[SAC] so code signing
Larry Shaffer
larrys at dakotacarto.com
Tue Oct 25 15:03:30 PDT 2016
Hi,
On Tue, Oct 25, 2016 at 3:30 PM, Jody Garnett <jody.garnett at gmail.com>
wrote:
> Excellent, Larry is your point of contact (think you two sorted out the
> macOS last time so you know the drill).
>
> Larry are we missing anything?
>
Ostensibly, standard third-party code signing certs could be used for
Apple, too (as they are apt to advertise). But, this is NOT the case. While
the code can be signed, it will not pass Apple's Gatekeeper architecture,
which requires an Apple-issued cert. So, currently we use the Apple dev
account, via the OSGeo, to generate the certs for QGIS and GeoServer for
macOS due to this limitation imposed by Apple.
It also goes the other way too. We can not use the Apple cert for
code-signing on Win (technically, we could, but there would not be the
Apple Certificate Authorities on Win OS, so would fail to verify). It would
be about the same as using a self-signed cert.
Until these proprietary OS companies get together on this, and change their
ways, we are stuck with needing two separate signing cert setups.
Regards,
Larry Shaffer
Dakota Cartography
Black Hills, South Dakota
Boundless Desktop and QGIS Support/Development
Boundless Spatial <http://boundlessgeo.com/>
> --
> Jody Garnett
>
> On 25 October 2016 at 14:27, Michael Smith <michael.smith.erdc at gmail.com>
> wrote:
>
>> I can work on this. Has anyone gone through the process to see what info
>> is needed? I ask as before we did the OS X dev account I had to get a DUNS
>> id. Just wondering if there is any base info we need for the purchase.
>>
>> If not, I should be able to do this tomorrow (afk this evening).
>>
>> Michael Smith
>> Remote Sensing/GIS Center
>> US Army Corps of Engineers
>>
>> On Oct 25, 2016, at 4:58 PM, Jody Garnett <jody.garnett at gmail.com> wrote:
>>
>> Afternoon Michael,
>>
>> The GeoServer project is now in position to make use of a certificate for
>> signing windows 10 applications (indeed the signing issue came up during
>> testing of our release candidate).
>>
>> Can I ask that you purchase a certificate we can use on windows? Larry
>> provided https://www.digicert.com/code-signing/code-signing.htm and
>> example of a cost effective provider.
>>
>> I think it would be appropriate to purchase this for 2-3 years?
>>
>> If we purchase this on behalf of the GeoServer project (that has a tight
>> deadline) we can ask SAC to manage the certifcate (and carefully share it
>> with the QGIS and OSGeo4Win team.
>>
>> Larry am I missing anything? Who is responsible for the QGIS community
>> windows releases?
>>
>> Related tickets:
>> - https://trac.osgeo.org/osgeo/ticket/1813
>> - https://osgeo-org.atlassian.net/browse/GEOS-7812
>>
>>
>> --
>> Jody Garnett
>>
>> On 27 May 2016 at 03:37, Michael Smith <michael.smith.erdc at gmail.com>
>> wrote:
>>
>>> All,
>>>
>>> OSGeo now has an Apple Developer Organization account. I can provide
>>> access to projects to get code signing certificates for OS X applications.
>>>
>>> OSGeo should do the same for Windows applications as well, whether
>>> through the the EV Signing certificate described below or some other route
>>> but it's now one of those infrastructure components that OSGeo should
>>> provide to projects (the question of full or incubated projects also needs
>>> to be discussed).
>>>
>>> Just let me know what you all think is the best route and I'll follow
>>> the steps to get a Windows signing certificate for OSGeo.
>>>
>>> Michael Smith
>>> OSGeo Treasurer
>>>
>>> > On May 27, 2016, at 6:21 AM, Fenoy Gerald <gerald.fenoy at geolabs.fr>
>>> wrote:
>>> >
>>> > Dear Jody, Dear all,
>>> > I have to say first that I know only a little about all this Code
>>> signing certificate but have learnt a bit later this week.
>>> >
>>> > When using Windows 10, which was not really my cup of tea, I have
>>> noticed that some installer of our applications, such as QGIS itself, give
>>> the privilege to the end user who try to install it to see a ugly
>>> smartscreen saying that the application is unsafe and can damage your
>>> computer (it is probably better said than what I expressed here, but I have
>>> the message in french locally :) ).
>>> >
>>> > So, learning that we need a real certificate to sign an application I
>>> have bought an OV code signing certificate, at that step I unfortunately
>>> noticed that I cannot register ZOO-Project as a provider cause I don’t have
>>> any phone bill, official address and so on which are required when you
>>> acquire such kind of a certificate. So finally I have decided to move on by
>>> using GeoLabs SARL for which I have everything required even if it doesn’t
>>> really fit for this application. Still, I have build again then signed the
>>> application with it and I have still this silly smartscreeen appearing. So
>>> I learned a bit more and contacted back the SSL provider I have dealt with,
>>> they confirmed that only 5 CA (in the whole world) are allowed to provide
>>> the *key* EV-Certificate required to sign your windows application. Note
>>> that the provider I use provide EV-SSL but not EV-Certificate for code
>>> signing as they are not allowed to provide such certificates by Microsoft.
>>> >
>>> > Anyway, I thought to myself fine, I will simply pass a contract with
>>> another provider, still with the same issue that I have to use my personal
>>> or my company name (which are not a real solution as the software is made
>>> by a community, where not everyone is involved in GeoLabs SARL in any way
>>> nor under my name). So I went to the 5 CA and checked for pricing and what
>>> is offered for the announced price. When I went on the digicert website [1]
>>> to order a code signing certificate for my company I have seen this, for
>>> 224$ per year, you can have an "EV Code Signing Certificate » (perfect it
>>> is exactly what I was looking for) but I got the surprise that it provides
>>> a little bit more than code signing for Windows platform only. Indeed, they
>>> textually said that within the 224$ US contract you will have access to
>>> this: « Supports Microsoft Authenticode, Office VBA, Java, Adobe AIR,
>>> Apple's Mac OS, and Mozilla objects. » .
>>> >
>>> > So it seems that by registering to this certificate provider
>>> (digicert) we can have a signature which can be used on the 2 platforms
>>> (MacOS X and Windows). I am aware that we are all much more familiar with
>>> MacOS X than with Windows but still I think it makes sens to provide
>>> support for code signing for both.
>>> >
>>> > Note also that even if GeoLabs SARL is getting an EV Code Signing
>>> Certificate it can be only considerate as a wrong solution as it is not
>>> handled only by GeoLabs SARL and it is not its responsibility to provide
>>> such kind of signature I think.
>>> >
>>> > I hope that OSGeo can a provide solution for our projects for code
>>> signing without favoriting any platform on top of the other. Open Source
>>> can work anywhere so I don’t think it makes much sens to have only the
>>> MacOS X developper account to solve the issue only for MacOS X platform.
>>> >
>>> > Still, I have another question, like the more important by now for the
>>> ZOO-Project itself: supposing that OSGeo provides a solution for its
>>> softwares for code signing, I suppose that it will be available only for
>>> incubated project, right ? For me it makes sense to have only incubated
>>> project getting the capability to sign the app with OSgeo as Producer of
>>> the application. But, in such a case, I would like to know cause it will
>>> mean that we will have to find another way around the issue and probably go
>>> for a company’s EV Code Signing Certificate even if it does not really fit
>>> with our purpose.
>>> >
>>> > I do apologie for not stepping in this thread earlier but I have get
>>> the information few hours ago only (for both windows and MacOS platforms I
>>> mean).
>>> >
>>> > I hope to hear back from you,
>>> > Best regards,
>>> >
>>> > [1] https://www.digicert.com/order/order-1.php
>>> >
>>> >> Le 20 avr. 2016 à 21:23, Jody Garnett <jody.garnett at gmail.com> a
>>> écrit :
>>> >>
>>> >> Has their been any progress on the code signing certificate stuff for
>>> QGIS? I am going through GeoServer 2.9-beta2 release process - and the mac
>>> platform is getting increasingly restricted.
>>> >>
>>> >> (Not that I disagree, the restriction warns users if they are running
>>> code that has not been signed - I kind of like the idea of user's being
>>> asked if they trust OSGeo when installing GeoServer).
>>> >>
>>> >> I guess whatever has been worked out for QGIS we would like a piece
>>> of for GeoServer. It may also be worth reaching out to other applications
>>> (especially desktop applications) once we have a procedure in place.
>>> >> --
>>> >> Jody Garnett
>>> >> _______________________________________________
>>> >> Sac mailing list
>>> >> Sac at lists.osgeo.org
>>> >> http://lists.osgeo.org/mailman/listinfo/sac
>>> >
>>> > _______________________________________________
>>> > Sac mailing list
>>> > Sac at lists.osgeo.org
>>> > http://lists.osgeo.org/mailman/listinfo/sac
>>> _______________________________________________
>>> Sac mailing list
>>> Sac at lists.osgeo.org
>>> http://lists.osgeo.org/mailman/listinfo/sac
>>>
>>
>> _______________________________________________
>> Sac mailing list
>> Sac at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/sac
>>
>>
>> _______________________________________________
>> Sac mailing list
>> Sac at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/sac
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/sac/attachments/20161025/519d8e44/attachment.html>
More information about the Sac
mailing list