Description
Not a problem per se, just a usability enhancement: currently, using the hash-based method of specifying the fingerprint of each script means a new MDM payload must be pushed with each revision, which can cause extra traffic and inflexibility, since how scripts are distributed must stay in lockstep with the hashes specified. (An MDM update can be an uncertain thing timing- and reliability-wise.) Right now I'm just excluding those hash keys from the payload when iterating on scripts, but our whole bootstrap is run by outset, so this slows us down and leaves the moving parts slightly under-verified before release.
In addition to the 'flat' way an MDM config can be told about scripts and hashes, I'd propose the ability (ideally, with a teamID of a signing cert/developer account) to have outset only validate that signing by an org-controlled cert has been accurately applied to a (suggested/example naming/path) '/usr/local/outset/share/OutsetResources.plist' file with those hashes and paths in it. This mirrors both the signing processes some of us already deal with re: MDM payloads, and Apple's CodeResources model of essentially compiling a manifest of files to validate signing for, which speeds up and (somewhat) simplifies maintenance. This file, updated as an admin iterates over configs, can be distributed without needing to bump hashes in an MDM payload that must be bumped with each iteration, reducing traffic on what can be a more cumbersome moving part.
A less attractive option would be signing the artifacts themselves and having outset BOTH validate the signing and strip the signature so it can be passed to an interpreter, or using 'full' signed/compiled binaries; in both cases we'd still need to tell outset about our signing, and it sounds like a clumsy thing that hurts maintainability of the (assumed majority) scripts we want to leverage.
I COULD mock up/spell out the moving parts and point to libraries like those used in projects like Santa, but I'm proposing that the idea is straightforward ENOUGH - please let me know if I should fill in blanks or try taking a crack at this myself.
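One way to sketch the manifest check this issue proposes, as an added example that is not outset's code: the admin records path-to-SHA-256 pairs in a plist and signs it; the agent refuses the whole manifest if the signature fails and skips any script that is absent from it or no longer matches its recorded hash. An HMAC over the manifest bytes with a constructed key stands in for the CMS/codesign team-ID verification outset would do on macOS, and the script names are constructed.

```python
import hashlib
import hmac
import plistlib
import tempfile
from pathlib import Path

# Constructed stand-in for the org signing key. Real outset would verify a
# CMS/codesign signature against an org team ID, not an HMAC.
ORG_KEY = b"constructed-org-key"


def sign_manifest(manifest_bytes: bytes, key: bytes = ORG_KEY) -> bytes:
    return hmac.new(key, manifest_bytes, hashlib.sha256).digest()


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(script_dir: Path) -> bytes:
    """Admin side: record each script's path and SHA-256 in the plist manifest."""
    scripts = {str(p): sha256_file(p) for p in sorted(script_dir.iterdir()) if p.is_file()}
    return plistlib.dumps({"scripts": scripts})


def verified_scripts(manifest_bytes: bytes, signature: bytes, script_dir: Path,
                     key: bytes = ORG_KEY) -> list:
    """Agent side: trust the manifest only after its signature checks out, then
    return only the scripts whose current hash matches the manifest."""
    if not hmac.compare_digest(sign_manifest(manifest_bytes, key), signature):
        return []  # unsigned or tampered manifest: nothing runs
    manifest = plistlib.loads(manifest_bytes)["scripts"]
    runnable = []
    for p in sorted(script_dir.iterdir()):
        expected = manifest.get(str(p))
        if expected is None or not hmac.compare_digest(expected, sha256_file(p)):
            continue  # dropped-in or modified script: skip it
        runnable.append(p.name)
    return runnable


def demo() -> dict:
    """Constructed scenario: sign two scripts, then edit one, add one, tamper the manifest."""
    with tempfile.TemporaryDirectory() as d:
        sd = Path(d)
        (sd / "a.sh").write_text("#!/bin/sh\necho a\n")
        (sd / "b.sh").write_text("#!/bin/sh\necho b\n")
        manifest = build_manifest(sd)
        sig = sign_manifest(manifest)
        signed = verified_scripts(manifest, sig, sd)
        (sd / "b.sh").write_text("#!/bin/sh\necho edited\n")  # changed after signing
        (sd / "c.sh").write_text("#!/bin/sh\necho c\n")       # never in the manifest
        after_edit = verified_scripts(manifest, sig, sd)
        tampered = verified_scripts(manifest + b"\n", sig, sd)  # manifest altered
        return {"signed": signed, "after_edit": after_edit, "tampered_manifest": tampered}
```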