LMMS / lmms

Cross-platform music production software
https://lmms.io
GNU General Public License v2.0

MacOS Signed Installer #3601

Open tresf opened 7 years ago

tresf commented 7 years ago

LMMS on MacOS is distributed in DMG format, which is a simple, drag-and-drop process for installation.

Unfortunately, the software icon will not run when first installed unless you Right Click, Open. This is due to Gatekeeper.


The way to fix this is to become a certified Apple developer and then sign our executable using an Apple certificate. For a standard business to become a "developer" this requires a D&B background check to validate identity. We operate similar to a business, but we're technically not, putting us in a Catch-22. This is a fairly common problem with open source projects such as LMMS as the developers are generally individuals and not a specific organizational entity.

Our first attempt is to reach out to Apple for a sponsored Developer Account. We've successfully gained sponsorship through NetworkRedux for our EV1 hosting package (normally hundreds USD/mo) as well as sponsored SSL certificate, so the idea of sponsorship isn't completely crazy. So... I've already reached out to sales and they provided this phone number ODAwLTYzMy0yMTUy(base64) to contact Apple Development team directly.

If this hits a dead-end, I personally would be willing to sponsor the developer account myself (about $100 USD/year), but it would be for a single individual (such as myself) instead of for the organization. This would be reflected in the certificate itself (which isn't normally displayed to the end-user on Apple).

follower commented 7 years ago

Another reason to consider signing the executable is to avoid a similar situation to the recent Handbrake malware incident, which, as I understand it, is at least in part attributable to a non-signed executable: https://forum.handbrake.fr/viewtopic.php?f=33&t=36364

follower commented 7 years ago

Just discovered the VideoLAN organisation offers various build & signing support for audio projects, so it might be worth getting in contact with them about this and #3602: https://github.com/HandBrake/HandBrake/issues/619#issuecomment-299862421 (From Handbrake issue regarding code-signing.)

follower commented 6 years ago

@tresf I wonder if this would be better/also labeled security (as per https://github.com/LMMS/lmms/issues/3601#issuecomment-306372431)?

Also, who would be a good person from LMMS to get in touch with VideoLAN re: https://github.com/LMMS/lmms/issues/3601#issuecomment-306384638?

tresf commented 6 years ago

better labeled security

Done.

who would be a good person from LMMS to get in touch with VideoLAN

Anyone, really. I personally (for a company I own) have a license to sign Mac executables, so I'm hesitant to even reach out to anyone. I wonder if it would make sense for an individual to just run with this as an independent developer for now? We should have enough in donations to fund a cert.

follower commented 5 years ago

I wonder if it would make sense for an individual to just run with this as an independent developer for now?

@tresf I feel if an organisation like @videolan is willing to support code-signing for FLOSS audio projects it would potentially be more future-proof to go with the non-individual option. Additionally, @videolan presumably can advise on best practices with this approach.

who would be a good person from LMMS to get in touch with VideoLAN

Anyone, really.

I wonder if mentioning @jbkempf is enough or if a more formal contact request is required? :)

tresf commented 5 years ago

it would potentially be more future-proof to go with the non-individual option.

Well, when I say "individual", what I actually mean is one of us would spearhead the subscription to Apple but we'd secretly share that login information with any other package maintainers. I know this goes against how Apple intends the certs to be distributed, but it's not really any different than an organization doing it (which they do!) with the exception that it's tied to an individual.

I wonder if mentioning @jbkempf is enough or if a more formal contact request is required? :)

:D

jbkempf commented 5 years ago

We can. Mail us.

tresf commented 5 years ago

@follower tag, you're it.

follower commented 5 years ago

@follower tag, you're it.

@tsref Dammit. :D

Mail us.

@jbkempf Thanks! Have just done so.

tresf commented 4 years ago

FYI, with macOS Catalina (10.15) not only do apps need to be digitally signed, but they have to pass strict Apple Notarization. This means LMMS can be even harder to run once Catalina is released this fall.

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution

Notarization requires all code to be digitally signed (not just the installers, like it used to be) as well as some hardening techniques with regard to the code.
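As an added example (not code from the LMMS project or from anyone in this thread), the following shell script shows how a maintainer or downstream packager can check, from the defender's side, whether a built app bundle satisfies what Gatekeeper and notarization ask for: a valid signature on every nested code object, the hardened runtime flag that notarization requires, a Gatekeeper verdict, and a stapled notarization ticket. The tool invocations (`codesign`, `spctl`, `xcrun stapler`) assume macOS with the Xcode command-line tools installed; the bundle path and the sample identifier are placeholders, and the two parsing helpers are pure so they can be exercised on captured tool output without a Mac.

```shell
#!/bin/sh
# Added example, not code from the LMMS project: a defender-side check of
# whether a macOS app bundle is signed, built with the hardened runtime that
# notarization requires, and accepted by Gatekeeper as notarized.
# The tool invocations assume macOS with the Xcode command-line tools; the
# parsing helpers are pure and can be exercised on captured tool output.

# `codesign -dvv` prints a line such as
#   CodeDirectory v=20500 size=... flags=0x10000(runtime) hashes=...
# Return 0 when the hardened-runtime flag is present in that output.
has_hardened_runtime() {
    printf '%s\n' "$1" | grep -Eq 'flags=0x[0-9a-fA-F]+\([^)]*runtime'
}

# `spctl --assess --type execute --verbose` prints e.g.
#   /path/App.app: accepted
#   source=Notarized Developer ID
# Classify that output as notarized, signed-only, rejected or unknown.
gatekeeper_verdict() {
    out="$1"
    if printf '%s\n' "$out" | grep -q ': rejected'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q 'source=Notarized Developer ID'; then
        echo notarized
    elif printf '%s\n' "$out" | grep -q ': accepted'; then
        echo signed-only
    else
        echo unknown
    fi
}

# Run the real tools against a bundle (macOS only) and print a summary.
check_bundle() {
    app="$1"
    # Structural verification of every nested code object (--deep) under
    # strict rules; a non-zero exit means the signature is broken or absent.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "$app: signature missing or invalid"
        return 1
    fi
    details=$(codesign -dvv "$app" 2>&1)
    if has_hardened_runtime "$details"; then
        echo "$app: hardened runtime enabled"
    else
        echo "$app: hardened runtime NOT enabled (notarization would fail)"
    fi
    verdict=$(gatekeeper_verdict "$(spctl --assess --type execute --verbose "$app" 2>&1)")
    echo "$app: Gatekeeper verdict = $verdict"
    # A stapled ticket lets Gatekeeper pass the app offline; exit 0 = stapled.
    if xcrun stapler validate "$app" >/dev/null 2>&1; then
        echo "$app: notarization ticket stapled"
    else
        echo "$app: no stapled ticket (Gatekeeper must reach Apple online)"
    fi
}

# Usage on macOS (placeholder path): check_bundle /Applications/Example.app
```

Running `check_bundle` on a DMG-extracted bundle before publishing a release catches the two failure modes discussed in the thread: an unsigned or partially signed bundle (the Right Click, Open experience), and a signed bundle that was built without the hardened runtime and so cannot be notarized for Catalina.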