[Qgis-psc] Code signing for Mac version

Larry Shaffer larrys at dakotacarto.com
Thu Oct 1 10:22:09 PDT 2015


Hi,

Responding to several comments here:

On Thu, Oct 1, 2015 at 1:51 AM, Tim Sutton wrote:

> On Thu, Oct 1, 2015 at 1:23 AM, Richard Duivenvoorde wrote:

> I was just wondering if buying a 'sign all OS packages' would be
> cheaper in the long run (as I predict that Windows will have the same
> stuff later on...).
>
> But let's stick for an Apple cert for now then!
>
> So who is going to buy that one (as qgis.org project) then?
> Larry, or should I or Andreas do that?
>
>
> My vote would be for QGIS.org <http://qgis.org/> to buy it and pass it
> along to Larry and William to use to sign the packages they build.
>

Agreed. It would be wise for the project to manage this aspect, instead of
relying upon a particular packager for this.

My two cents: it would be better to have a single 'sign all OS packages'
code-signing cert, which Apple supports in its tools and client [0, first
note], though obviously not cheaper. This would also allow signing at least
the standalone NSIS installer for Windows (though it is a bit tricky to
sign the uninstaller, as that is created upon install; there's a
workaround, though).

With Apple there is a distinction between an application cert and package
installer cert. Would need to investigate whether a third-party cert (like
from VeriSign) would work for both Apple-types of certs.

On Thu, Oct 1, 2015 at 1:23 AM, Richard Duivenvoorde wrote:

> >
> > I think the situation is the same as for windows users, and we
> > should just use the same donation hint and approach / wording. It
> > will be interesting to know how many OS X downloads there are in
> > the course of this too...
>
> I will write to both Larry and William if they can maybe upload their
> packages to the download server.


Fine by me. Just need access to the download server and my SSH pub key
added to authorized_keys so I can script the upload. Or, whatever works.

On Thu, Oct 1, 2015 at 1:55 AM, Sandro Santilli <strk at keybit.net> wrote:

> Unless the other one is not being paid already.
> I'm not familiar with "code-signing" certificates, how are they
> different from "key-signing" certificates used for SSL ?
> Are there different root certificates ? Can you sign a windows driver,
> an Apple application and an HTTPS key with the same certificate ?
>

The certificate, trust chain and issuer signing setup are the same for all
those certs, but for code signing the cert has extended usage flags to
indicate it can be used for that purpose [1, 2], which is part of what is
verified on the client OS side:

extendedKeyUsage = critical,codeSigning

>
> /me feels like Italy bureaucracy was exported to the outside world (scary).
>

Yes it is a total scam that in the 'web of trust' game you eventually have
to *pay* someone to vouch for you!  I hope your government isn't that
crazy. :-)

If I could find a reasonable way to do this for free, I would certainly
recommend that method. I don't like the idea of paying Apple, Microsoft,
VeriSign or anyone else just for their seal of approval. But alas, this is
how the client OS setup is for hundreds upon hundreds of thousands of QGIS
users.

[0]
https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW2

[1] https://en.wikipedia.org/wiki/Code_signing
[2]
http://pki-tutorial.readthedocs.org/en/latest/advanced/codesign.conf.html

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

On Thu, Oct 1, 2015 at 2:01 AM, Richard Duivenvoorde <richard at duif.net>
wrote:

> On 01-10-15 09:55, Sandro Santilli wrote:
>
> >> Ok - so the Apple cert is still cheaper then.
> >
> > Unless the other one is not being paid already.
> > I'm not familiar with "code-signing" certificates, how are they
> > different from "key-signing" certificates used for SSL ?
> > Are there different root certificates ? Can you sign a windows driver,
> > an Apple application and an HTTPS key with the same certificate ?
>
> Sandro see
>
> https://lists.osgeo.org/pipermail/qgis-psc/2015-September/003274.html
>
> I asked and yes, they are 'different' (main diff is that the one we have
> is free and the other not :-) )
>
> Regards,
>
> Richard Duivenvoorde
>