ViennaRSS / vienna-rss

Vienna is a free and open-source RSS/Atom newsreader for macOS.
https://www.vienna-rss.com
Apache License 2.0

Code signing #49

Closed barijaona closed 12 years ago

barijaona commented 12 years ago

Vienna had better implement code signing to meet Mountain Lion's Gatekeeper requirements.

barijaona commented 12 years ago

Apple's documentation is not very clear regarding applications downloaded outside of the Mac App Store... Many docs strongly suggest having them signed with an Apple Developer ID, but I read here https://developer.apple.com/library/mac/#documentation/security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW1 :

if your company already has a third-party signing identity that you use to sign code on other systems, you can use it with the Mac OS X codesign command.

I am still using Snow Leopard. To make sure that Vienna runs without a warning under Mountain Lion, do I have to pay $100 to get an Apple Developer ID, or can I use for instance a free certificate issued by Certum, whose root certificate is included in OS X? http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml seems to be an interesting option...

TheSpyder commented 12 years ago

I'm running Lion, and I have access to a Mountain Lion machine at work. I'm happy to test code signed builds or techniques for code signing if you need me to :)

It's not as simple as $100 for the Developer ID, the certificates are only valid for 12 months so it's actually $100 a year while the app is under active development.

TheSpyder commented 12 years ago

I did some digging and there are a few claims that while the Developer ID certificate process still requires a paid developer account, it's only because Mountain Lion hasn't been released yet. I'm dubious about that though - why would Apple lock out open source software until the release date?

There are other OSS apps which are signed - Adium for example - maybe it's worth asking them if they used a third party cert.

barijaona commented 12 years ago

The commands "codesign -vv AppnameHere.app" and "codesign -dvv AppnameHere.app" allow us to check the status of an application.

Here is what I see on Snow Leopard: Adium and Firefox are signed with an Apple Developer ID and are considered valid... But Opera and Microsoft Office apps are signed with a Verisign certificate and are also considered valid... And a build of ViennaBeta that I signed with a Certum certificate is considered valid...

Can you check if Opera is valid in Mountain Lion?

My opinion: Apple risks being successfully sued by competitors if they try to enforce a monopoly as the sole authority on all Mac apps. They could do this on app stores, because it was a new package offered for a new market and they could reasonably claim "anything else didn't work"; but locking a lucrative market ($100 per year) while there is no compelling advantage for the end user to deal with a certificate signed by Apple over a certificate signed by Verisign/Thawte is quite a different story.

TheSpyder commented 12 years ago

Both MS Word and Opera load fine with Gatekeeper turned on. The Vienna Beta does as well, but I think that's because I ran Vienna from Xcode in the past. Vienna from the website does not run with Gatekeeper on.

Interestingly Notational Velocity also runs fine, and it appears to be fully self-signed:

(master)nada:Applications spyder$ codesign -dvv Notational\ Velocity.app
Executable=/Users/spyder/Applications/Notational Velocity.app/Contents/MacOS/Notational Velocity
Identifier=net.notational.velocity
Format=bundle with Mach-O universal (i386 ppc x86_64)
CodeDirectory v=20100 size=4692 flags=0x0(none) hashes=228+3 location=embedded
Signature size=1677
Authority=Notational Velocity
Signed Time=01/04/2011 2:41:20 PM
Info.plist entries=26
Sealed Resources rules=4 files=189
Internal requirements count=1 size=224

If you throw up a build signed by Certum I'm happy to make sure it runs. ML will be released in a matter of hours, so this is kinda important :)

TheSpyder commented 12 years ago

I found a bunch of unsigned apps that work just fine with gatekeeper on - and after significant confusion I've figured out why.

You know how when apps are downloaded, it prompts you to allow them to execute on first load? This is now the gatekeeper flag. If you disable gatekeeper, load the app (accepting the prompt) and then re-enable gatekeeper, the unsigned app is still allowed to run.

I proved this by downloading a fresh copy of Vienna and extracting it twice. After loading one with gatekeeper off, gatekeeper allows it but blocks the other copy.

barijaona commented 12 years ago

Yes, testing is tricky with this Gatekeeper ACL. Glad you found a reliable method.

Can you test with this ViennaBeta build? https://github.com/downloads/barijaona/vienna-rss/ViennaBeta3.0b.2815.zip

TheSpyder commented 12 years ago

Sadly it's still reporting it as an unidentified developer :(

TheSpyder commented 12 years ago

Oh dear. https://developer.apple.com/library/mac/#documentation/ToolsLanguages/Conceptual/OSXWorkflowGuide/DistributingApplicationsOutside/DistributingApplicationsOutside.html#//apple_ref/doc/uid/TP40011201-CH12-SW2

If your application is not signed with a Developer ID certificate issued by Apple, it will not launch on systems that have this security option selected.

TheSpyder commented 12 years ago

aha! it's not ideal, but there is a way to get an app out of quarantine without turning off gatekeeper completely: http://stackoverflow.com/questions/11097453/mac-os-mountain-lion-is-it-possible-to-code-sign-applications-for-gatekeeper-wi

barijaona commented 12 years ago

Just to be sure: if you install into your keychain the level 3 Certum certificate (just double-click the attachment downloaded by the link https://www.certum.pl/l3.crt), then redownload my build (https://github.com/downloads/barijaona/vienna-rss/ViennaBeta3.0b.2815.zip), does Gatekeeper still block running?

TheSpyder commented 12 years ago

Sadly, no :(

I even tried installing it as a system certificate, no dice.

barijaona commented 12 years ago

OK. My understanding so far:

  1. documents or apps downloaded through a web browser get the com.apple.quarantine extended attribute: you can see it with the command xattr -l filename
  2. for applications signed with an Apple ID (and probably apps signed by a few specific signatories that Apple considers reliable), this attribute is automatically removed at first launch
  3. for unsigned applications or apps whose signature is untrusted by Apple, you can remove the attribute by right-clicking and choosing 'Open'
  4. removing the attribute can also be done with xattr -d -r com.apple.quarantine filename

Can you confirm that? (for instance, by downloading fresh copies of Firefox and Vienna)
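The two checks the thread relies on, the signing chain reported by `codesign -dvv` (as in the Notational Velocity dump earlier) and the com.apple.quarantine attribute reported by `xattr -l`, can be combined into one small script. The following is an added example, not code from the Vienna project or from either participant; the parsing functions read captured command output on stdin so they can be exercised on any system, and only `inspect_app` at the bottom calls the real macOS tools. The certificate chain names and quarantine value used for illustration in the comments are constructed, and the outcome table encodes the thread's findings: only a Developer ID signature passes Gatekeeper while the quarantine attribute is present.

```shell
#!/bin/sh
# gatekeeper_check.sh (hypothetical name): summarise what Gatekeeper will see
# for an app bundle. Not part of Vienna; written for this issue thread.

# Print the Authority= lines from `codesign -dvv` output, leaf certificate first.
signing_authorities() {
    sed -n 's/^Authority=//p'
}

# Classify a signature from `codesign -dvv` output on stdin.
# Prints one of: unsigned, developer-id, other-ca, self-signed
classify_signature() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*) echo unsigned; return ;;
    esac
    leaf=$(printf '%s\n' "$out" | signing_authorities | head -n 1)
    count=$(printf '%s\n' "$out" | signing_authorities | wc -l | tr -d ' ')
    case "$leaf" in
        "Developer ID Application:"*) echo developer-id ;;
        # No Authority= line at all (e.g. an ad-hoc signature): Gatekeeper
        # treats this like an unsigned bundle.
        "") echo unsigned ;;
        *)
            # A single Authority line with no issuing CA behind it is a
            # self-signed identity, as in the Notational Velocity dump above;
            # a longer chain means some other CA (Certum, Verisign, ...).
            if [ "$count" -eq 1 ]; then echo self-signed; else echo other-ca; fi ;;
    esac
}

# Report whether `xattr -l` output on stdin lists the quarantine attribute.
# Prints: quarantined or clear
quarantine_state() {
    if grep -q '^com.apple.quarantine:'; then echo quarantined; else echo clear; fi
}

# What a user should expect under Gatekeeper's default setting, given the
# two classifications. Once the attribute is gone (right-click Open, or
# `xattr -d -r com.apple.quarantine App.app`), Gatekeeper no longer intervenes.
expected_gatekeeper_outcome() {
    sig=$1
    q=$2
    if [ "$q" = clear ]; then echo runs; return; fi
    case "$sig" in
        developer-id) echo "runs (first-launch prompt)" ;;
        *) echo "blocked (right-click Open or xattr -d to clear)" ;;
    esac
}

# Run the real tools against a bundle on macOS (codesign writes to stderr).
inspect_app() {
    app=$1
    sig=$(codesign -dvv "$app" 2>&1 | classify_signature)
    q=$(xattr -l "$app" 2>/dev/null | quarantine_state)
    printf '%s\nsignature=%s quarantine=%s -> %s\n' "$app" "$sig" "$q" \
        "$(expected_gatekeeper_outcome "$sig" "$q")"
}

# Usage on macOS: sh gatekeeper_check.sh /Applications/Vienna.app
if [ "$#" -gt 0 ]; then inspect_app "$1"; fi
```

Because the classification works on text, you can paste the `codesign -dvv` output someone else posted (as TheSpyder did above) and get the same verdict without having the bundle yourself.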

TheSpyder commented 12 years ago

Yes, my reading of the documentation indicates gatekeeper is completely tied to quarantine. When in quarantine, unsigned apps are blocked completely; signed apps show the "are you sure" prompt similar to Lion.

If I remove quarantine from ViennaBeta.app manually, it loads without a problem.

After loading Firefox the quarantine attribute is still attached even though I am no longer prompted when opening it. Maybe there's a database of accepted apps somewhere (this would make sense, since developer certs can be revoked).

barijaona commented 12 years ago

So, does the build of ViennaBeta I signed prompt a warning and run normally afterwards? What is displayed?

TheSpyder commented 12 years ago

If I use xattr to remove quarantine, it doesn't prompt at all. If I leave quarantine enabled it is blocked from running unless I right click -> open.

The dialogs look like this: https://skitch.com/thespyder/ee7ur/beta-blocked https://skitch.com/thespyder/ee7uk/beta-right-click-open

barijaona commented 12 years ago

Signing with a non-Apple ID signature is better than nothing... I'll publish a build with a Certum certificate, until someone gets an Apple ID.

barijaona commented 12 years ago

Solved as of build 2817, which is signed with an Apple ID.