[SAC] Osgeo Code signing certificates

Alex Mandel tech_dev at wildintellect.com
Tue Apr 19 21:42:12 PDT 2016


On 04/19/2016 02:59 PM, Larry Shaffer wrote:
> Hi,
> 
> On Thu, Mar 24, 2016 at 3:33 PM, Larry Shaffer <larrys at dakotacarto.com>
> wrote:
> 
>> Hi,
>>
>> On Wed, Mar 23, 2016 at 6:47 AM, Jürgen E. <jef at norbit.de> wrote:
>>
>>> Hi Richard,
>>>
>>> On Wed, 23. Mar 2016 at 08:59:29 +0100, Richard Duivenvoorde wrote:
>>>> So Question: who should (and can) buy and put these certs in a safe, and
>>>> make it possible for Larry to get one and create an installer?
>>>
>>> See also https://lists.osgeo.org/pipermail/board/2015-October/013445.html
>>> and https://lists.osgeo.org/pipermail/board/2015-October/013363.html.
>>>
>>> Not sure if Larry meanwhile joined SAC and if there was any progress
>>> on this already...
>>
>>
>> Apologies, as my work took me far away from this for quite some time. I
>> have not joined SAC and I believe no action has taken place to procure any
>> certificates. I will have time starting in April to work on setting up
>> scripts for signing QGIS installers (at least for Mac).
>>
> 
> I can work on this some starting now, but will have even more time after
> FOSS4G-NA (after May 9th). Who is the 'go to' on the SAC that can spearhead
> procuring code-signing certificates with the money already allocated?
> 
> I have done some more research. From what I have found, Apple *requires*
> that the signing certificate for passing Mac Gatekeeper policies be an
> Apple CA-signed certificate that has been generated from a CSR of only a
> valid Apple Developer ID [0]. The code can be signed with a third-party
> certificate (still securing the app against tampering), but such a signing
> will NOT pass Gatekeeper, i.e. purchasing a non-Apple code-signing
> certificate will be a wasted purchase for Mac distributions.
> 
> This means for code-signing Mac OSGeo applications an Apple Developer
> account is required. However, there are several options now [1]: Free,
> Individual, Organization or Enterprise. I recommend the OSGeo create an
> Organization-level ($99/year) account at Apple and set up 'teams' for all
> OSGeo projects wishing to distribute Mac apps/installers. I can help with
> this, as I have gone through this process for Boundless, for the
> code-signing of our Mac apps/installers.
> 
> If the SAC feels this is not appropriate for them to manage, maybe just the
> QGIS project (pilot project for this) can set up the Apple account instead.
> 
> A more general code-signing cert can be used for Windows apps/installers.
> More research needs done here, as a less expensive solution for the
> certificate may be useable.
> 
> [0] http://stackoverflow.com/questions/11833481
> [1] https://developer.apple.com/support/compare-memberships/
> 
>> There is money authorized, for at least two certs for 3 years. How OSGeo
>> projects can share them (if possible) is a technical/policy question that
>> needs answered.
>>
> 
> See above. I recommend earmarking at least 3 X $99/year for an Apple
> Organization-level Developer ID account.
> 
> Regards,
> 
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota
> 

I'd say if more than QGIS wants to use this then OSGeo should be the
registered org. Larry, you would be the main point of contact with
Apple. The treasurer of the board handles the money part.

Am I correct in thinking this cert needs to be utilized on a Mac? Seems
coordinating with William (kyngchaos) on the actual implementation would
make sense.

Perhaps we would store the credentials on the secure VM, as a backup?

Are these certs passphrase protected typically? Or can we opt to use
some of the osgeo admin ssh keys to unlock them?

Thanks,
Alex


