but this will likely also be a problem centrally managing with JAMF. We have a workaround by forcing it to be allowed. We're trying to avoid Brew and centrally manage applications for security. For users with Gatekeeper enforcing, and no local admin rights, this will be a showstopper until they can get help from their IT Department.
Package signing is a pain, but everything I can see indicates we're headed towards a Zero Trust model for just about everything.

Andrew
