[Qgis-psc] Code signing for Mac version

Larry Shaffer larrys at dakotacarto.com
Tue Sep 29 09:45:40 PDT 2015
Hi,

As part of my work at Boundless, I manage the code signing of the Mac
QGIS.app bundle and package installers. I would like to see this done for
the community version as well.

Currently there is no code signing of drag-drop applications or package
installers for QGIS, so users have to switch away from the recommended
default setting to allow any installation (see attachment).

Code signing setup requires:

* Mac developer account with Apple (~$99 USD/year)
* Issued certificates for Applications and Installers
* Signing drag/drop .app bundles and .pkg installers on both 10.7 and
10.9.5+ [0]

Packages are signed with the 'productsign' tool and application bundles
with the 'codesign' tool after certificates are imported into the user's
Keychain. No use of Xcode.app is required, unless you want to use it to
initially request the certificates, though that can all be done online.

Installers are much easier to code sign than drag/drop .app bundles, since
the signing is of an archived payload, whereas everything in the .app
bundle needs to be signed, which makes signing bundled utilities like GRASS
difficult as they don't follow bundle layout recommendations. I have
successfully signed a QGIS.app with GRASS 6 embedded on Mac OSX 10.10, and
the methodology used should work for OTB/GRASS7/SAGA/etc.

For the nightly, I would like to offer a code signed drag/drop QGIS.app
with GRASS7 bundled, since it's linked to for the internal plugin.

Application bundles do not need to be signed if installed via a .pkg installer;
only the installer needs to be signed. The signing is used by Mac's Gatekeeper
sentry software when a user installs something, and is not in play after
software is installed.

The questions are:

* Should code signing be done? (obviously +1 from me)
* Whose account should manage the certs? (I have one, though the PSC should
probably set one up to be autonomous to packagers)
* Should it be incorporated in 2.12 packaging? (I think there is plenty of
time to do so)

[0] https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG205

References:
[1] https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
[2] http://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/


Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota
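The .app signing workflow described above (sign every piece of nested code, then the bundle itself, then check it the way Gatekeeper will), as an added Python example that is not from the original message or from the QGIS packaging scripts. The identity string, the Mach-O scan, the sample bundle and the fake GRASS tool path are constructed assumptions; the .pkg side is not shown because it is a single productsign call on the archived payload.

```python
import os
import subprocess
import tempfile
from typing import Callable, List

# Hypothetical identity name; the real one is the Developer ID Application certificate in the packager's Keychain.
APP_IDENTITY = "Developer ID Application: Example Org (TEAMID)"
# Mach-O magic as stored on disk: 32/64-bit in either byte order, plus fat binaries
# (0xcafebabe is also the Java class-file magic, so exclude any .class/.jar trees you ship).
MACH_O_MAGIC = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
Runner = Callable[[List[str]], object]  # subprocess.check_call in production, a recorder for dry runs

def find_mach_o(root: str) -> List[str]:
    """Every Mach-O file (executables, dylibs, .so plugins) wherever it lives: GRASS keeps
    binaries outside Contents/MacOS and Contents/Frameworks, so a layout-based search misses them."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files):
            if os.path.islink(path):  # symlinks are covered by signing their target
                continue
            with open(path, "rb") as fh:
                if fh.read(4) in MACH_O_MAGIC:
                    found.append(path)
    return found

def signing_order(paths: List[str]) -> List[str]:
    """Deepest first: codesign seals nested code hashes into the enclosing signature,
    so re-signing an inner file after its container would invalidate the container."""
    return sorted(set(paths), key=lambda p: (-p.count(os.sep), p))

def sign_app(bundle: str, run: Runner = subprocess.check_call) -> List[List[str]]:
    """Sign all nested code, then the bundle itself, then verify the way Gatekeeper will."""
    cmds = [["codesign", "--force", "--timestamp", "--sign", APP_IDENTITY, p]
            for p in signing_order(find_mach_o(bundle)) + [bundle]]
    cmds += [["codesign", "--verify", "--deep", "--strict", "--verbose", bundle],
             ["spctl", "--assess", "--type", "execute", "--verbose", bundle]]
    for cmd in cmds:
        run(cmd)
    return cmds

def make_demo_bundle() -> str:
    """Constructed sample: a fake QGIS.app with its main binary, a GRASS tool outside the standard layout, and a text file."""
    root, mach_o_64 = os.path.join(tempfile.mkdtemp(), "QGIS.app"), b"\xcf\xfa\xed\xfe" + b"\0" * 12
    for rel, data in {"Contents/MacOS/QGIS": mach_o_64, "Contents/Resources/grass/bin/g.region": mach_o_64,
                      "Contents/Resources/readme.txt": b"not code"}.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Passing `run=print` (or a list's `append`) gives a dry run of the exact command sequence without touching the Keychain.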
Attachment: gatekeeper-notice_qgis-283-pkg.png (image/png, 23623 bytes)
<http://lists.osgeo.org/pipermail/qgis-psc/attachments/20150929/acb0fdd5/attachment.png>