Merge branch 'master' into danj/user_shell_version

gravitational · Sep 28, 2024 · 84d1c60 · 84d1c60
2 parents 384d766 + a0314d9
commit 84d1c60
Show file tree

Hide file tree

Showing 11 changed files with 213 additions and 138 deletions.
diff --git a/assets/aws/Makefile b/assets/aws/Makefile
@@ -2,7 +2,7 @@
 # This must be a _released_ version of Teleport, i.e. one which has binaries
 # available for download on https://goteleport.com/download
 # Unreleased versions will fail to build.
-TELEPORT_VERSION ?= 16.4.1
+TELEPORT_VERSION ?= 16.4.2
 
 # Teleport UID is the UID of a non-privileged 'teleport' user
 TELEPORT_UID ?= 1007

diff --git a/examples/aws/terraform/AMIS.md b/examples/aws/terraform/AMIS.md
@@ -6,116 +6,116 @@ This list is updated when new AMI versions are released.
 ### OSS
 
 ```
-# ap-northeast-1 v16.4.1 arm64 OSS: ami-084d883e764da3c7b
-# ap-northeast-1 v16.4.1 x86_64 OSS: ami-07dfdbb3f66bace6f
-# ap-northeast-2 v16.4.1 arm64 OSS: ami-066fe85289a4a9d42
-# ap-northeast-2 v16.4.1 x86_64 OSS: ami-011371fd2df123c64
-# ap-northeast-3 v16.4.1 arm64 OSS: ami-0bc4806fd43e34203
-# ap-northeast-3 v16.4.1 x86_64 OSS: ami-0f14fdfa27941ab8c
-# ap-south-1 v16.4.1 arm64 OSS: ami-02d1674fae53babd3
-# ap-south-1 v16.4.1 x86_64 OSS: ami-0da0901f92d64c534
-# ap-southeast-1 v16.4.1 arm64 OSS: ami-06850d98114770a86
-# ap-southeast-1 v16.4.1 x86_64 OSS: ami-02c6b44215d409767
-# ap-southeast-2 v16.4.1 arm64 OSS: ami-00bcc99a9d15ea090
-# ap-southeast-2 v16.4.1 x86_64 OSS: ami-074fbb9a117d12391
-# ca-central-1 v16.4.1 arm64 OSS: ami-042ba80ad1fcaa989
-# ca-central-1 v16.4.1 x86_64 OSS: ami-0d236b5c8a1d190bc
-# eu-central-1 v16.4.1 arm64 OSS: ami-076bd9c8362cd08f6
-# eu-central-1 v16.4.1 x86_64 OSS: ami-0f3eadb1099cad74f
-# eu-north-1 v16.4.1 arm64 OSS: ami-07a61e5fd8c1b554c
-# eu-north-1 v16.4.1 x86_64 OSS: ami-03023c58946f6e56b
-# eu-west-1 v16.4.1 arm64 OSS: ami-0474dd0015b15108e
-# eu-west-1 v16.4.1 x86_64 OSS: ami-0208f6f76c6762d3e
-# eu-west-2 v16.4.1 arm64 OSS: ami-002f92c36d2464e99
-# eu-west-2 v16.4.1 x86_64 OSS: ami-0b8d8fd1f16daf401
-# eu-west-3 v16.4.1 arm64 OSS: ami-0da3dbb97dbf81732
-# eu-west-3 v16.4.1 x86_64 OSS: ami-01546fb76bbd77171
-# sa-east-1 v16.4.1 arm64 OSS: ami-076a52a7f5831a1f6
-# sa-east-1 v16.4.1 x86_64 OSS: ami-0aa7f74651399217f
-# us-east-1 v16.4.1 arm64 OSS: ami-0e340f39635a3f3c3
-# us-east-1 v16.4.1 x86_64 OSS: ami-0a18dd69f98d0df65
-# us-east-2 v16.4.1 arm64 OSS: ami-011cfa254550d2685
-# us-east-2 v16.4.1 x86_64 OSS: ami-0cf0aaf01a3bc4d12
-# us-west-1 v16.4.1 arm64 OSS: ami-0f04ca10d6a125dc3
-# us-west-1 v16.4.1 x86_64 OSS: ami-031579d318fd73bed
-# us-west-2 v16.4.1 arm64 OSS: ami-0bf00d0d3b66fa7a1
-# us-west-2 v16.4.1 x86_64 OSS: ami-021bbcd8b0c12a677
+# ap-northeast-1 v16.4.2 arm64 OSS: ami-0d1de5cd0605b958f
+# ap-northeast-1 v16.4.2 x86_64 OSS: ami-0e769a7784849f3e0
+# ap-northeast-2 v16.4.2 arm64 OSS: ami-01298b051053f2969
+# ap-northeast-2 v16.4.2 x86_64 OSS: ami-09a8ec4a8492b7f28
+# ap-northeast-3 v16.4.2 arm64 OSS: ami-04d26b07bed60854c
+# ap-northeast-3 v16.4.2 x86_64 OSS: ami-0fd0dd89b47197b3e
+# ap-south-1 v16.4.2 arm64 OSS: ami-039d2a0fcac05ab0f
+# ap-south-1 v16.4.2 x86_64 OSS: ami-0353819ca42c545d6
+# ap-southeast-1 v16.4.2 arm64 OSS: ami-0e835afaf3b2a8122
+# ap-southeast-1 v16.4.2 x86_64 OSS: ami-0c1e9d4b1829fac38
+# ap-southeast-2 v16.4.2 arm64 OSS: ami-048112590e6c49bc6
+# ap-southeast-2 v16.4.2 x86_64 OSS: ami-0b2823ef543169820
+# ca-central-1 v16.4.2 arm64 OSS: ami-09cdb7f226b6d844b
+# ca-central-1 v16.4.2 x86_64 OSS: ami-0b7f3b5b58a9581f1
+# eu-central-1 v16.4.2 arm64 OSS: ami-074c95cee9b734842
+# eu-central-1 v16.4.2 x86_64 OSS: ami-0ec9a5fa7aa178449
+# eu-north-1 v16.4.2 arm64 OSS: ami-0e174691d8bf21f14
+# eu-north-1 v16.4.2 x86_64 OSS: ami-090deb053b969834a
+# eu-west-1 v16.4.2 arm64 OSS: ami-0b60eb58c65186255
+# eu-west-1 v16.4.2 x86_64 OSS: ami-0d5079cae18df4e8e
+# eu-west-2 v16.4.2 arm64 OSS: ami-02545246ac2f9bb4a
+# eu-west-2 v16.4.2 x86_64 OSS: ami-043fc01015e11792b
+# eu-west-3 v16.4.2 arm64 OSS: ami-05bd0071d67c37f5d
+# eu-west-3 v16.4.2 x86_64 OSS: ami-0a73e639a465ceb26
+# sa-east-1 v16.4.2 arm64 OSS: ami-0f35cb5d97ab41581
+# sa-east-1 v16.4.2 x86_64 OSS: ami-068ffa780e5fac3c0
+# us-east-1 v16.4.2 arm64 OSS: ami-00371973dd749a763
+# us-east-1 v16.4.2 x86_64 OSS: ami-0814b347511012792
+# us-east-2 v16.4.2 arm64 OSS: ami-0af0148ea0b32bd61
+# us-east-2 v16.4.2 x86_64 OSS: ami-03554afe3402ff36a
+# us-west-1 v16.4.2 arm64 OSS: ami-0e4b811cab62e2d90
+# us-west-1 v16.4.2 x86_64 OSS: ami-064341cbd9fd111d9
+# us-west-2 v16.4.2 arm64 OSS: ami-02833fa4cf6dc2368
+# us-west-2 v16.4.2 x86_64 OSS: ami-0ea331385c4338da6
 ```
 
 ### Enterprise
 
 ```
-# ap-northeast-1 v16.4.1 arm64 Enterprise: ami-025370bc648b23a63
-# ap-northeast-1 v16.4.1 x86_64 Enterprise: ami-0b33043ec004a5865
-# ap-northeast-2 v16.4.1 arm64 Enterprise: ami-0490adb3ba29ff0f1
-# ap-northeast-2 v16.4.1 x86_64 Enterprise: ami-09e7e926ec411bb4f
-# ap-northeast-3 v16.4.1 arm64 Enterprise: ami-0409380a8da1419f1
-# ap-northeast-3 v16.4.1 x86_64 Enterprise: ami-0e3333f1667c0d600
-# ap-south-1 v16.4.1 arm64 Enterprise: ami-077ade4f5da5e912c
-# ap-south-1 v16.4.1 x86_64 Enterprise: ami-025ac95d32bac30ba
-# ap-southeast-1 v16.4.1 arm64 Enterprise: ami-0bd77f04ea1cad7c3
-# ap-southeast-1 v16.4.1 x86_64 Enterprise: ami-07e51e87a7124e6f0
-# ap-southeast-2 v16.4.1 arm64 Enterprise: ami-057ff33b1841a087c
-# ap-southeast-2 v16.4.1 x86_64 Enterprise: ami-0f8f6ed2aa3f97058
-# ca-central-1 v16.4.1 arm64 Enterprise: ami-0423c2e2643a14ae5
-# ca-central-1 v16.4.1 x86_64 Enterprise: ami-0e66676008eb62498
-# eu-central-1 v16.4.1 arm64 Enterprise: ami-0c77c521cc08dc879
-# eu-central-1 v16.4.1 x86_64 Enterprise: ami-0e6390bfae8b2fee5
-# eu-north-1 v16.4.1 arm64 Enterprise: ami-0742d069d96d6f501
-# eu-north-1 v16.4.1 x86_64 Enterprise: ami-0a73bf2e81604cacb
-# eu-west-1 v16.4.1 arm64 Enterprise: ami-015a8e09bef859c7b
-# eu-west-1 v16.4.1 x86_64 Enterprise: ami-0654a9817cf855ee7
-# eu-west-2 v16.4.1 arm64 Enterprise: ami-013c9adba1e2fada7
-# eu-west-2 v16.4.1 x86_64 Enterprise: ami-0accd8971c0631b79
-# eu-west-3 v16.4.1 arm64 Enterprise: ami-0ff2436909c06e464
-# eu-west-3 v16.4.1 x86_64 Enterprise: ami-08b5625dd3b24d8cc
-# sa-east-1 v16.4.1 arm64 Enterprise: ami-01fdaa3f8d6c17c92
-# sa-east-1 v16.4.1 x86_64 Enterprise: ami-080d8f2e70a337341
-# us-east-1 v16.4.1 arm64 Enterprise: ami-0e6842842d35aa747
-# us-east-1 v16.4.1 x86_64 Enterprise: ami-014b8db436a9941e1
-# us-east-2 v16.4.1 arm64 Enterprise: ami-0ce74e0df30a3e087
-# us-east-2 v16.4.1 x86_64 Enterprise: ami-04be16ee84e2a0663
-# us-west-1 v16.4.1 arm64 Enterprise: ami-00ae7e6ab2178cdaf
-# us-west-1 v16.4.1 x86_64 Enterprise: ami-0c38962acc21a88b4
-# us-west-2 v16.4.1 arm64 Enterprise: ami-0b6b7aa58a5f1a031
-# us-west-2 v16.4.1 x86_64 Enterprise: ami-084ad3342ff4738d1
+# ap-northeast-1 v16.4.2 arm64 Enterprise: ami-0e112fdb8c42b07ca
+# ap-northeast-1 v16.4.2 x86_64 Enterprise: ami-06964f38d5618ccfc
+# ap-northeast-2 v16.4.2 arm64 Enterprise: ami-064991b83695fadf9
+# ap-northeast-2 v16.4.2 x86_64 Enterprise: ami-04ef642d6b86ce904
+# ap-northeast-3 v16.4.2 arm64 Enterprise: ami-007c7e8e0281f4b1e
+# ap-northeast-3 v16.4.2 x86_64 Enterprise: ami-08f9627950aa3badc
+# ap-south-1 v16.4.2 arm64 Enterprise: ami-04f4cbb5a1ef25c4e
+# ap-south-1 v16.4.2 x86_64 Enterprise: ami-0affd666c472fb28b
+# ap-southeast-1 v16.4.2 arm64 Enterprise: ami-091ef5538af89fe3e
+# ap-southeast-1 v16.4.2 x86_64 Enterprise: ami-0dea565a5ac9d342a
+# ap-southeast-2 v16.4.2 arm64 Enterprise: ami-0881a65f61eb82cb5
+# ap-southeast-2 v16.4.2 x86_64 Enterprise: ami-0755cba93afc15923
+# ca-central-1 v16.4.2 arm64 Enterprise: ami-0a429c22485874a4c
+# ca-central-1 v16.4.2 x86_64 Enterprise: ami-094dbbd2e13c12c54
+# eu-central-1 v16.4.2 arm64 Enterprise: ami-0b4769874251fd05c
+# eu-central-1 v16.4.2 x86_64 Enterprise: ami-0abe6616a3a8cf285
+# eu-north-1 v16.4.2 arm64 Enterprise: ami-0ca51ab8dedabc13e
+# eu-north-1 v16.4.2 x86_64 Enterprise: ami-04e63095d0bdb026b
+# eu-west-1 v16.4.2 arm64 Enterprise: ami-0a122ae78b30a9491
+# eu-west-1 v16.4.2 x86_64 Enterprise: ami-0c5f4a872aa57d170
+# eu-west-2 v16.4.2 arm64 Enterprise: ami-06d1e32caf88b2dff
+# eu-west-2 v16.4.2 x86_64 Enterprise: ami-067d9a06498755b05
+# eu-west-3 v16.4.2 arm64 Enterprise: ami-0348bd4ca8a69233d
+# eu-west-3 v16.4.2 x86_64 Enterprise: ami-03b5bf89af3a0bad4
+# sa-east-1 v16.4.2 arm64 Enterprise: ami-0c04062d00c5ff1af
+# sa-east-1 v16.4.2 x86_64 Enterprise: ami-069bd779e5a614cce
+# us-east-1 v16.4.2 arm64 Enterprise: ami-08dc881bcfa7836e5
+# us-east-1 v16.4.2 x86_64 Enterprise: ami-077d848391f091b90
+# us-east-2 v16.4.2 arm64 Enterprise: ami-0d7e383c8623c812c
+# us-east-2 v16.4.2 x86_64 Enterprise: ami-054cfac92dd5cb3cf
+# us-west-1 v16.4.2 arm64 Enterprise: ami-0ea1e30c8775e4b73
+# us-west-1 v16.4.2 x86_64 Enterprise: ami-093c927235b8acabd
+# us-west-2 v16.4.2 arm64 Enterprise: ami-0a69c7b0710c6ce0f
+# us-west-2 v16.4.2 x86_64 Enterprise: ami-064274e43d303f3f8
 ```
 
 ### Enterprise FIPS
 
 ```
-# ap-northeast-1 v16.4.1 arm64 Enterprise FIPS: ami-097c58e178e840f02
-# ap-northeast-1 v16.4.1 x86_64 Enterprise FIPS: ami-0f3534c7a6995dba8
-# ap-northeast-2 v16.4.1 arm64 Enterprise FIPS: ami-069956671063840f7
-# ap-northeast-2 v16.4.1 x86_64 Enterprise FIPS: ami-00e2141a1245f7611
-# ap-northeast-3 v16.4.1 arm64 Enterprise FIPS: ami-0544402707d23bdd4
-# ap-northeast-3 v16.4.1 x86_64 Enterprise FIPS: ami-0b39552116a3b0f9e
-# ap-south-1 v16.4.1 arm64 Enterprise FIPS: ami-055b2f144c10dfaab
-# ap-south-1 v16.4.1 x86_64 Enterprise FIPS: ami-0ae8f18a37a7f745c
-# ap-southeast-1 v16.4.1 arm64 Enterprise FIPS: ami-0c6b3b33f3a90994f
-# ap-southeast-1 v16.4.1 x86_64 Enterprise FIPS: ami-09583dc61fc9c7565
-# ap-southeast-2 v16.4.1 arm64 Enterprise FIPS: ami-045639bf36d2e1029
-# ap-southeast-2 v16.4.1 x86_64 Enterprise FIPS: ami-03be67c16b5ab274b
-# ca-central-1 v16.4.1 arm64 Enterprise FIPS: ami-06a145fe5f21937a4
-# ca-central-1 v16.4.1 x86_64 Enterprise FIPS: ami-00949e6df148fee13
-# eu-central-1 v16.4.1 arm64 Enterprise FIPS: ami-0fe7532ed2579d262
-# eu-central-1 v16.4.1 x86_64 Enterprise FIPS: ami-0fda1dfbf5dc7e6bc
-# eu-north-1 v16.4.1 arm64 Enterprise FIPS: ami-0ecef0c9c2ff363a0
-# eu-north-1 v16.4.1 x86_64 Enterprise FIPS: ami-0c4fd9dd948c677a3
-# eu-west-1 v16.4.1 arm64 Enterprise FIPS: ami-0aa9453a94dc48f43
-# eu-west-1 v16.4.1 x86_64 Enterprise FIPS: ami-0e55403caaaf498c8
-# eu-west-2 v16.4.1 arm64 Enterprise FIPS: ami-01ca65fd958466d71
-# eu-west-2 v16.4.1 x86_64 Enterprise FIPS: ami-01daf5bd8fef951f0
-# eu-west-3 v16.4.1 arm64 Enterprise FIPS: ami-0266e85706981ce98
-# eu-west-3 v16.4.1 x86_64 Enterprise FIPS: ami-032fbb9f920a665ba
-# sa-east-1 v16.4.1 arm64 Enterprise FIPS: ami-0199cecca8a53e70d
-# sa-east-1 v16.4.1 x86_64 Enterprise FIPS: ami-00674a36504c9bc64
-# us-east-1 v16.4.1 arm64 Enterprise FIPS: ami-03213597bda2bb832
-# us-east-1 v16.4.1 x86_64 Enterprise FIPS: ami-07980da3aa36b88f6
-# us-east-2 v16.4.1 arm64 Enterprise FIPS: ami-00e4d80bbc3a558f1
-# us-east-2 v16.4.1 x86_64 Enterprise FIPS: ami-02abeec16e547b6bb
-# us-west-1 v16.4.1 arm64 Enterprise FIPS: ami-096b0804dce576fd5
-# us-west-1 v16.4.1 x86_64 Enterprise FIPS: ami-06b50c8e7dcbedc96
-# us-west-2 v16.4.1 arm64 Enterprise FIPS: ami-076614a976e6b75e8
-# us-west-2 v16.4.1 x86_64 Enterprise FIPS: ami-0b596e0a03b6fa7ae
+# ap-northeast-1 v16.4.2 arm64 Enterprise FIPS: ami-00a21ff1672297330
+# ap-northeast-1 v16.4.2 x86_64 Enterprise FIPS: ami-0cb623092634935f7
+# ap-northeast-2 v16.4.2 arm64 Enterprise FIPS: ami-045dd1656ac1c8892
+# ap-northeast-2 v16.4.2 x86_64 Enterprise FIPS: ami-0686f7158b83838e7
+# ap-northeast-3 v16.4.2 arm64 Enterprise FIPS: ami-0c0ab315ba2a452a4
+# ap-northeast-3 v16.4.2 x86_64 Enterprise FIPS: ami-0b682986b4c0adef7
+# ap-south-1 v16.4.2 arm64 Enterprise FIPS: ami-0cf17bc28ae528908
+# ap-south-1 v16.4.2 x86_64 Enterprise FIPS: ami-0520964fb5e732fd8
+# ap-southeast-1 v16.4.2 arm64 Enterprise FIPS: ami-0d911b39191bff6f5
+# ap-southeast-1 v16.4.2 x86_64 Enterprise FIPS: ami-078dca4294630b313
+# ap-southeast-2 v16.4.2 arm64 Enterprise FIPS: ami-057d7d9f63083c5fb
+# ap-southeast-2 v16.4.2 x86_64 Enterprise FIPS: ami-0ea1d2fdd96a39ade
+# ca-central-1 v16.4.2 arm64 Enterprise FIPS: ami-0a3956800f6009a56
+# ca-central-1 v16.4.2 x86_64 Enterprise FIPS: ami-0d8563355cd8d970c
+# eu-central-1 v16.4.2 arm64 Enterprise FIPS: ami-0138f85d1816a8c33
+# eu-central-1 v16.4.2 x86_64 Enterprise FIPS: ami-050c16c8f1f2e8019
+# eu-north-1 v16.4.2 arm64 Enterprise FIPS: ami-0906b20c1687cd6f0
+# eu-north-1 v16.4.2 x86_64 Enterprise FIPS: ami-08475f6614084a0f5
+# eu-west-1 v16.4.2 arm64 Enterprise FIPS: ami-074371697db81d536
+# eu-west-1 v16.4.2 x86_64 Enterprise FIPS: ami-0c5c3b38c07b97dc4
+# eu-west-2 v16.4.2 arm64 Enterprise FIPS: ami-0cdde6aa6d566eeb5
+# eu-west-2 v16.4.2 x86_64 Enterprise FIPS: ami-01777624814f67e41
+# eu-west-3 v16.4.2 arm64 Enterprise FIPS: ami-062d7d5fee2c1d1c5
+# eu-west-3 v16.4.2 x86_64 Enterprise FIPS: ami-054ab2d0bac58fcd7
+# sa-east-1 v16.4.2 arm64 Enterprise FIPS: ami-0a8572c8e97151dff
+# sa-east-1 v16.4.2 x86_64 Enterprise FIPS: ami-0f15dee213ade88f1
+# us-east-1 v16.4.2 arm64 Enterprise FIPS: ami-01ce840d09416d215
+# us-east-1 v16.4.2 x86_64 Enterprise FIPS: ami-089264ba53b41ab45
+# us-east-2 v16.4.2 arm64 Enterprise FIPS: ami-070988dfd8d085109
+# us-east-2 v16.4.2 x86_64 Enterprise FIPS: ami-088cc09b919cac5b2
+# us-west-1 v16.4.2 arm64 Enterprise FIPS: ami-0c8835fb17d1ab7a2
+# us-west-1 v16.4.2 x86_64 Enterprise FIPS: ami-01cbfa34b58ba561a
+# us-west-2 v16.4.2 arm64 Enterprise FIPS: ami-0d3c94e7dc76ff62e
+# us-west-2 v16.4.2 x86_64 Enterprise FIPS: ami-063883b5f46c6f156
 ```
diff --git a/examples/aws/terraform/ha-autoscale-cluster/README.md b/examples/aws/terraform/ha-autoscale-cluster/README.md
@@ -46,7 +46,7 @@ export TF_VAR_cluster_name="teleport.example.com"
 # OSS: aws ec2 describe-images --owners 146628656107 --filters 'Name=name,Values=teleport-oss-*'
 # Enterprise: aws ec2 describe-images --owners 146628656107 --filters 'Name=name,Values=teleport-ent-*'
 # FIPS 140-2 images are also available for Enterprise customers, look for '-fips' on the end of the AMI's name
-export TF_VAR_ami_name="teleport-ent-16.4.1-arm64"
+export TF_VAR_ami_name="teleport-ent-16.4.2-arm64"
 
 # AWS SSH key name to provision in installed instances, should be available in the region
 export TF_VAR_key_name="example"

diff --git a/examples/aws/terraform/starter-cluster/README.md b/examples/aws/terraform/starter-cluster/README.md
@@ -98,7 +98,7 @@ TF_VAR_license_path ?= "/path/to/license"
 # OSS: aws ec2 describe-images --owners 146628656107 --filters 'Name=name,Values=teleport-oss-*'
 # Enterprise: aws ec2 describe-images --owners 146628656107 --filters 'Name=name,Values=teleport-ent-*'
 # FIPS 140-2 images are also available for Enterprise customers, look for '-fips' on the end of the AMI's name
-TF_VAR_ami_name ?= "teleport-ent-16.4.1-arm64"
+TF_VAR_ami_name ?= "teleport-ent-16.4.2-arm64"
 
 # Route 53 hosted zone to use, must be a root zone registered in AWS, e.g. example.com
 TF_VAR_route53_zone ?= "example.com"

diff --git a/integrations/event-handler/Makefile b/integrations/event-handler/Makefile
@@ -46,8 +46,19 @@ RELEASE_MESSAGE = "Building with GOOS=$(OS) GOARCH=$(ARCH)."
 build:
 	GOOS=$(OS) GOARCH=$(ARCH) $(CGOFLAG) go build -o $(BUILDDIR)/teleport-event-handler $(BUILDFLAGS)
 
+# darwin-signed-build is a wrapper around the build target that ensures it is codesigned
+include ../../darwin-signing.mk
+.PHONY: darwin-signed-build
+darwin-signed-build: BINARIES=$(BINARY)
+darwin-signed-build: build
+	$(NOTARIZE_BINARIES)
+
 .PHONY: release
+ifeq ($(OS),darwin)
+release: darwin-signed-build
+else
 release: build
+endif
 	@echo "---> $(RELEASE_MESSAGE)"
 	mkdir $(RELEASE_NAME)
 	cp -rf $(BINARY) \

diff --git a/integrations/terraform/Makefile b/integrations/terraform/Makefile
@@ -121,9 +121,20 @@ endif
 	rm -r ./tfschema/github.com/
 	@go run ./gen/main.go
 
-.PHONY: release
+# darwin-signed-build is a wrapper around the build target that ensures it is codesigned
+include ../../darwin-signing.mk
+.PHONY: darwin-signed-build
+darwin-signed-build: BINARIES=$(BUILDDIR)/terraform-provider-teleport
 ifeq ($(OS)-$(ARCH),darwin-universal)
-release: build-darwin-universal
+darwin-signed-build: build-darwin-universal
+else
+darwin-signed-build: build
+endif
+	$(NOTARIZE_BINARIES)
+
+.PHONY: release
+ifeq ($(OS),darwin)
+release: darwin-signed-build
 else
 release: build
 endif

diff --git a/lib/devicetrust/authz/authz.go b/lib/devicetrust/authz/authz.go
@@ -19,16 +19,14 @@
 package authz
 
 import (
-	"sync"
-
 	"github.com/gravitational/trace"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/constants"
 	"github.com/gravitational/teleport/api/types"
-	"github.com/gravitational/teleport/lib/devicetrust/config"
+	dtconfig "github.com/gravitational/teleport/lib/devicetrust/config"
 	"github.com/gravitational/teleport/lib/tlsca"
 )
 
@@ -73,9 +71,7 @@ func VerifySSHUser(dt *types.DeviceTrust, cert *ssh.Certificate) error {
 }
 
 func verifyDeviceExtensions(dt *types.DeviceTrust, username string, verified bool) error {
-	mode := config.GetEffectiveMode(dt)
-	maybeLogModeMismatch(mode, dt)
-
+	mode := dtconfig.GetEnforcementMode(dt)
 	switch {
 	case mode != constants.DeviceTrustModeRequired:
 		return nil // OK, extensions not enforced.
@@ -88,15 +84,3 @@ func verifyDeviceExtensions(dt *types.DeviceTrust, username string, verified boo
 		return nil
 	}
 }
-
-var logModeOnce sync.Once
-
-func maybeLogModeMismatch(effective string, dt *types.DeviceTrust) {
-	if dt == nil || dt.Mode == "" || effective == dt.Mode {
-		return
-	}
-
-	logModeOnce.Do(func() {
-		log.Warnf("Device Trust: mode %q requires Teleport Enterprise. Using effective mode %q.", dt.Mode, effective)
-	})
-}
diff --git a/lib/devicetrust/authz/authz_test.go b/lib/devicetrust/authz/authz_test.go
@@ -174,13 +174,13 @@ func runVerifyUserTest(t *testing.T, method string, verify func(dt *types.Device
 			assertErr: assertNoErr,
 		},
 		{
-			name:      "OSS mode never enforced",
+			name:      "OSS mode=required (Enterprise Auth)",
 			buildType: modules.BuildOSS,
 			dt: &types.DeviceTrust{
-				Mode: constants.DeviceTrustModeRequired, // Invalid for OSS, treated as "off".
+				Mode: constants.DeviceTrustModeRequired,
 			},
 			ext:       userWithoutExtensions,
-			assertErr: assertNoErr,
+			assertErr: assertDeniedErr,
 		},
 		{
 			name:      "Enterprise mode=off",

diff --git a/lib/devicetrust/config/config.go b/lib/devicetrust/config/config.go
@@ -42,6 +42,18 @@ func GetEffectiveMode(dt *types.DeviceTrust) string {
 	return dt.Mode
 }
 
+// GetEnforcementMode returns the configured device trust mode, disregarding the
+// provenance of the binary if the mode is set.
+// Used for device enforcement checks. Guarantees that OSS binaries paired with
+// an Enterprise Auth will correctly enforce device trust.
+func GetEnforcementMode(dt *types.DeviceTrust) string {
+	// If absent use the defaults from GetEffectiveMode.
+	if dt == nil || dt.Mode == "" {
+		return GetEffectiveMode(dt)
+	}
+	return dt.Mode
+}
+
 // ValidateConfigAgainstModules verifies the device trust configuration against
 // the current modules.
 // This method exists to provide feedback to users about invalid configurations,