[Qgis-psc] Code signing for Mac version

Larry Shaffer larrys at dakotacarto.com
Tue Sep 29 11:19:00 PDT 2015


Hi Sandro,

On Tue, Sep 29, 2015 at 11:07 AM, Sandro Santilli <strk at keybit.net> wrote:

> On Tue, Sep 29, 2015 at 10:45:40AM -0600, Larry Shaffer wrote:
>
> > Currently there is no code signing of drag-drop applications or package
> > installers for QGIS, so users have to switch away from the recommended
> > default setting to allow any installation (see attachment).
> >
> > Code signing setup requires:
> >
> > * Mac developer account with Apple (~$99 USD/year)
> ...
>
> > * Should code signing be done? (obviously +1 from me)
>
> To me those who want to use Free Software should get to understand what
> it means and thus do not rely on trusting Apple as the provider of
> the binary software they use.
>

I'm not talking about the Mac App store here. Apple is providing no
software, nor is it (re)distributing the packages. This is about code
signing the distribution packages in a way that is inexpensive and provides
a 'normal' Mac user experience, which includes developers dealing with the
default way a Mac is configured.

Forcing users to 'understand' what it means to use free and open source
software by *requiring* them to turn off security features in their OS is
not a very reasonable approach to the situation IMO.

The developer account at $99 USD/year is a bit off, as this is only a means
of getting a code signing certificate that already has the root certificate
authority installed on Macs. We are free to choose a different code signing
certificate from a vendor, but even the cheapest (startssl.com Class 2 at
$59.90 for 2 years) doesn't even come close to Apple's certs, which are
good for 5 years. This means an Apple developer account could be signed up
for every 5 years, then closed, i.e. cert for $20/year.


> I hope there's a way for mac owners to add trust of other authorities,
> say for example OSGeo.org, if this is not the case I'd rather see
> those users pay for downloading a signed version. 100 USD for copy
> might be a good price for that.
>

OSGeo could provide a self-signed root certificate bundle for users to
install, or maintain an intermediate signing authority from a trusted root,
and any OSGeo project could use that to code sign Mac software (or any
software); but, it would require users to install and trust the root or
intermediate certificate, which would require admin privileges on the box.
While that's a reasonable approach for development versions, like
nightlies, it is most certainly *not* a normal Mac or Windows user
experience.

For nightlies, it would be a means of warning general users that the
software is not a regular distro, which is an approach many software
development groups use (self-signed code signing root cert for dev releases
versus a preinstalled trusted root cert for stable releases). For
general/stable releases it is definitely not a normal thing to do.

Sandro, please try to keep your comments about this more productive and
less incendiary.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


> --strk;
>