kanriapp / kanri

🪐 Modern offline Kanban board app for Windows, macOS and Linux. Built with simplicity and user experience in mind.
https://kanriapp.com
GNU General Public License v3.0

Kanri cannot be opened (cannot be verified) #617

Open badlydrawnrob opened 1 month ago

badlydrawnrob commented 1 month ago

“kanri” cannot be opened because the developer cannot be verified. macOS cannot verify that this app is free from malware.

I'd love to use this app, but this kind of thing puts me off. Would be helpful for new users if your developer profile was verified with Apple. I think there's a real need (for me at least) for an offline Kanban as Trello desktop doesn't allow this at the moment.

I know there's a workaround for this and I'm sure it's a valid app, but Googling for "Kanri mac app safe" doesn't garner confidence enough to install it.

Steps to reproduce the behavior:

  1. Download Intel version
  2. Open .dmg and drag into Applications
  3. Attempt to open app

Expected behavior: launches without complaint. For instance, with MeisterTask I get a verification status bar and the below screenshot. It gives me a little more confidence in the app.

TL;DR if you're a fledgling startup and there's not much track record online, customers may feel a little wary about downloading (and that's coming from someone who often downloads node packages and has used homebrew before).

[Screenshot attached: 2024-08-12 at 15:35:25]
trobonox commented 1 month ago

Thanks for reaching out and sharing your concerns.

Unfortunately the only way to remove this error is by signing the app with a certificate. On macOS, this is only available to developers enrolled in the Apple Developer Program which costs $99 a year. As this project makes no money as of now, paying this fee is not really sustainable at the moment.

I will further look into this issue, maybe I can bring someone onto the team that already has an Apple Developer subscription and could provide me with a signing certificate. If there's any updates, I'll make sure to let you know.
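The Gatekeeper message in the report is the visible end of a check anyone can run before using the right-click Open (or xattr -d com.apple.quarantine) workaround, which skips exactly this check. The script below is an added example for this thread, not code from the Kanri project or either participant: it runs Apple's codesign, spctl and xattr against a bundle and reduces their output to a short verdict (unsigned, ad-hoc, Developer ID; accepted or rejected and why; which app downloaded the file and when). The bundle path /Applications/kanri.app follows the steps in the report, and the sample tool outputs embedded for the offline demo are constructed, not captured from Kanri.

```shell
#!/bin/sh
# Added example for this thread; not code from the Kanri project or the
# participants. The live checks need macOS; the parsing helpers run anywhere
# and are exercised below with constructed tool output.

# Reduce `codesign -dvvv <bundle>` output (read from stdin; codesign writes to
# stderr, so callers pass 2>&1) to one word describing how it is signed.
classify_signature() {
  out=$(cat)
  case "$out" in
    *'code object is not signed at all'*)           echo unsigned ;;     # nothing for Gatekeeper to verify
    *'Signature=adhoc'*)                            echo adhoc ;;        # signed at build time, no identity
    *'Authority=Developer ID Application:'*)        echo developer-id ;; # Apple-issued identity Gatekeeper wants
    *'Authority=Apple Mac OS Application Signing'*) echo app-store ;;
    *'Authority='*)                                 echo signed-other ;; # some other certificate chain
    *)                                              echo unknown ;;
  esac
}

# Reduce `spctl --assess --type execute -vv <bundle>` output to
# "accepted|rejected (source)". The source line is Gatekeeper's reason,
# e.g. "Notarized Developer ID" or "no usable signature".
gatekeeper_verdict() {
  out=$(cat)
  verdict=unknown
  case "$out" in
    *': accepted'*) verdict=accepted ;;
    *': rejected'*) verdict=rejected ;;
  esac
  src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
  printf '%s (%s)\n' "$verdict" "${src:-no source reported}"
}

# Decode a com.apple.quarantine value (flags;hex epoch;downloading agent;uuid)
# to see which application fetched the file and when.
quarantine_info() {
  IFS=';' read -r flags ts agent _ <<EOF
$1
EOF
  printf 'flags=%s agent=%s downloaded_epoch=%s\n' "$flags" "${agent:-unknown}" "$((0x$ts))"
}

# Live check of one bundle (macOS only). Default path is an assumption from
# the report's reproduction steps.
check_app() {
  app=${1:-/Applications/kanri.app}
  printf 'signature:  %s\n' "$(codesign -dvvv "$app" 2>&1 | classify_signature)"
  printf 'gatekeeper: %s\n' "$(spctl --assess --type execute -vv "$app" 2>&1 | gatekeeper_verdict)"
  if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
    printf 'quarantine: %s\n' "$(quarantine_info "$q")"
  else
    echo 'quarantine: attribute absent (not downloaded by a quarantine-aware app, or already cleared)'
  fi
}

# Constructed sample outputs (not captured from Kanri) so the helpers can be
# exercised without macOS.
SAMPLE_UNSIGNED='/Applications/kanri.app: code object is not signed at all'
SAMPLE_DEVID='Authority=Developer ID Application: Example Developer (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID1234'
SAMPLE_REJECTED='/Applications/kanri.app: rejected
source=no usable signature'
SAMPLE_QUARANTINE='0083;66ba12cd;Safari;5E1E4D4E-0000-4000-8000-000000000000'

demo() {
  printf '%s\n' "$SAMPLE_UNSIGNED" | classify_signature
  printf '%s\n' "$SAMPLE_DEVID" | classify_signature
  printf '%s\n' "$SAMPLE_REJECTED" | gatekeeper_verdict
  quarantine_info "$SAMPLE_QUARANTINE"
}

# Only touch the real system on macOS with an existing bundle; otherwise
# show the helpers on the constructed samples.
if [ "$(uname -s)" = Darwin ] && [ -d "${1:-/Applications/kanri.app}" ]; then
  check_app "${1:-}"
else
  demo
fi
```

Usage: sh check_app.sh /Applications/kanri.app. An unsigned build reports "signature: unsigned" and "gatekeeper: rejected (no usable signature)", which is the condition behind the dialog quoted above; a Developer ID build that has also been notarized reports "developer-id" and "accepted (Notarized Developer ID)". Run it on the downloaded bundle before clearing the quarantine attribute, since after that Gatekeeper no longer asks.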

badlydrawnrob commented 1 month ago

@trobonox Totally understand about cost. I've also built a free tool for beginners to learn how to code, and alas, I make no money from it (yet!). I had a quick look around at workable solutions, and tried sandbox-exec (which is deprecated but should still work).

;; Kanri potential sandbox configuration file ...
(version 1)
(deny default)

;; (deny default) also blocks exec of the app binary itself and dyld loading the
;; system libraries it links against, which is the "permission denied" seen at
;; launch. Allow those explicitly (read-only: the app never modifies its bundle).
(allow process-exec
  (regex "^/Applications/kanri.app/Contents/MacOS/"))
(allow file-read*
  (regex "^/Applications/kanri.app/")
  (subpath "/System")
  (subpath "/usr/lib")
  (subpath "/usr/share")
  (subpath "/private/var/db/dyld")
  (literal "/dev/null")
  (literal "/dev/urandom"))

;; A WebKit-based (Tauri) app also talks to system services. Start broad so it
;; launches, then narrow (e.g. mach-lookup with global-name filters) using the
;; "Sandbox: ... deny" lines the kernel writes to the unified log.
(allow mach-lookup sysctl-read ipc-posix-shm iokit-open)

;; Let's allow file read and write in specific locations and not
;; all over my filesystem!
;; Please note you can add more (regex "^/Users/<user-name>/xxxxxxxxxxx") lines depending
;; on what your MyApp needs to function properly.
(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/<user-name>/Applications/kanri/"))

;; Kanri's own per-user state (boards, caches, logs, preferences, WebKit data).
;; These need write access too, not just read, or saving a board is denied.
(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/<user-name>/Library/Application Support/tech.trobonox.kanri")
  (regex "^/Users/<user-name>/Library/Caches/tech.trobonox.kanri")
  (regex "^/Users/<user-name>/Library/Logs/tech.trobonox.kanri")
  (regex "^/Users/<user-name>/Library/Preferences/tech.trobonox.kanri.plist")
  (regex "^/Users/<user-name>/Library/WebKit/tech.trobonox.kanri"))

;; Everything else is disabled

I've tried running sandbox-exec -f kanri.sb /Applications/kanri.app/Contents/MacOS/kanri-bin, but unfortunately I get a permission denied when I try to run it. I don't really know what I'm doing at this level of system code though, so I don't know if it's still a realistic option!

I've scanned with Bitdefender and have a firewall running, so as long as you're following the security notes on Tauri, it should be fine. I'm even wary of using Homebrew these days (I lived in China for 3 years!) and try to download from a reliable source where possible. Then again, I use npm, but try to use npx to (I think) limit the risk.

On the theme of making money, after trying four different apps (two of which were buggy; most of which needed internet access — even Trello), there's plenty of space for another app in the market, so keep going!

It bugs me that everything asks for an internet connection these days: music, apps, tv, everything!

trobonox commented 1 month ago

Thanks for your insights! Quite strange that it doesn't work in the sandbox; there might be some extra things Tauri is doing under the hood that prevent it from working.

On the note of security, I have static code analysis and Dependabot security alerts enabled for the repo, regularly update my dependencies and have the Tauri security measures in place as far as I know (I have set a CSP and use a fairly restrictive allowlist). I'm not a security researcher but care about my users and try my best to implement security in any way I can.

badlydrawnrob commented 4 weeks ago

@trobonox Just to follow this up: it's not that Kanri wasn't working when I created a .sb sandbox file; it's that Terminal wouldn't allow me to set up/verify that .sb file (in order to sandbox Kanri), and I haven't managed to find a way to stop it complaining with permission denied. The sandbox-exec command is deprecated but should still work, as I think macOS is still using that under the hood.

If anyone knows how to get it working, I'm all ears!
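A (deny default) profile like the one posted earlier in this thread fails closed, so the practical way to get an app running under it is to read the kernel's own denial messages and turn each one into an allow rule, rather than guessing paths. The script below is an added example for this thread, not code from the participants or the Kanri project: it converts "Sandbox: ... deny" lines (as they appear in Console or the output of log show) into sandbox profile rules, de-duplicated and with the filter type each operation expects, and on macOS can launch the binary under a profile and harvest the denials from that run. The sample denial lines, the username "rob" in them and the service name are constructed, not captured from a real Kanri run.

```shell
#!/bin/sh
# Added example for this thread (not from the participants or the Kanri
# project): grow a (deny default) sandbox-exec profile from the kernel's own
# denial messages instead of guessing rules.

# Constructed denial lines in the unified-log format
# "Sandbox: <process>(<pid>) deny(<n>) <operation> <target>"; not captured
# from a real run. Note the repeated line and the unrelated one.
SAMPLE_DENIALS='Sandbox: kanri-bin(4242) deny(1) file-read-data /Users/rob/Library/Application Support/tech.trobonox.kanri/boards.json
Sandbox: kanri-bin(4242) deny(1) file-read-data /Users/rob/Library/Application Support/tech.trobonox.kanri/boards.json
Sandbox: kanri-bin(4242) deny(1) mach-lookup com.apple.windowserver.active
Sandbox: kanri-bin(4242) deny(1) sysctl-read kern.osversion
Sandbox: kanri-bin(4242) deny(1) process-exec /Applications/kanri.app/Contents/MacOS/kanri-bin
unrelated log line that must be ignored'

# Read denial lines on stdin; emit one (allow ...) rule per distinct
# operation/target pair, choosing the filter the operation expects.
denials_to_rules() {
  awk '
    /Sandbox: .* deny/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^deny(\([0-9]+\))?$/) break
      if (i + 1 > NF) next
      op = $(i + 1)
      target = $(i + 2)                       # targets may contain spaces
      for (j = i + 3; j <= NF; j++) target = target " " $j
      if (seen[op " " target]++) next         # drop repeats
      if (op == "mach-lookup")      printf "(allow %s (global-name \"%s\"))\n", op, target
      else if (op == "sysctl-read") printf "(allow %s (sysctl-name \"%s\"))\n", op, target
      else if (target ~ /^\//)      printf "(allow %s (literal \"%s\"))\n", op, target
      else                          printf "(allow %s)\n", op
    }' | sort
}

# Rules derived from the constructed sample; runs anywhere.
rules_for_sample() {
  printf '%s\n' "$SAMPLE_DENIALS" | denials_to_rules
}

# macOS only: run the binary under the profile for a few seconds, then pull
# the denials the sandbox logged during that window and convert them.
collect_denials() {
  profile=$1
  bin=$2
  sandbox-exec -f "$profile" "$bin" &
  sleep 10
  kill "$!" 2>/dev/null
  log show --last 1m --style compact \
    --predicate 'eventMessage CONTAINS "Sandbox:" AND eventMessage CONTAINS "deny"' \
    | denials_to_rules
}

if [ "$(uname -s)" = Darwin ] && [ -f "${1:-}" ]; then
  collect_denials "$1" "${2:-/Applications/kanri.app/Contents/MacOS/kanri-bin}"
else
  rules_for_sample
fi
```

Usage: sh grow_profile.sh kanri.sb, then paste the emitted rules into the profile and repeat until the app launches; once a set of literal paths under one directory becomes obvious, collapse them into a single (subpath ...) or (regex ...) rule rather than keeping them individually. Apple ships a comparable workflow: a (trace "/tmp/kanri.trace") directive in the profile records every operation, and sandbox-simplify /tmp/kanri.trace prints a profile covering them.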