<div dir="ltr">Hi,<div><br></div><div><div class="gmail_extra"><div class="gmail_quote">On Thu, Mar 24, 2016 at 3:33 PM, Larry Shaffer <span dir="ltr"><<a href="mailto:larrys@dakotacarto.com" target="_blank">larrys@dakotacarto.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div><div>Hi,</div></div>
<br><div class="gmail_quote"><span class="">On Wed, Mar 23, 2016 at 6:47 AM, Jürgen E. <span dir="ltr"><<a href="mailto:jef@norbit.de" target="_blank">jef@norbit.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi Richard,<br>
<span><br>
On Wed, 23. Mar 2016 at 08:59:29 +0100, Richard Duivenvoorde wrote:<br>
> So Question: who should (and can) buy and put these certs in a safe, and<br>
> make it possible for Larry to get one and create an installer?<br>
<br>
</span>See also <a href="https://lists.osgeo.org/pipermail/board/2015-October/013445.html" rel="noreferrer" target="_blank">https://lists.osgeo.org/pipermail/board/2015-October/013445.html</a><br>
and <a href="https://lists.osgeo.org/pipermail/board/2015-October/013363.html" rel="noreferrer" target="_blank">https://lists.osgeo.org/pipermail/board/2015-October/013363.html</a>.<br>
<br>
Not sure if Larry meanwhile joined SAC and if there was any progress<br>
on this already...</blockquote><div><br></div></span><div>Apologizes, as my work took me far away from this for quite some time. I have not joined SAC and I believe no action has taken place to procure any certificates. I will have time starting in April to work on setting up scripts for signing QGIS installers (at least for Mac).</div></div></div></div></blockquote><div><br></div><div>I can work on this some starting now, but will have even more time after FOSS4G-NA (after May 9th). Who is the 'go to' on the SAC that can spearhead procuring code-signing certificates with the money already allocated?</div><div><br></div><div>I have done some more research. From what I have found, Apple *requires* that the signing certificate for passing Mac Gatekeeper policies be an Apple CA-signed certificate that has been generated from a CSR of only a valid Apple Developer ID [0]. The code can be signed with a third-party certificate (still securing the app against tampering), but such a signing will NOT pass Gatekeeper, i.e. purchasing a non-Apple code-signing certificate will be a wasted purchase for Mac distributions.</div><div><br></div><div>This means for code-signing Mac OSGeo applications an Apple Developer account is required. However, there are several options now [1]: Free, Individual, Organization or Enterprise. I recommend the OSGeo create an Organization-level ($99/year) account at Apple and set up 'teams' for all OSGeo projects wishing to distribute Mac apps/installers. I can help with this, as I have gone through this process for Boundless, for the code-signing of our Mac apps/installers.</div><div><br></div><div>If the SAC feels this is not appropriate for them to manage, maybe just the QGIS project (pilot project for this) can set up the Apple account instead.</div><div><br></div><div>A more general code-signing cert can be used for Windows apps/installers. More research needs done here, as a less expensive solution for the certificate may be useable.</div><div><br></div><div>[0] <a href="http://stackoverflow.com/questions/11833481">http://stackoverflow.com/questions/11833481</a></div><div>[1] <a href="https://developer.apple.com/support/compare-memberships/">https://developer.apple.com/support/compare-memberships/</a> </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>There is money authorized, for at least two certs for 3 years. How OSGeo projects can share them (if possible) is a technical/policy question that needs answered.</div></div></div></div></blockquote><div><br></div><div>See above. I recommend earmarking at least 3 X $99/year for an Apple Organization-level Developer ID account. </div><div><br></div><div>Regards,</div><div><br></div><div><div><div class="gmail_signature">Larry Shaffer<br>Dakota Cartography<br>Black Hills, South Dakota</div></div><div class="gmail_signature"><br></div><div class="gmail_signature"><span style="font-size:12.8px;font-family:arial">QGIS Support/Development | <a href="http://boundlessgeo.com/" target="_blank">Boundless</a></span><div style="font-size:12.8px"><a href="mailto:lshaffer@boundlessgeo.com" target="_blank" style="font-size:12.8px">lshaffer@boundlessgeo.com</a></div><div><br></div></div></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>Regards,</div><div><br></div><div>Larry Shaffer<br>Dakota Cartography<br>Black Hills, South Dakota<br></div><div><br></div><div><span style="font-family:arial">QGIS Support/Development | <a href="http://boundlessgeo.com/" target="_blank">Boundless</a></span><div><a href="mailto:lshaffer@boundlessgeo.com" style="font-size:12.8px" target="_blank">lshaffer@boundlessgeo.com</a></div></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><span><font color="#888888"><br>
<br>
Jürgen<br>
<br>
--<br>
Jürgen E. Fischer norBIT GmbH Tel. <a href="tel:%2B49-4931-918175-31" value="+49493191817531" target="_blank">+49-4931-918175-31</a><br>
Dipl.-Inf. (FH) Rheinstraße 13 Fax. <a href="tel:%2B49-4931-918175-50" value="+49493191817550" target="_blank">+49-4931-918175-50</a><br>
Software Engineer D-26506 Norden <a href="http://www.norbit.de" rel="noreferrer" target="_blank">http://www.norbit.de</a><br>
QGIS release manager (PSC) Germany IRC: jef on FreeNode<br>
</font></span><br></span><span class="">_______________________________________________<br>
Sac mailing list<br>
<a href="mailto:Sac@lists.osgeo.org" target="_blank">Sac@lists.osgeo.org</a><br>
<a href="http://lists.osgeo.org/mailman/listinfo/sac" rel="noreferrer" target="_blank">http://lists.osgeo.org/mailman/listinfo/sac</a><br></span></blockquote></div><br></div></div>
</blockquote></div><br></div></div></div>