Add `pkg` signing and notarization support to `fleetdm/fleetctl` docker image
Goal
Add signing and notarization support to the fleetdm/fleetctl (beta) docker image.
No stapling will be required on this iteration.
How?
#6229 describes the approach that we think will work on a Linux docker container.
@lucasmrod @roperzh Could I get clarification on this notarization work? Currently, after downloading a Mac package, I am required to allow the package to be installed via the Security Center. Is this the expected flow?
The package will install and work as expected after allowing it through the Security Center.


@xpkoala seems like the package is signed but not notarized/stapled. I think this is not related to this specific issue but to the sandbox config though, let me take a look.
@roperzh This is ready to be re-tested by @xpkoala, right?
Yes, I think the issue never was related to this but to sandbox.
@xpkoala it might be difficult for you to test this, since you'll need Apple credentials. For what it's worth, @zwass and myself tested this a couple of times already.
@roperzh
I think that testing the packages downloaded from a Fleet Sandbox is the proof this is working as expected. (No need for Reed to set up credentials.) What do you think?
@lucasmrod 👍 I agree, it's not 100% the same, as Sandbox is using the Go API (so not using this image at all), but I'd consider it good enough given the context.
Ah good point. It does make sense for someone other than you (@roperzh) to test this.
@zwass also successfully notarized packages using the Docker image (twice I think).
Thanks for the assistance on this!