[SAC] Osgeo Code signing certificates

Larry Shaffer larrys at dakotacarto.com
Wed Apr 20 03:11:50 PDT 2016


Hi Alex,

On Tue, Apr 19, 2016 at 10:42 PM, Alex Mandel <tech_dev at wildintellect.com>
wrote:

> On 04/19/2016 02:59 PM, Larry Shaffer wrote:
> > Hi,
> >
> > On Thu, Mar 24, 2016 at 3:33 PM, Larry Shaffer <larrys at dakotacarto.com>
> > wrote:
> >
> >> Hi,
> >>
> >> On Wed, Mar 23, 2016 at 6:47 AM, Jürgen E. <jef at norbit.de> wrote:
> >>
> >>> Hi Richard,
> >>>
> >>> On Wed, 23. Mar 2016 at 08:59:29 +0100, Richard Duivenvoorde wrote:
> >>>> So Question: who should (and can) buy and put these certs in a safe,
> and
> >>>> make it possible for Larry to get one and create an installer?
> >>>
> >>> See also
> https://lists.osgeo.org/pipermail/board/2015-October/013445.html
> >>> and https://lists.osgeo.org/pipermail/board/2015-October/013363.html.
> >>>
> >>> Not sure if Larry meanwhile joined SAC and if there was any progress
> >>> on this already...
> >>
> >>
> >> Apologies, as my work took me far away from this for quite some time. I
> >> have not joined SAC and I believe no action has taken place to procure
> any
> >> certificates. I will have time starting in April to work on setting up
> >> scripts for signing QGIS installers (at least for Mac).
> >>
> >
> > I can work on this some starting now, but will have even more time after
> > FOSS4G-NA (after May 9th). Who is the 'go to' on the SAC that can
> spearhead
> > procuring code-signing certificates with the money already allocated?
> >
> > I have done some more research. From what I have found, Apple *requires*
> > that the signing certificate for passing Mac Gatekeeper policies be an
> > Apple CA-signed certificate that has been generated from a CSR of only a
> > valid Apple Developer ID [0]. The code can be signed with a third-party
> > certificate (still securing the app against tampering), but such a
> signing
> > will NOT pass Gatekeeper, i.e. purchasing a non-Apple code-signing
> > certificate will be a wasted purchase for Mac distributions.
> >
> > This means for code-signing Mac OSGeo applications an Apple Developer
> > account is required. However, there are several options now [1]: Free,
> > Individual, Organization or Enterprise. I recommend the OSGeo create an
> > Organization-level ($99/year) account at Apple and set up 'teams' for all
> > OSGeo projects wishing to distribute Mac apps/installers. I can help with
> > this, as I have gone through this process for Boundless, for the
> > code-signing of our Mac apps/installers.
> >
> > If the SAC feels this is not appropriate for them to manage, maybe just
> the
> > QGIS project (pilot project for this) can set up the Apple account
> instead.
> >
> > A more general code-signing cert can be used for Windows apps/installers.
> > More research needs to be done here, as a less expensive solution for the
> > certificate may be useable.
> >
> > [0] http://stackoverflow.com/questions/11833481
> > [1] https://developer.apple.com/support/compare-memberships/
> >
> > There is money authorized, for at least two certs for 3 years. How OSGeo
> >> projects can share them (if possible) is a technical/policy question
> that
> >> needs to be answered.
> >>
> >
> > See above. I recommend earmarking at least 3 X $99/year for an Apple
> > Organization-level Developer ID account.
> >
> > Regards,
> >
> > Larry Shaffer
> > Dakota Cartography
> > Black Hills, South Dakota
> >
>
> I'd say if more than QGIS wants to use this then OSGeo should be the
> registered org. Larry, you would be the main point of contact with
> Apple. The treasurer of the board handles the money part.
>

Yes, I can do that. There is a Free account now, but it will lack a
Developer ID. So, from what I understand, the code will be signed, but the
OSGeo or QGIS project would not be indicated as the software's provenance.


> Am I correct in thinking this cert needs to be utilized on a Mac? Seems
> coordinating with William (kyngchaos) on the actual implementation would
> make sense.
>

The Apple cert for Mac, yes. A generic code-signing cert is more flexible
and would be useful for signing Windows installer packages, e.g. OSGeo4W or
standalone QGIS. Currently on Windows, the default is not to block
non-signed, unidentified installers/programs, but this will likely change.


> Perhaps we would store the credentials on the secure VM, as a backup?
>

Whatever works. At some point devs who package installers would need to be
trusted, since they need the private CSR key to do the actual signing. If a
cert/key is found to be misused, an admin can revoke the cert, as per usual
with PKI.


> Are these certs passphrase protected typically? Or can we opt to use
> some of the osgeo admin ssh keys to unlock them?
>

They work like a regular PKI cert and chain, just particular use for
code-signing, i.e. the private key (used during code signing) can be
encrypted. It is usually stored in the Mac Keychain, along with any CA
signing chain.


> Thanks,
> Alex
>
> _______________________________________________
> Sac mailing list
> Sac at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/sac
>
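Added example, not part of this thread and not OSGeo/QGIS tooling: a small openssl walk-through of the mechanics described above for a generic PKI code-signing key, i.e. the private key is passphrase-encrypted, signing needs the key plus the passphrase, verification needs only the certificate, and a modified installer fails verification. Apple's codesign (with the Keychain) and Microsoft's signtool wrap the same primitives in their own container formats, which are not reproduced here. The passphrase, subject name and "installer" payload are assumed placeholders.

```shell
#!/bin/sh
# Added illustration (not OSGeo/QGIS code): passphrase-protected signing key,
# detached signature over an installer, verification with the certificate only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Assumed placeholder passphrase. In practice this is what the Keychain, a
# vault or the ssh-key-unlock scheme discussed in the thread would protect.
PASS="example-passphrase"

# 1. Generate an AES-encrypted RSA private key and a self-signed certificate.
#    A real code-signing cert would be CA-issued and carry the codeSigning EKU;
#    the self-signed cert here only stands in for the public half of the identity.
gen_signing_identity() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/signer.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/signer.key" -passin "pass:$PASS" \
        -subj "/O=Example Org/CN=Example Installer Signing" -days 30 \
        -out "$WORK/signer.crt" 2>/dev/null
}

# 2. Sign an artifact. This step, and only this step, needs the private key
#    and the passphrase that unlocks it.  $1 = artifact, $2 = signature output
sign_artifact() {
    openssl dgst -sha256 -sign "$WORK/signer.key" -passin "pass:$PASS" \
        -out "$2" "$1"
}

# 3. Verify an artifact using nothing but the certificate's public key.
#    Returns 0 when the signature matches, non-zero otherwise.
verify_artifact() {
    openssl x509 -in "$WORK/signer.crt" -pubkey -noout > "$WORK/signer.pub"
    openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$2" "$1" \
        >/dev/null 2>&1
}

# End-to-end check on a constructed "installer" payload.
demo() {
    gen_signing_identity
    printf 'constructed installer payload\n' > "$WORK/installer.bin"

    # A wrong passphrase cannot unlock the key, so signing must fail.
    if openssl dgst -sha256 -sign "$WORK/signer.key" -passin "pass:wrong" \
            -out "$WORK/bad.sig" "$WORK/installer.bin" 2>/dev/null; then
        echo "wrong passphrase unexpectedly produced a signature"
        return 1
    fi

    sign_artifact "$WORK/installer.bin" "$WORK/installer.sig"
    verify_artifact "$WORK/installer.bin" "$WORK/installer.sig" || return 1

    # Any tampering with the signed bytes invalidates the signature.
    printf 'x' >> "$WORK/installer.bin"
    if verify_artifact "$WORK/installer.bin" "$WORK/installer.sig"; then
        echo "tampered installer unexpectedly verified"
        return 1
    fi

    echo "ok: genuine installer verifies; tampered copy and wrong passphrase rejected"
}
```

Run it with `sh script.sh` after appending a call to `demo`. The split it demonstrates is the one that matters for custody: the encrypted key and its passphrase need to exist only where packagers build installers, while anyone verifying needs just the certificate chain, and revoking the certificate (as with any PKI cert) is what closes the door if the key is misused.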