[Qgis-psc] signing and downloads of QGIS Mac OS X installer

Larry Shaffer larrys at dakotacarto.com
Wed Oct 7 10:23:44 PDT 2015


Hi,

On Wed, Oct 7, 2015 at 9:56 AM, Richard Duivenvoorde <richard at duif.net>
wrote:

>
> We just talked about this at the PSC meeting.
>
> Our stand now:
>
> - Anita will contact/speak to the OSGeo board and see if an OSGeo.org cert
> is possible (to us, an Apple one seems cheapest, and easiest
> maintainable. We do not see a need for more general certificates yet
> (debian is already signed with gpg))
>
> - if possible PSC would prefer one full signed stable installer,
> eventually next to the modular one (@William is that possible at all?).
> This to make an easy QGIS install for non tech users.
> So ideally all (both all in one installers and the osgeo modules) would
> be signed with the osgeo cert then.
>

At Boundless, we offer a bundled, signed Mac QGIS.app drag/drop installer
with GRASS6 embedded, though its minimum system requirement is Mac OS X
10.9.

I spoke with my employers at Boundless and they have offered to *donate*
the use of their high-end Mac build server to produce QGIS Project
nightlies, as well as fully bundled QGIS Project applications for standard
and LTR releases (with all major Processing lib support). Since they are
also releasing their own branded builds of the same releases to their
customers, I will essentially be paid to work on the community releases, as
well as the nightlies.

*All added packaging functionality will be open source and contributed back
to the QGIS Project*. I believe we can also offer access to the Jenkins
instance on the build server to the PSC. All unit tests will be run and
sent to QGIS's CDash. They don't necessarily want to host the downloads of
the finished build artifacts, so uploading those to an OSGeo or QGIS
download server is ideal.

*Please let me know if the QGIS PSC is OK with Boundless providing these
packages.* If OK, then I can work on getting this ready for the 2.12
release and move the nightly builds to their server. They would like some
recognition for doing the donated packaging. I suggested that the DMG
installer window could have something like "Packaged by Boundless for the
QGIS Project" as part of a background image, and a note and link in the
README. Beyond those small acknowledgements, the applications themselves
would have *absolutely no branding*. Boundless wants to support FOSS4G
projects and this is one way they can help.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

QGIS Support/Development | Boundless <http://boundlessgeo.com/>
lshaffer at boundlessgeo.com
@boundlessgeo <http://twitter.com/boundlessgeo/>


> - At least these full nightly and stable full packages should be
> downloadable from a qgis.org / osgeo server. So Alex: yes please: bigger
> space/bandwidth is cool :-)
>
> Can we set these goals for now? Or any objections?
>
> Regards,
>
> Richard
>
>
> On 07-10-15 16:47, Alex Mandel wrote:
> > This does seem like something to consider talking to the OSGeo board
> about.
> >
> > FYI, I'm working on increased space and bandwidth for downloads from the
> > OSGeo servers if you want to host the files there.
> >
> > Thanks,
> > Alex
> >
> > On 10/06/2015 11:50 PM, Richard Duivenvoorde wrote:
> >>
> >>
> >> Pulling this to psc list again...
> >> (@psc see thread below, replying to William's comment on signing GDAL and
> >> python modules with QGIS or not)
> >>
> >> Mmm, I'm not a mac user, so cannot comment on the value of having
> >> separate modules. My experience with mac users is they are either very
> >> techy (so probably want this), but most are not technical at all (and
> >> those we want to address I think).
> >>
> >> We could make a 'full (signed) QGIS install' vs a modularized one?
> >>
> >> But another option would be to have osgeo or a combined osgeo/qgis
> >> certificate?
> >> How does for example Postgis do this?
> >>
> >> Or maybe do a small OSGEO kickstarter project to raise 1780 dollar to
> >> have 10 years of full all OS certificates?
> >>
> >> Or am I starting to run out of QGIS-line now :-)
> >>
> >> Regards,
> >>
> >> Richard
> >>
> >>
> >> On 06-10-15 17:45, William Kyngesburye wrote:
> >>> 1
> >>>
> >>> I replied to Larry in the other thread (I’m not on the PSC list).
> >>>
> >>> I’ve thought about code signing, never looked into it.  I have a free
> developer account, and was hoping it would be possible to get a certificate
> without a paid account, it’s not clear if that’s possible.
> >>>
> >>> An org certificate would be nice, and I didn’t realize other cert
> companies could do Apple code signing.  The trick with an org cert would
> be, again, if I could use it on a free dev account.  Though I don’t have a
> financial problem with a paid dev account.
> >>>
> >>> We use DigiCert where I work.  I see they have code signing certs for
> $178/yr for a 3 year cert. …ah, the globalsign price was just 1 yr, their 3
> yr price is $175/yr.
> >>>
> >>> One problem with the org cert is it wouldn’t cover the external GDAL
> Complete frameworks and extra python modules (I suppose it could, but
> they’re not really QGIS products).  So I may still need to get my own
> cert.  Yes, there is the all-in-one way, but I still prefer the separation
> because GDAL and the python modules are very useful on their own and for
> other software like Postgis and GRASS.
> >>>
> >>> 2
> >>>
> >>> I would be OK with qgis hosting of files.  Is there download count
> tracking?  I tried to do that for a while, first with a plugin for Dokuwiki
> (which broke after a few updates), then analyzing the web logs (major
> hassle).
> >>>
> >>>> On Oct 5, 2015, at 2:48 AM, Larry Shaffer <larrys at dakotacarto.com>
> wrote:
> >>>>
> >>>> Hi Richard,
> >>>>
> >>>> On Sun, Oct 4, 2015 at 10:27 AM, Richard Duivenvoorde <
> richard at duif.net> wrote:
> >>>>
> >>>> Hi William, Larry,
> >>>>
> >>>> @William, not sure if you read psc lists normally, but we are talking
> >>>> about this thread [0]
> >>>> I'm writing this to you both as you are both our OSX packagers
> >>>>
> >>>> In short:
> >>>> - Larry asked if it was possible to sign the mac installers with a
> >>>> certificate
> >>>> - in [0] there was some discussion about it, culminating in: 'let
> >>>> qgis.org' buy a certificate, either apple only (cheap) or one for all
> >>>> os's (more expensive) [4]
> >>>> - there was also the question if it would be possible to make the mac
> >>>> installers directly downloadable from qgis.org servers
> >>>>
> >>>> -1-
> >>>> Personally IF qgis.org can buy a (5 year) cert from apple now, let's
> do
> >>>> that. When other OS's require a certificate signing also, we can always
> >>>> switch to another certificate.
> >>>> So either Larry or William, do you have any experience with getting
> this
> >>>> kind of cert's from Apple? I once had a personal dev license, and I
> >>>> needed to fax my company credentials to america for that :-(
> >>>> So I'm prepared, but please guide me, or let me know what we need to
> get
> >>>> one of the apple's cert's
> >>>>
> >>>> As I mentioned in the beginning of that previous discussion thread, I
> utilize the Apple certificates for code signing Mac applications and
> package installers for Boundless, where I am currently employed. They have
> an organization membership and, like the QGIS project, are normally
> distributing outside of the Mac App Store. This is usually due to the
> incompatibility between many copyleft open source licenses and Apple's
> restrictive secondary licensing for App Store distribution.
> >>>>
> >>>> Once an organization developer account is set up (something I have
> not been involved with yet), you add team members and generate Developer ID
> certificates for applications and installers. See [0] for info on enrolling
> in an org dev account, [1] for info on managing an organization and team
> members and [2] on how to manage setting up certificates. While the
> documentation is extensive, the process is really quite straightforward.
> The code signing docs [3, 4] are something that William and I reference
> when actually scripting the signing of the code/packages.
> >>>>
> >>>> You may want to check if a developer account has to remain *active*
> for all of the years a certificate is in effect, i.e. if the account is
> closed, say to save the QGIS project money, will the certificate drop into
> a revoke list. If the account has to remain active, then the cert cost
> jumps to $99/year, which while still pretty good pricing, may be
> significant reasoning for looking into a general code signing certificate
> from a vendor that can be used on multiple platforms.
> >>>>
> >>>> Several reasons for having an org account:
> >>>>
> >>>> * QGIS project has control over certificate management/issuing.
> >>>> * You issue Developer ID certificates relative to cert signing
> requests from team members, e.g. William and I, which you can also revoke
> at any time in the future.
> >>>> * Certificates will be issued by Apple as 'QGIS Project' (or whatever
> the official entity name is), not under a separate developer identity.
> >>>>
> >>>> The two certificates we are interested in are referred to in the docs
> as 'Developer ID' certificates:
> >>>>
> >>>> * Developer ID Application  <-- signing .app bundles for drag/drop
> type installs
> >>>> * Developer ID Installer  <-- signing installer.pkg type installs
> >>>>
> >>>> William mostly (entirely?) uses .pkg installers, while I may be
> utilizing both. The difficult part is signing a very complex QGIS.app
> bundle directly, especially if it contains other embedded Unix-style
> installs, like GRASS, etc. It is generally simpler to just sign package
> installers, as it is just signing a payload archive. Again, the certificate
> verification is only for initial installation to the Mac, so a package
> installer could install a completely un-signed, bundled application, which
> is not against any Apple restriction (as of yet).
> >>>>
> >>>> Note: if you read about app sandboxing in the code signing docs, keep
> in mind that, to my knowledge, we are *not* sandboxing any of the
> installations.
> >>>>
> >>>> [0] https://developer.apple.com/support/compare-memberships/
> >>>> [1]
> https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/ManagingYourTeam/ManagingYourTeam.html#//apple_ref/doc/uid/TP40012582-CH16-SW1
> >>>> [2]
> https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW1
> >>>>
> >>>> [3]
> https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
> >>>> [4]
> https://developer.apple.com/library/mac/technotes/tn2206/_index.html
> >>>>
> >>>>
> >>>> -2-
> >>>> If we (@Alex, ok?) give you an ssh account on the download server of
> >>>> qgis.org, is it then OK for you to put all needed downloadables/lib
> >>>> packages there?
> >>>> AND provide the information that you now provide on your personal web
> >>>> pages in the documentation at [1]
> >>>>
> >>>> Yes, although my nightly documentation would be located at:
> >>>> http://qgis.org/en/site/forusers/alldownloads.html#qgis-macos-testing
> >>>>
> >>>> You can provide pretty specific info per OS or QGIS version like we do
> >>>> for the different Linux distro's: [2].
> >>>>
> >>>> Opinions? Ideas? or Pointers?
> >>>>
> >>>>
> >>>> Regards,
> >>>>
> >>>> Larry Shaffer
> >>>> Dakota Cartography
> >>>> Black Hills, South Dakota
> >>>>
> >>>> Regards,
> >>>>
> >>>> Richard Duivenvoorde
> >>>> ( /me writing in my role as PSC Infrastructure Manager here )
> >>>>
> >>>> [0]
> https://lists.osgeo.org/pipermail/qgis-psc/2015-October/003300.html
> >>>> [1] http://qgis.org/en/site/forusers/download.html#mac
> >>>> [2] http://qgis.org/en/site/forusers/alldownloads.html#debian-ubuntu
> >>>> [4] https://www.globalsign.com/en/code-signing-certificate/
> >>>>
> >>>
> >>> -----
> >>> William Kyngesburye <kyngchaos*at*kyngchaos*dot*com>
> >>> http://www.kyngchaos.com/
> >>>
> >>> "Time is an illusion - lunchtime doubly so."
> >>>
> >>> - Ford Prefect
> >>>
> >>>
> >>
> >
> >
>
>