HenriWahl / Nagstamon

Nagios status monitor for your desktop.
https://nagstamon.de

Missing notarization for MacOS #861

Open afischer211 opened 2 years ago

afischer211 commented 2 years ago

After installation of Nagstamon with Homebrew I cannot directly start this app because of missing notarization. I must go over the Finder for overriding this security step.

HenriWahl commented 2 years ago

Yes, as Nagstamon is not signed (yet?) this seems to be necessary.

GertjanBijl commented 1 year ago

This is not only an issue on MacOS, but also for Windows. I have to ask our IT department to whitelist Nagstamon every release again, otherwise I cannot use it. @HenriWahl, as I see at https://signmycode.com/offers/code-signing-certificates, the costs are about $225 for a 5-year certificate from Comodo (Sectigo) Code Signing. My boss is prepared to donate the money for the certificate if you are willing to use it.

HenriWahl commented 1 year ago

@GertjanBijl sorry for the late reply - sounds interesting. I will have a look at this code signing and let you (and your boss) know if I found out if this would work with the build process or how to make it work.

HenriWahl commented 1 year ago

@GertjanBijl I found a simple recipe at https://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows to check out if this works in general. Looks like yes, but I still got a message that this software is unknown - the only change is that there is a vendor known now. Can you try this out on your side and check what your security software thinks about a binary that is signed this way?

HenriWahl commented 1 year ago

@GertjanBijl I did some research and found at https://signmycode.com/comodo-individual-code-signing in the table at the bottom that "Microsoft SmartScreen Reputation Boost Up" won't be fixed by the smaller types of certificates. Would this help anyway to get deployed in your environment?

GertjanBijl commented 1 year ago

Hi @HenriWahl , a self-signed certificate would not be acceptable for us, as we will never import your root-CA into all our certificate stores. Regarding the SmartScreen Reputation: With an OV certificate, SmartScreen reputation must be built organically, as users download and install your files. SmartScreen warnings may occur until enough software proves sufficiently popular with Windows users for SmartScreen to view it as “well known.” Unfortunately, Microsoft does not publish guidelines on what constitutes enough downloads to eliminate SmartScreen warnings. Microsoft has also indicated in the past that signing code is a “best practice” that you “can follow to help establish and maintain reputation for your applications.” Source: https://learn.microsoft.com/en-us/answers/questions/417016/reputation-with-ov-certificates-and-are-ev-certifi

For us, the OV certificate (=Comodo Code Signing) would be sufficient, but if you want to be sure to be trusted immediately, you might want to buy the EV certificate. Both support Apple OS X Signing (which was the original request by @afischer211).
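The distinction drawn above (self-signed versus CA-issued, and what a local IT department would need to see before whitelisting a release) can be checked on a downloaded installer with a short PowerShell script. This is an added example, not part of the thread or of the Nagstamon project; the file path is a placeholder you pass in.

```powershell
# Added example (not Nagstamon project code): inspect the Authenticode
# signature on a downloaded installer before whitelisting it.
# Assumption: $Path points at the setup executable you downloaded.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Summarise who signed the file and whether the chain is trusted here.
[pscustomobject]@{
    File          = (Split-Path $Path -Leaf)
    Status        = $sig.Status              # Valid / NotSigned / UnknownError ...
    StatusMessage = $sig.StatusMessage
    Signer        = $sig.SignerCertificate.Subject
    Issuer        = $sig.SignerCertificate.Issuer
    NotAfter      = $sig.SignerCertificate.NotAfter
    Timestamped   = [bool]$sig.TimeStamperCertificate  # keeps signature valid after cert expiry
} | Format-List

switch ($sig.Status) {
    'Valid'     { Write-Host "Signature chains to a root trusted on this machine; review Signer and Issuer before whitelisting." }
    'NotSigned' { Write-Warning "Unsigned binary: expect SmartScreen and AV warnings." }
    default     { Write-Warning "Signature present but not trusted here ($($sig.StatusMessage)). A self-signed certificate lands in this branch unless its root was imported." }
}

# A self-signed certificate has Subject equal to Issuer; flag it explicitly.
if ($sig.SignerCertificate -and
    $sig.SignerCertificate.Subject -eq $sig.SignerCertificate.Issuer) {
    Write-Warning "Certificate is self-signed; no public CA vouches for the signer."
}
```

Run it as `.\Check-Signature.ps1 -Path .\Nagstamon-setup.exe` (constructed file name); a signature from a public CA shows `Status: Valid` with a distinct Issuer, which is the state the OV or Individual certificate discussed above produces.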

HenriWahl commented 1 year ago

I tried, but as I am not a company I can only buy the Individual certificate, which according to this feature overview table seems to be as valid as an OV certificate - at least in regard to the Windows SmartScreen.

HenriWahl commented 1 year ago

@GertjanBijl FYI I am in the process of getting that individual certificate but it seems to take some time.

HenriWahl commented 1 year ago

@GertjanBijl I finally managed to get signing working. Please check the latest testing release 3.11-20230328, which has a signed setup and executable. I expect it will still be warned about by Microsoft Defender Smartscreen, because it is no EV certificate but an individual one.

HenriWahl commented 1 year ago

@GertjanBijl any news regarding signed Nagstamon installer and your local security?

GertjanBijl commented 1 year ago

@HenriWahl, it seems to be working very well! Thank you for the effort!

GertjanBijl commented 1 year ago

Sorry for the double post, but note that I only tested the Windows installer and application, I did not test anything on Mac OS, so I don't know if the issue of @afischer211 is also fixed by this.

HenriWahl commented 1 year ago

@GertjanBijl nice to read it works. I clearly noticed less false positives on virustotal.com too so this is a win in general.

The original macOS notarization problem can't be solved by this software signing but will be with an Apple developer account. Because this costs even more than Windows code signing, I will start this process after some donations, because it worked that well with Windows.