| 12 Jun 2026 |
 Randy Eckenrode | Signing has to be done with a developer certificate issued by Apple or one you trusted manually. | 11:50:27 |
 WeetHet | * You won't be able to rebuild these bit for bit | 11:50:44 |
| WeetHet | NixOS can get a certificate, or? | 11:50:58 |
 Ben Sparks | bit for bit reproducibility is an extremely high target | 11:51:05 |
| WeetHet | It's 100$? | 11:51:06 |
| Randy Eckenrode | We don’t have a way to do that safely, so it would have to be done separately and provided as binaries (which I think is what WeetHet is getting at). | 11:51:18 |
| WeetHet | Yeah that's basically my idea | 11:51:35 |
| WeetHet | Still better than using binaries provided by apple | 11:52:00 |
| Randy Eckenrode | I don’t think we’d want to sign a bunch of binaries like that. If there’s a problem, Apple could revoke the certificate and break everything. | 11:52:11 |
| Randy Eckenrode | Probably the way to go is a cert we install, but we still don’t have a way to safely manage signing. | 11:52:44 |
| Randy Eckenrode | The issue is if you can make Nix sign arbitrary code, it undermines the security model behind entitlements. | 11:53:10 |
| WeetHet | The derivations that are signed this way would need to be approved by darwin-core? | 11:54:15 |
 K900 | Doesn't Apple require additional verification for those certs anyway? | 11:55:06 |
| WeetHet | Preferably this should be done together with requiring mandatory commit signing for everyone in nixpkgs so no one could just update a random file and fake a signature | 11:55:36 |
| WeetHet | * Preferably this should be done together with requiring mandatory commit signing for everyone in nixpkgs so no one could just update a random file and fake the author | 11:55:42 |
| K900 | That is never happening | 11:56:36 |
| Randy Eckenrode | If we did it separately. I’m thinking more generally like a signing service (akin to suid wrappers), which has been proposed and rejected for that reason. | 11:56:44 |
| WeetHet | I don't see why a separate subset of such packages can't exist | 11:57:12 |
| WeetHet | We would at least be able to distribute debug server finally | 11:57:23 |
| Randy Eckenrode | No. The verification is if you sell on the app store. They need a D&B number IIRC. | 11:57:26 |
| Randy Eckenrode | I could build debugserver and sign it with my certificate, but I would rather not be that one block at the bottom of the tower in that XKCD comic. | 11:58:39 |
| WeetHet | The certificate should be procured by the nixos foundation | 11:59:25 |
| WeetHet | IMHO | 11:59:28 |
| Randy Eckenrode | Some entitlements work with ad hoc signatures. We should enable those if we can. | 12:00:18 |
| WeetHet | Btw have you seen macOS 27? | 12:00:57 |
| WeetHet | I hate the reverted sidebars | 12:01:03 |
| WeetHet | If you make a new design language at least stick to it instead of just mixing the old one together with the new one | 12:01:40 |
| WeetHet | Like now we have liquid glass buttons on top of acrylic surfaces | 12:02:34 |
| WeetHet | Which just looks horrible | 12:02:42 |
| WeetHet | Oh, and the sidebars still behave like they are above the window surface, so some objects can go behind them even though they aren't visually | 12:07:23 |
