[SAC] Osgeo Code signing certificates

Larry Shaffer larrys at dakotacarto.com
Tue Apr 19 14:59:31 PDT 2016


Hi,

On Thu, Mar 24, 2016 at 3:33 PM, Larry Shaffer <larrys at dakotacarto.com>
wrote:

> Hi,
>
> On Wed, Mar 23, 2016 at 6:47 AM, Jürgen E. <jef at norbit.de> wrote:
>
>> Hi Richard,
>>
>> On Wed, 23. Mar 2016 at 08:59:29 +0100, Richard Duivenvoorde wrote:
>> > So Question: who should (and can) buy and put these certs in a safe, and
>> > make it possible for Larry to get one and create an installer?
>>
>> See also https://lists.osgeo.org/pipermail/board/2015-October/013445.html
>> and https://lists.osgeo.org/pipermail/board/2015-October/013363.html.
>>
>> Not sure if Larry meanwhile joined SAC and if there was any progress
>> on this already...
>
>
> Apologies, as my work took me far away from this for quite some time. I
> have not joined SAC and I believe no action has taken place to procure any
> certificates. I will have time starting in April to work on setting up
> scripts for signing QGIS installers (at least for Mac).
>

I can work on this some starting now, but will have even more time after
FOSS4G-NA (after May 9th). Who is the 'go to' on the SAC that can spearhead
procuring code-signing certificates with the money already allocated?

I have done some more research. From what I have found, Apple *requires*
that the signing certificate for passing Mac Gatekeeper policies be an
Apple CA-signed certificate that has been generated from a CSR of only a
valid Apple Developer ID [0]. The code can be signed with a third-party
certificate (still securing the app against tampering), but such a signing
will NOT pass Gatekeeper, i.e. purchasing a non-Apple code-signing
certificate will be a wasted purchase for Mac distributions.

This means for code-signing Mac OSGeo applications an Apple Developer
account is required. However, there are several options now [1]: Free,
Individual, Organization or Enterprise. I recommend the OSGeo create an
Organization-level ($99/year) account at Apple and set up 'teams' for all
OSGeo projects wishing to distribute Mac apps/installers. I can help with
this, as I have gone through this process for Boundless, for the
code-signing of our Mac apps/installers.

If the SAC feels this is not appropriate for them to manage, maybe just the
QGIS project (pilot project for this) can set up the Apple account instead.

A more general code-signing cert can be used for Windows apps/installers.
More research needs to be done here, as a less expensive solution for the
certificate may be usable.

[0] http://stackoverflow.com/questions/11833481
[1] https://developer.apple.com/support/compare-memberships/

> There is money authorized, for at least two certs for 3 years. How OSGeo
> projects can share them (if possible) is a technical/policy question that
> needs to be answered.
>

See above. I recommend earmarking at least 3 X $99/year for an Apple
Organization-level Developer ID account.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

QGIS Support/Development | Boundless <http://boundlessgeo.com/>
lshaffer at boundlessgeo.com



> Regards,
>
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota
>
> QGIS Support/Development | Boundless <http://boundlessgeo.com/>
> lshaffer at boundlessgeo.com
>
>
>
>>
>>
>> Jürgen
>>
>> --
>> Jürgen E. Fischer           norBIT GmbH             Tel. +49-4931-918175-31
>> Dipl.-Inf. (FH)             Rheinstraße 13          Fax. +49-4931-918175-50
>> Software Engineer           D-26506 Norden          http://www.norbit.de
>> QGIS release manager (PSC)  Germany                 IRC: jef on FreeNode
>>
>> _______________________________________________
>> Sac mailing list
>> Sac at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/sac
>>
>
>