[Qgis-psc] signing and downloads of QGIS Mac OS X installer
Richard Duivenvoorde
richard at duif.net
Wed Oct 7 08:56:49 PDT 2015
We just talked about this at the PSC meeting.
Our stand now:
- Anita will contact/speak to the OSGeo board and see if an OSGeo.org cert
is possible (to us, an Apple one seems cheapest, and easiest to
maintain. We do not see a need for more general certificates yet
(Debian is already signed with gpg))
- if possible PSC would prefer one full signed stable installer,
eventually next to the modular one (@William is that possible at all?).
This to make an easy QGIS install for non-tech users.
So ideally all (both all in one installers and the osgeo modules) would
be signed with the osgeo cert then.
- At least these full nightly and stable full packages should be
downloadable from a qgis.org / osgeo server. So Alex: yes please: bigger
space/bandwidth is cool :-)
Can we set these goals for now? Or any objections?
Regards,
Richard
On 07-10-15 16:47, Alex Mandel wrote:
> This does seem like something to consider talking to the OSGeo board about.
>
> FYI, I'm working on increased space and bandwidth for downloads from the
> OSGeo servers if you want to host the files there.
>
> Thanks,
> Alex
>
> On 10/06/2015 11:50 PM, Richard Duivenvoorde wrote:
>>
>>
>> Pulling this to psc list again...
>> (@psc see thread below, replying to William's comment on signing GDAL and
>> python modules with QGIS or not)
>>
>> Mmm, I'm not a mac user, so cannot comment on the value of having
>> separate modules. My experience with mac users is they are either very
>> techy (so probably want this), but most are not technical at all (and
>> those we want to address I think).
>>
>> We could make a 'full (signed) QGIS install' vs a modularized one?
>>
>> But another option would be to have osgeo or a combined osgeo/qgis
>> certificate?
>> How does for example Postgis do this?
>>
>> Or maybe do a small OSGEO kickstarter project to raise 1780 dollars to
>> have 10 years of full all OS certificates?
>>
>> Or am I starting to run out of QGIS-line now :-)
>>
>> Regards,
>>
>> Richard
>>
>>
>> On 06-10-15 17:45, William Kyngesburye wrote:
>>> 1
>>>
>>> I replied to Larry in the other thread (I’m not on the PSC list).
>>>
>>> I’ve thought about code signing, never looked into it. I have a free developer account, and was hoping it would be possible to get a certificate without a paid account, it’s not clear if that’s possible.
>>>
>>> An org certificate would be nice, and I didn’t realize other cert companies could do Apple code signing. The trick with an org cert would be, again, if I could use it on a free dev account. Though I don’t have a financial problem with a paid dev account.
>>>
>>> We use DigiCert where I work. I see they have code signing certs for $178/yr for a 3 year cert. …ah, the globalsign price was just 1 yr, their 3 yr price is $175/yr.
>>>
>>> One problem with the org cert is it wouldn’t cover the external GDAL Complete frameworks and extra python modules (I suppose it could, but they’re not really QGIS products). So I may still need to get my own cert. Yes, there is the all-in-one way, but I still prefer the separation because GDAL and the python modules are very useful on their own and for other software like Postgis and GRASS.
>>>
>>> 2
>>>
>>> I would be OK with qgis hosting of files. Is there download count tracking? I tried to do that for a while, first with a plugin for Dokuwiki (which broke after a few updates), then analyzing the web logs (major hassle).
>>>
>>>> On Oct 5, 2015, at 2:48 AM, Larry Shaffer <larrys at dakotacarto.com> wrote:
>>>>
>>>> Hi Richard,
>>>>
>>>> On Sun, Oct 4, 2015 at 10:27 AM, Richard Duivenvoorde <richard at duif.net> wrote:
>>>>
>>>> Hi William, Larry,
>>>>
>>>> @William, not sure if you read psc lists normally, but we are talking
>>>> about this thread [0]
>>>> I'm writing this to you both as you are both our OSX packagers
>>>>
>>>> In short:
>>>> - Larry asked if it was possible to sign the mac installers with a
>>>> certificate
>>>> - in [0] there was some discussion about it, culminating in: 'let
>>>> qgis.org' buy a certificate, either apple only (cheap) or one for all
>>>> os's (more expensive) [4]
>>>> - there was also the question if it would be possible to make the mac
>>>> installers directly downloadable from qgis.org servers
>>>>
>>>> -1-
>>>> Personally IF qgis.org can buy a (5 year) cert from Apple now, let's do
>>>> that. When other OS's require a certificate signing also, we can always
>>>> switch to another certificate.
>>>> So either Larry or William, do you have any experience with getting this
>>>> kind of certs from Apple? I once had a personal dev license, and I
>>>> needed to fax my company credentials to America for that :-(
>>>> So I'm prepared, but please guide me, or let me know what we need to get
>>>> one of Apple's certs
>>>>
>>>> As I mentioned in the beginning of that previous discussion thread, I utilize the Apple certificates for code signing Mac applications and package installers for Boundless, where I am currently employed. They have an organization membership and, like the QGIS project, are normally distributing outside of the Mac App Store. This is usually due to the incompatibility between many copyleft open source licenses and Apple's restrictive secondary licensing for App Store distribution.
>>>>
>>>> Once an organization developer account is set up (something I have not been involved with yet), you add team members and generate Developer ID certificates for applications and installers. See [0] for info on enrolling in an org dev account, [1] for info on managing an organization and team members and [2] on how to manage setting up certificates. While the documentation is extensive, the process is really quite straightforward. The code signing docs [3, 4] are something that William and I reference when actually scripting the signing of the code/packages.
>>>>
>>>> You may want to check if a developer account has to remain *active* for all of the years a certificate is in effect, i.e. if the account is closed, say to save the QGIS project money, will the certificate drop into a revoke list. If the account has to remain active, then the cert cost jumps to $99/year, which while still pretty good pricing, may be significant reasoning for looking into a general code signing certificate from a vendor that can be used on multiple platforms.
>>>>
>>>> Several reasons for having an org account:
>>>>
>>>> * QGIS project has control over certificate management/issuing.
>>>> * You issue Developer ID certificates relative to cert signing requests from team members, e.g. William and I, which you can also revoke at any time in the future.
>>>> * Certificates will be issued by Apple as 'QGIS Project' (or whatever the official entity name is), not under a separate developer identity.
>>>>
>>>> The two certificates we are interested in are referred to in the docs as 'Developer ID' certificates:
>>>>
>>>> * Developer ID Application <-- signing .app bundles for drag/drop type installs
>>>> * Developer ID Installer <-- signing installer.pkg type installs
>>>>
>>>> William mostly (entirely?) uses .pkg installers, while I may be utilizing both. The difficult part is signing a very complex QGIS.app bundle directly, especially if it contains other embedded Unix-style installs, like GRASS, etc. It is generally simpler to just sign package installers, as it is just signing a payload archive. Again, the certificate verification is only for initial installation to the Mac, so a package installer could install a completely un-signed, bundled application, which is not against any Apple restriction (as of yet).
>>>>
>>>> Note: if you read about app sandboxing in the code signing docs, keep in mind that, to my knowledge, we are *not* sandboxing any of the installations.
>>>>
>>>> [0] https://developer.apple.com/support/compare-memberships/
>>>> [1] https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/ManagingYourTeam/ManagingYourTeam.html#//apple_ref/doc/uid/TP40012582-CH16-SW1
>>>> [2] https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW1
>>>>
>>>> [3] https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
>>>> [4] https://developer.apple.com/library/mac/technotes/tn2206/_index.html
>>>>
>>>>
>>>> -2-
>>>> If we (@Alex, ok?) give you an ssh account on the download server of
>>>> qgis.org, is it then OK for you to put all needed downloadables/lib
>>>> packages there?
>>>> AND provide the information that you now provide on your personal web
>>>> pages in the documentation at [1]
>>>>
>>>> Yes, although my nightly documentation would be located at:
>>>> http://qgis.org/en/site/forusers/alldownloads.html#qgis-macos-testing
>>>>
>>>> You can provide pretty specific info per OS or QGIS version like we do
>>>> for the different Linux distro's: [2].
>>>>
>>>> Opinions? Ideas? or Pointers?
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Larry Shaffer
>>>> Dakota Cartography
>>>> Black Hills, South Dakota
>>>>
>>>> Regards,
>>>>
>>>> Richard Duivenvoorde
>>>> ( /me writing in my role as PSC Infrastructure Manager here )
>>>>
>>>> [0] https://lists.osgeo.org/pipermail/qgis-psc/2015-October/003300.html
>>>> [1] http://qgis.org/en/site/forusers/download.html#mac
>>>> [2] http://qgis.org/en/site/forusers/alldownloads.html#debian-ubuntu
>>>> [4] https://www.globalsign.com/en/code-signing-certificate/
>>>>
>>>
>>> -----
>>> William Kyngesburye <kyngchaos*at*kyngchaos*dot*com>
>>> http://www.kyngchaos.com/
>>>
>>> "Time is an illusion - lunchtime doubly so."
>>>
>>> - Ford Prefect
>>>
>>>
>>
>
>