[Qgis-psc] Code signing for Mac version

Larry Shaffer larrys at dakotacarto.com
Tue Sep 29 18:30:24 PDT 2015


Hi William,

On Tue, Sep 29, 2015 at 6:13 PM, William Kyngesburye <woklist at kyngchaos.com>
wrote:

> I've been thinking about it also lately.  I was thinking about doing it
> myself, but a QGIS certificate would be nice.  Though I understand that it
> probably doesn't sit well with the hardcore GPL folks (no, there's no way
> to add external trust for code signing, but it's not tied to Apple
> distribution).
>
> Though the default is not really a big problem - the default is Apple and
> identified devs, but it's actually easy to override *individually*, you
> don't have to disable the whole thing and allow anything.  One of those
> little help items I haven't gotten around to documenting...


It is a big problem if you expect any regular user to open Terminal and run

xattr -d com.apple.quarantine
</path/to/download/that/developer/didnt/bother/signing>
prior to installing the software.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


> On Sep 29, 2015, at 11:45 AM, Larry Shaffer <larrys at dakotacarto.com>
> wrote:
>
> > Hi,
> >
> > As part of my work at Boundless, I manage the code signing of the Mac
> QGIS.app bundle and package installers. I would like to see this done for
> the community version as well.
> >
> > Currently there is no code signing of drag-drop applications or package
> installers for QGIS, so users have to switch away from the recommended
> default setting to allow any installation (see attachment).
> >
> > Code signing setup requires:
> >
> > * Mac developer account with Apple (~$99 USD/year)
> > * Issued certificates for Applications and Installers
> > * Signing drag/drop .app bundles and .pkg installers on both 10.7 and
> 10.9.5+ [0]
> >
> > Packages are signed with the 'productsign' tool and application bundles
> with the 'codesign' tool after certificates are imported into user's
> Keychain. No use of Xcode.app is required, unless you want to use it to
> initially request the certificates, though that can all be done online.
> >
> > Installers are much easier to code sign than drag/drop .app bundles,
> since the signing is of an archived payload, whereas everything in the .app
> bundle needs signed, which make signing bundled utilities like GRASS
> difficult as they don't follow bundle layout recommendations. I have
> successfully signed a QGIS.app with GRASS 6 embedded on Mac OSX 10.10, and
> the methodology used should work for OTB/GRASS7/SAGA/etc.
> >
> > For the nightly, I would like to offer a code signed drag/drop QGIS.app
> with GRASS7 bundled, since it's linked to for the internal plugin.
> >
> > Application bundles do not need signed if installed via a .pkg
> installer, only the installer needs signed. The signing is used by Mac's
> Gatekeeper sentry software when a user installs something, and is not in
> play after software is installed.
> >
> > The questions are:
> >
> > * Should code singing be done? (obviously +1 from me)
> > * Whose account should manage the certs? (I have one, though the PSC
> should probably set one up to be autonomous to packagers)
> > * Should it be incorporated in 2.12 packaging? (I think there is plenty
> of time to do so)
> >
> > [0]
> https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG205
> >
> > Reference:
> > [1]
> https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
> > [2]
> http://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/
> >
> >
> > Regards,
> >
> > Larry Shaffer
> > Dakota Cartography
> > Black Hills, South Dakota
> > <gatekeeper-notice_qgis-283-pkg.png>
>
> -----
> William Kyngesburye <kyngchaos*at*kyngchaos*dot*com>
> http://www.kyngchaos.com/
>
> "History is an illusion caused by the passage of time, and time is an
> illusion caused by the passage of history."
>
> - Hitchhiker's Guide to the Galaxy
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-psc/attachments/20150929/ea506b72/attachment.html>


More information about the Qgis-psc mailing list