<div dir="ltr">Hi Richard,<div class="gmail_extra">
<br><div class="gmail_quote">On Sun, Oct 4, 2015 at 10:27 AM, Richard Duivenvoorde <span dir="ltr"><<a href="mailto:richard@duif.net" target="_blank">richard@duif.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
Hi William, Larry,<br>
<br>
@William, not sure if you read psc lists normally, but we are talking<br>
about this thread [0]<br>
I'm writing this to you both as you are both our OSX packagers<br>
<br>
In short:<br>
- Larry asked if it was possible to sign the mac installers with a<br>
certificate<br>
- in [0] there was some discussion about it, culminating in: 'let<br>
<a href="http://qgis.org" rel="noreferrer" target="_blank">qgis.org</a>' buy a certificate, either apple only (cheap) or one for all<br>
os's (more expensive) [4]<br>
- there was also the question if it would be possible to make the mac<br>
installers directly downloadable from <a href="http://qgis.org" rel="noreferrer" target="_blank">qgis.org</a> servers<br>
<br>
-1-<br>
Personally IF <a href="http://qgis.org" rel="noreferrer" target="_blank">qgis.org</a> can buy a (5 year) cert from apple now, let's do<br>
that. When other OS's require a certifiate signing also, we can always<br>
switch to another certificate.<br>
So either Larry or William, do you have any experience with getting this<br>
kind of cert's from Apple? I once had a personal dev license, and I<br>
needed to fax my company credentials to america for that :-(<br>
So I'm prepared, but please guide me, or let me know what we need to get<br>
one of the apple's cert's<br></blockquote><div><br></div><div>As I mentioned in the beginning of that previous discussion thread, I utilize the Apple certificates for code signing Mac applications and package installers for Boundless, where I am currently employed. They have an organization membership and, like the QGIS project, are normally distributing outside of the Mac App Store. This is usually due to the incompatibility between many copyleft open source licenses and Apple's restrictive secondary licensing for App Store distribution.</div><div><br></div><div>Once an organization developer account is set up (something I have not been involved with yet), you add team members and generate Developer ID certificates for applications and installers. See [0] for info on enrolling in an org dev account, [1] for info on managing an organization and team members and [2] on how to manage setting up certificates. While the documentation is extensive, the process if really quite straightforward. The code signing docs [3, 4] are something that William and I reference when actually scripting the signing of the code/packages.</div><div><br></div><div>You may want to check if a developer account has to remain *active* for all of the years a certificate is in effect, i.e. if the account is closed, say to save the QGIS project money, will the certificate drop into a revoke list. If the account has to remain active, then the cert cost jumps to $99/year, which while still pretty good pricing, may be significant reasoning for looking into a general code signing certificate from a vendor that can be used on multiple platforms.</div><div><br></div><div>Several reasons for having an org account:</div><div><br></div><div>* QGIS project has control over certificate management/issuing.</div><div>* You issue Developer ID certificates relative to cert signing requests from team members, e.g. William and I, which you can also revoke at any time in the future.</div><div>* Certificates will be issued by Apple as 'QGIS Project' (or whatever the official entity name is), not under a separate developer identity.</div><div><br></div><div>The two certificates we are interested in are referred to in the docs as 'Developer ID' certificates:</div><div class="gmail_quote"><br></div>* Developer ID Application <-- signing .app bundles for drag/drop type installs<br>* Developer ID Installer <-- singing installer.pkg type installs</div><div class="gmail_quote"><br></div><div class="gmail_quote">William mostly (entirely?) uses .pkg installers, while I may be utilizing both. The difficult part is signing a very complex QGIS.app bundle directly, especially if it contains other embedded Unix-style installs, like GRASS, etc. It is generally simpler to just sign package installers, as it is just signing a payload archive. Again, the certificate verification is only for initial installation to the Mac, so a package installer could install a completely un-signed, bundled application, which is not against any Apple restriction (as of yet).</div><div class="gmail_quote"><div><br></div><div>Note: if you read about app sandboxing in the code signing docs, keep in mind that, to my knowledge, we are *not* sandboxing any of the installations.</div><div><br></div><div>[0] <a href="https://developer.apple.com/support/compare-memberships/">https://developer.apple.com/support/compare-memberships/</a></div><div>[1] <a href="https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/ManagingYourTeam/ManagingYourTeam.html#//apple_ref/doc/uid/TP40012582-CH16-SW1">https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/ManagingYourTeam/ManagingYourTeam.html#//apple_ref/doc/uid/TP40012582-CH16-SW1</a></div><div>[2] <a href="https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW1">https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW1</a></div><div><br></div><div>[3] <a href="https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html">https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html</a></div><div>[4] <a href="https://developer.apple.com/library/mac/technotes/tn2206/_index.html">https://developer.apple.com/library/mac/technotes/tn2206/_index.html</a><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
-2-<br>
If we (@Alex, ok?) give you an ssh account on the download server of<br>
<a href="http://qgis.org" rel="noreferrer" target="_blank">qgis.org</a>, is it then OK for you to put all needed downloadables/lib<br>
packages there?<br>
AND provide the information that you now provide on your personal web<br>
pages in the documentation at [1]<br></blockquote><div><br></div><div>Yes, although my nightly documentation would be located at:</div><div><a href="http://qgis.org/en/site/forusers/alldownloads.html#qgis-macos-testing">http://qgis.org/en/site/forusers/alldownloads.html#qgis-macos-testing</a><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
You can provide pretty specific info per OS or QGIS version like we do<br>
for the different Linux distro's: [2].<br>
<br>
Opinions? Ideas? or Pointers?</blockquote><div> </div><div><br></div><div>Regards,</div><div><br></div><div>Larry Shaffer<br>Dakota Cartography<br>Black Hills, South Dakota<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Regards,<br>
<br>
Richard Duivenvoorde<br>
( /me writing in my role as PSC Infrastructure Manager here )<br>
<br>
[0] <a href="https://lists.osgeo.org/pipermail/qgis-psc/2015-October/003300.html" rel="noreferrer" target="_blank">https://lists.osgeo.org/pipermail/qgis-psc/2015-October/003300.html</a><br>
[1] <a href="http://qgis.org/en/site/forusers/download.html#mac" rel="noreferrer" target="_blank">http://qgis.org/en/site/forusers/download.html#mac</a><br>
[2] <a href="http://qgis.org/en/site/forusers/alldownloads.html#debian-ubuntu" rel="noreferrer" target="_blank">http://qgis.org/en/site/forusers/alldownloads.html#debian-ubuntu</a><br>
[4] <a href="https://www.globalsign.com/en/code-signing-certificate/" rel="noreferrer" target="_blank">https://www.globalsign.com/en/code-signing-certificate/</a><br>
</blockquote></div><br></div></div>