[Qgis-psc] signing and downloads of QGIS Mac OS X installer

Larry Shaffer larrys at dakotacarto.com
Mon Oct 5 00:48:33 PDT 2015


Hi Richard,

On Sun, Oct 4, 2015 at 10:27 AM, Richard Duivenvoorde <richard at duif.net>
wrote:

>
> Hi William, Larry,
>
> @William, not sure if you read psc lists normally, but we are talking
> about this thread [0]
> I'm writing this to you both as you are both our OSX packagers
>
> In short:
> - Larry asked if it was possible to sign the mac installers with a
> certificate
> - in [0] there was some discussion about it, culminating in: 'let
> qgis.org' buy a certificate, either apple only (cheap) or one for all
> os's (more expensive) [4]
> - there was also the question if it would be possible to make the mac
> installers directly downloadable from qgis.org servers
>
> -1-
> Personally IF qgis.org can buy a (5 year) cert from apple now, let's do
> that. When other OS's require a certificate signing also, we can always
> switch to another certificate.
> So either Larry or William, do you have any experience with getting this
> kind of cert's from Apple? I once had a personal dev license, and I
> needed to fax my company credentials to america for that :-(
> So I'm prepared, but please guide me, or let me know what we need to get
> one of the apple's cert's
>

As I mentioned in the beginning of that previous discussion thread, I
utilize the Apple certificates for code signing Mac applications and
package installers for Boundless, where I am currently employed. They have
an organization membership and, like the QGIS project, are normally
distributing outside of the Mac App Store. This is usually due to the
incompatibility between many copyleft open source licenses and Apple's
restrictive secondary licensing for App Store distribution.

Once an organization developer account is set up (something I have not been
involved with yet), you add team members and generate Developer ID
certificates for applications and installers. See [0] for info on enrolling
in an org dev account, [1] for info on managing an organization and team
members and [2] on how to manage setting up certificates. While the
documentation is extensive, the process is really quite straightforward.
The code signing docs [3, 4] are something that William and I reference
when actually scripting the signing of the code/packages.

You may want to check if a developer account has to remain *active* for all
of the years a certificate is in effect, i.e. if the account is closed, say
to save the QGIS project money, will the certificate drop into a revoke
list. If the account has to remain active, then the cert cost jumps to
$99/year, which while still pretty good pricing, may be significant
reasoning for looking into a general code signing certificate from a vendor
that can be used on multiple platforms.

Several reasons for having an org account:

* QGIS project has control over certificate management/issuing.
* You issue Developer ID certificates relative to cert signing requests
from team members, e.g. William and I, which you can also revoke at any
time in the future.
* Certificates will be issued by Apple as 'QGIS Project' (or whatever the
official entity name is), not under a separate developer identity.

The two certificates we are interested in are referred to in the docs as
'Developer ID' certificates:

* Developer ID Application  <-- signing .app bundles for drag/drop type
installs
* Developer ID Installer  <-- signing installer.pkg type installs

William mostly (entirely?) uses .pkg installers, while I may be utilizing
both. The difficult part is signing a very complex QGIS.app bundle
directly, especially if it contains other embedded Unix-style installs,
like GRASS, etc. It is generally simpler to just sign package installers,
as it is just signing a payload archive. Again, the certificate
verification is only for initial installation to the Mac, so a package
installer could install a completely un-signed, bundled application, which
is not against any Apple restriction (as of yet).

Note: if you read about app sandboxing in the code signing docs, keep in
mind that, to my knowledge, we are *not* sandboxing any of the
installations.

[0] https://developer.apple.com/support/compare-memberships/
[1] https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/ManagingYourTeam/ManagingYourTeam.html#//apple_ref/doc/uid/TP40012582-CH16-SW1
[2] https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW1
[3] https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
[4] https://developer.apple.com/library/mac/technotes/tn2206/_index.html


> -2-
> If we (@Alex, ok?) give you an ssh account on the download server of
> qgis.org, is it then OK for you to put all needed downloadables/lib
> packages there?
> AND provide the information that you now provide on your personal web
> pages in the documentation at [1]
>

Yes, although my nightly documentation would be located at:
http://qgis.org/en/site/forusers/alldownloads.html#qgis-macos-testing


> You can provide pretty specific info per OS or QGIS version like we do
> for the different Linux distro's: [2].
>
> Opinions? Ideas? or Pointers?



Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


> Regards,
>
> Richard Duivenvoorde
> ( /me writing in my role as PSC Infrastructure Manager here )
>
> [0] https://lists.osgeo.org/pipermail/qgis-psc/2015-October/003300.html
> [1] http://qgis.org/en/site/forusers/download.html#mac
> [2] http://qgis.org/en/site/forusers/alldownloads.html#debian-ubuntu
> [4] https://www.globalsign.com/en/code-signing-certificate/
>