I think Bitcoin Core had tools to do this for almost the past decade, including reproducible builds with cross-compilation from a Linux toolchain to Windows and macOS targets, and verification?
Made something for creating detached code signatures for macOS/Windows binaries.
1. Reproducibly build program
2. Copy it
3. Codesign (+ notarize for macOS) the copy
4. Take a 'diff' between the 2
The '.diff' is just the signatures, which can be applied to the unsigned binaries at a later date (so others can verify build reproducibility)
Think I'll publish it to Debian and Homebrew once I add a few things; check it out!
https://github.com/05nelsonm/kmp-tor-binary/blob/master/tools/diff-cli/README.md
Had a unique issue which #[0] found. Tor binaries for macOS weren't signed or notarized, so when he went to run `kmp-tor` on macOS aarch64, Gatekeeper said "nope, not happening".
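To make the build, copy, sign, diff, apply workflow from the post concrete, here is an added Python sketch (not the kmp-tor diff-cli code; its JSON layout and the sample "binary" are assumptions): it records only the bytes the signing step changed, and refuses to apply them unless the rebuilt unsigned binary hashes the same as the one that was originally signed.

```python
import difflib
import hashlib
import json

# Toy detached-signature "diff": the unsigned reproducible build plus this record
# yields the exact signed artifact. The JSON layout is an assumption for
# illustration only, not the diff-cli format from the post.

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_sig_diff(unsigned: bytes, signed: bytes) -> dict:
    """Describe how to turn `unsigned` into `signed` as copy/literal operations."""
    ops = []
    matcher = difflib.SequenceMatcher(None, unsigned, signed, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ops.append({"op": "copy", "start": i1, "end": i2})
        elif tag in ("replace", "insert"):
            # Bytes added by signing (patched headers, appended signature blob)
            # are stored literally; they are the only payload in the diff.
            ops.append({"op": "literal", "hex": signed[j1:j2].hex()})
        # "delete": unsigned bytes that signing dropped, so emit nothing
    return {"unsigned_sha256": sha256(unsigned),
            "signed_sha256": sha256(signed), "ops": ops}

def apply_sig_diff(unsigned: bytes, diff: dict) -> bytes:
    """Re-create the signed binary from a (re)built unsigned binary plus the diff.

    Raises ValueError if the local build does not reproduce the artifact that was
    signed, or if the reconstruction does not match the recorded signed hash."""
    if sha256(unsigned) != diff["unsigned_sha256"]:
        raise ValueError("unsigned binary is not the build the signature was made for")
    out = bytearray()
    for op in diff["ops"]:
        if op["op"] == "copy":
            out += unsigned[op["start"]:op["end"]]
        else:
            out += bytes.fromhex(op["hex"])
    if sha256(out) != diff["signed_sha256"]:
        raise ValueError("reconstructed binary does not match the signed artifact")
    return bytes(out)

# Constructed sample: a fake binary, and a "signed" copy with a patched header
# field and an appended signature blob standing in for real codesign output.
UNSIGNED = b"MZ-demo-header\x00\x00\x00\x00" + bytes(range(64)) + b"\x00" * 16
SIGNED = (b"MZ-demo-header\x00\x00\x01\x02" + bytes(range(64)) + b"\x00" * 16
          + b"SIGBLOB:" + b"\xaa" * 32)

if __name__ == "__main__":
    diff = make_sig_diff(UNSIGNED, SIGNED)
    print(json.dumps(diff, indent=1))
    assert apply_sig_diff(UNSIGNED, diff) == SIGNED
```

Anyone who rebuilds the unsigned binary can apply the published diff; a hash mismatch on either side means the build was not reproduced or the diff was not made for it.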
Discussion
Yeah, Andrew Chow's signapple (macOS), and osslcodesign (Windows).
Both programs have their own file format for the detached signatures, and require each to be installed by people applying the detached signatures. I went with a standardized way with a single file format for both.
I ended up using Rust's apple-codesign because there were some finicky things with signapple: no built-in notarize capability, and it doesn't work with smart cards.
All in all, it works out well. The diff-CLI tool is also just a wrapper around the core Kotlin Multiplatform library, so it is usable in applications too!
osslsigncode*