[Qgis-psc] Code signing for Mac version

Tim Sutton tim at qgis.org
Tue Sep 29 11:44:59 PDT 2015


Hi


> On 29 Sep 2015, at 20:19, Larry Shaffer <larrys at dakotacarto.com> wrote:
> 
> Hi Sandro,
> 
> On Tue, Sep 29, 2015 at 11:07 AM, Sandro Santilli <strk at keybit.net> wrote:
> On Tue, Sep 29, 2015 at 10:45:40AM -0600, Larry Shaffer wrote:
> 
> > Currently there is no code signing of drag-drop applications or package
> > installers for QGIS, so users have to switch away from the recommended
> > default setting to allow any installation (see attachment).
> >
> > Code signing setup requires:
> >
> > * Mac developer account with Apple (~$99 USD/year)
> ...
> 
> > * Should code signing be done? (obviously +1 from me)
> 
> To me those who want to use Free Software should get to understand what
> it means and thus do not rely on trusting Apple as the provider of
> the binary software they use.
> 
> I'm not talking about the Mac App store here. Apple is providing no software, nor is it (re)distributing the packages. This is about code signing the distribution packages in a way that is inexpensive and provides a 'normal' Mac user experience, which includes developers dealing with the default way a Mac is configured.
> 
> Forcing users to 'understand' what it means to use free and open source software by *requiring* them to turn off security features in their OS is not a very reasonable approach to the situation IMO.
> 
> The developer account at $99 USD/year is a bit off, as this is only a means of getting a code signing certificate that already has the root certificate authority installed on Macs. We are free to choose a different code signing certificate from a vendor, but even the cheapest (startssl.com <http://startssl.com/> Class 2 at $59.90 for 2 years) doesn't even come close to Apple's certs, which are good for 5 years. This means an Apple developer account could be signed up for every 5 years, then closed, i.e. cert for $20/year.
>  
> I hope there's a way for mac owners to add trust of other authorities,
> say for example OSGeo.org <http://osgeo.org/>, if this is not the case I'd rather see
> those users pay for downloading a signed version. 100 USD for copy
> might be a good price for that.
> 
> OSGeo could provide a self-signed root certificate bundle for users to install, or maintain an intermediate signing authority from a trusted root, and any OSGeo project could use that to code sign Mac software (or any software); but, it would require users to install and trust the root or intermediate certificate, which would require admin privileges on the box. While that's a reasonable approach for development versions, like nightlies, it is most certainly *not* a normal Mac or Windows user experience.
> 
> For nightlies, it would be a means of warning general users that the software is not a regular distro, which is an approach many software development groups use (self-signed code signing root cert for dev releases versus a preinstalled trusted root cert for stable releases). For general/stable releases it is definitely not a normal thing to do.
> 
> Sandro, please try to keep your comments about this more productive and less incendiary.

I think that it would make more sense for us to sign the app bundles or installation packages as QGIS.org <http://qgis.org/> if possible than OSGEO.org <http://osgeo.org/> - mainly because there would be a 1:1 recognition between the software being installed and the authority that holds the license. I think USD 99 is a negligible amount to pay for signed packages and for the reasons Larry has already described, the user experience installing on OS X is very suboptimal at the moment. For a nice roadmap on OS X I would like to see in the long run:

* packages directly downloadable from QGIS.org <http://qgis.org/> (so we get to count installs and the user experience is consistent - many people I have spoken to have been a bit confused when being taken over to kyngchaos’s web site - though I am very grateful for the many years he has been helping us)
* packages delivered as a complete installation experience (including dependencies) in a single package - be it with an all in one .app bundle or an installation package. I prefer as a .app bundle myself.
* packages signed so that they work out of the box and don’t require a trip to the security preferences (for the reasons outlined above)
* ready to run package includes SAGA, OTB, R and whatever ‘best experience’ packages a user needs to be productive on OS X.


So your signing proposal gets a big +1 from me and I look forward to future proposals to improve the OS X experience.

Regards

Tim



> 
> Regards,
> 
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota
>  
> --strk;
> 



Tim Sutton
QGIS Project Steering Committee Member
tim at qgis.org



