Open badlydrawnrob opened 1 month ago
Thanks for reaching out and sharing your concerns.
Unfortunately the only way to remove this error is by signing the app with a certificate. On macOS, this is only available to developers enrolled in the Apple Developer Program which costs $99 a year. As this project makes no money as of now, paying this fee is not really sustainable at the moment.
I will further look into this issue, maybe I can bring someone onto the team that already has an Apple Developer subscription and could provide me with a signing certificate. If there are any updates, I'll make sure to let you know.
@trobonox Totally understand about cost. I've also built a free tool for beginners to learn how to code, and alas, I make no money from it (yet!). I had a quick look around at workable solutions, and tried `sandbox-exec` (which is deprecated but should still work).
```
;; Kanri potential sandbox configuration file ...
(version 1)
(deny default)

;; Let's allow file read and write in specific locations and not
;; all over my filesystem!
;; Please note you can add more (regex "^/Users/<user-name>/xxxxxxxxxxx") lines depending
;; on what your MyApp needs to function properly.
(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/<user-name>/Applications/kanri/")
  (regex "^/Applications/kanri.app"))

;; You can also add a separate section for reading and writing files outside your
;; user_name account directory.
(allow file-read-data file-read-metadata
  (regex "^/Users/<user-name>/Library/Application Support/tech.trobonox.kanri")
  (regex "^/Users/<user-name>/Library/Caches/tech.trobonox.kanri")
  (regex "^/Users/<user-name>/Library/Logs/tech.trobonox.kanri")
  (regex "^/Users/<user-name>/Library/Preferences/tech.trobonox.kanri.plist")
  (regex "^/Users/<user-name>/Library/WebKit/tech.trobonox.kanri"))

;; Everything else is disabled
```
I've tried to `sandbox-exec -f kanri.sb /Applications/kanri.app/Contents/MacOS/kanri-bin` but unfortunately I'm getting a `permission denied` when I try to run it. I don't really know what I'm doing at this level of system code though, so I don't know if it's still a realistic option!
I've scanned with Bitdefender and have a firewall running, so as long as you're following the security notes on Tauri, should be fine. I'm even wary of using `homebrew` these days (I lived in China for 3 years!) and try and download at a reliable source where possible. Then again, I use `npm` but try to use `npx` to (I think) limit the risk.
On the theme of making money, after trying four different apps (two of which buggy; most of which needing access to internet — Trello, even) there's plenty of space for another app in the market so keep going!
It bugs me that everything asks for an internet connection these days: music, apps, tv, everything!
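A small checker for what the file rules in the profile above grant under `(deny default)`, as an added example that is not part of the original comment or of the project's code. It assumes `alice` for `<user-name>`, uses Python's `re` as a stand-in for the sandbox's regex matching, and understands only `allow` forms with `regex` filters; the paths it is asked about are constructed.

```python
import re

# Constructed copy of part of the profile above; "alice" stands in for <user-name>.
PROFILE = r'''
(version 1)
(deny default)
(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/alice/Applications/kanri/")
  (regex "^/Applications/kanri.app"))
(allow file-read-data file-read-metadata
  (regex "^/Users/alice/Library/Application Support/tech.trobonox.kanri"))
'''
TOKEN = re.compile(r';[^\n]*|[()]|"(?:[^"\\]|\\.)*"|[^\s()";]+')

def parse(text):
    """Parse profile text into nested lists, skipping ;; comments."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError("unexpected ')'")
            stack[-2].append(stack.pop())
        elif not tok.startswith(';'):
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("missing ')'")
    return stack[0]

def op_matches(rule_op, operation):
    # A trailing * covers every operation name with that prefix.
    if rule_op.endswith('*'):
        return operation.startswith(rule_op[:-1])
    return rule_op == operation

def allowed(forms, operation, path):
    """Default deny: an allow form must name the operation and match the path."""
    for form in forms:
        if not form or form[0] != 'allow':
            continue
        ops = [x for x in form[1:] if isinstance(x, str)]
        regexes = [x[1][1:-1] for x in form[1:]
                   if isinstance(x, list) and len(x) == 2 and x[0] == 'regex']
        if any(op_matches(o, operation) for o in ops) and (
                not regexes or any(re.search(r, path) for r in regexes)):
            return True
    return False

RULES = parse(PROFILE)
```

For the constructed paths, `allowed(RULES, "file-write-data", ...)` is false under Application Support (the profile grants reads only there) but true for `/Applications/kanri.app.bak/x`, because the bundle regex has no trailing slash. No rule names `process-exec`, so that operation is not granted for `kanri-bin`.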
Thanks for your insights! Quite strange that it doesn't work in the sandbox, there might be some extra things Tauri is doing under the hood that prevent it from working.
On the note of security, I have static code analysis and Dependabot security alerts enabled for the repo, regularly update my dependencies and have the Tauri security measures in place as far as I know (I have set a CSP and use a fairly restrictive allowlist). I'm not a security researcher but care about my users and try my best to implement security in any way I can.
@trobonox Just to follow this up, it's not that Kanri wasn't working when I created a `.sb` sandbox file, it's that terminal wouldn't allow me to setup/verify that `.sb` file (in order to sandbox Kanri), and I haven't managed to find a way to stop it complaining with `permission denied`. The `sandbox-exec` command is deprecated but should still work as I think macOS is still using that under the hood.
If anyone knows how to get it working, I'm all ears!
I'd love to use this app, but this kind of thing puts me off. Would be helpful for new users if your developer profile was verified with Apple. I think there's a real need (for me at least) for an offline Kanban as Trello desktop doesn't allow this at the moment.
I know there's a workaround for this and I'm sure it's a valid app, but Googling for "Kanri mac app safe" doesn't garner confidence enough to install it.
Steps to reproduce the behavior:
`.dmg` and drag into Applications
Expected behavior
Launches without complaint. For instance, with MeisterTask I get a verification status bar and the below screenshot. It gives me a little more confidence in the app.
TL;DR if you're a fledgling startup and there's not much track record online, customers may feel a little wary about downloading (and that's coming from someone who often downloads `node` packages and has used `homebrew` before).