[SAC] Osgeo Code signing certificates
Larry Shaffer
larrys at dakotacarto.com
Tue Apr 19 14:59:31 PDT 2016
Hi,
On Thu, Mar 24, 2016 at 3:33 PM, Larry Shaffer <larrys at dakotacarto.com>
wrote:
> Hi,
>
> On Wed, Mar 23, 2016 at 6:47 AM, Jürgen E. <jef at norbit.de> wrote:
>
>> Hi Richard,
>>
>> On Wed, 23. Mar 2016 at 08:59:29 +0100, Richard Duivenvoorde wrote:
>> > So Question: who should (and can) buy and put these certs in a safe, and
>> > make it possible for Larry to get one and create an installer?
>>
>> See also https://lists.osgeo.org/pipermail/board/2015-October/013445.html
>> and https://lists.osgeo.org/pipermail/board/2015-October/013363.html.
>>
>> Not sure if Larry meanwhile joined SAC and if there was any progress
>> on this already...
>
>
> Apologizes, as my work took me far away from this for quite some time. I
> have not joined SAC and I believe no action has taken place to procure any
> certificates. I will have time starting in April to work on setting up
> scripts for signing QGIS installers (at least for Mac).
>
I can work on this some starting now, but will have even more time after
FOSS4G-NA (after May 9th). Who is the 'go to' on the SAC that can spearhead
procuring code-signing certificates with the money already allocated?
I have done some more research. From what I have found, Apple *requires*
that the signing certificate for passing Mac Gatekeeper policies be an
Apple CA-signed certificate that has been generated from a CSR of only a
valid Apple Developer ID [0]. The code can be signed with a third-party
certificate (still securing the app against tampering), but such a signing
will NOT pass Gatekeeper, i.e. purchasing a non-Apple code-signing
certificate will be a wasted purchase for Mac distributions.
This means for code-signing Mac OSGeo applications an Apple Developer
account is required. However, there are several options now [1]: Free,
Individual, Organization or Enterprise. I recommend the OSGeo create an
Organization-level ($99/year) account at Apple and set up 'teams' for all
OSGeo projects wishing to distribute Mac apps/installers. I can help with
this, as I have gone through this process for Boundless, for the
code-signing of our Mac apps/installers.
If the SAC feels this is not appropriate for them to manage, maybe just the
QGIS project (pilot project for this) can set up the Apple account instead.
A more general code-signing cert can be used for Windows apps/installers.
More research needs done here, as a less expensive solution for the
certificate may be useable.
[0] http://stackoverflow.com/questions/11833481
[1] https://developer.apple.com/support/compare-memberships/
There is money authorized, for at least two certs for 3 years. How OSGeo
> projects can share them (if possible) is a technical/policy question that
> needs answered.
>
See above. I recommend earmarking at least 3 X $99/year for an Apple
Organization-level Developer ID account.
Regards,
Larry Shaffer
Dakota Cartography
Black Hills, South Dakota
QGIS Support/Development | Boundless <http://boundlessgeo.com/>
lshaffer at boundlessgeo.com
> Regards,
>
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota
>
> QGIS Support/Development | Boundless <http://boundlessgeo.com/>
> lshaffer at boundlessgeo.com
>
>
>
>>
>>
>> Jürgen
>>
>> --
>> Jürgen E. Fischer norBIT GmbH Tel.
>> +49-4931-918175-31
>> Dipl.-Inf. (FH) Rheinstraße 13 Fax.
>> +49-4931-918175-50
>> Software Engineer D-26506 Norden
>> http://www.norbit.de
>> QGIS release manager (PSC) Germany IRC: jef on
>> FreeNode
>>
>> _______________________________________________
>> Sac mailing list
>> Sac at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/sac
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/sac/attachments/20160419/4cf5a875/attachment.html>
More information about the Sac
mailing list