Notarizing the mac build

[TerryGeng]

After macOS 10.15, Apple requires all software to be notarized before distributing. Otherwise, the user will be prompted with a scaring warning:

The process of notarizing an app can be found here: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

In addition, useful information about notarizing apps automatically in a CI setup can be found at https://blog.zeplin.io/dev-journal-automate-notarizing-macos-apps-94b0b144ba9d

This process takes two steps:

First, we need to properly sign our app with a valid Apple Developer ID. We need to apply for one if we haven't done this before. https://developer.apple.com/programs/enroll/. A fee of $99 is charged :( for membership.

Then with that ID, we execute

export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/usr/bin/codesign_allocate"
codesign --force --sign "Developer ID Application: <my name>" /path/to/my.app

https://stackoverflow.com/questions/13204407/how-to-codesign-an-existing-mac-os-x-app-file-for-gatekeeper

After signing the app, we can start to get it notarized. In short, we need to

1. zip our Mumble.app container, then
2. uploading the zip file to Apple's public notarizing service. That is, passing it to xcrun altool --notarize-app -t osx -f Example.app.zip --primary-bundle-id <Bundle identifier> -u <Apple ID username> -p <Apple ID password> --output-format xml where the Bundle identifier is something located in Info.plist.
3. Then the notarizing request would be queued. We can run xcrun altool --notarization-info <Request identifier> -u <Apple ID username> -p <Apple ID password> --output-format xml to retrieve the status of this task.
4. After the notarizing is done, we need to attach Apple's certificate to the app with xcrun stapler staple Example.app

These steps are certainly not hard. But the $99 is more like blackmail. If you don't pay, your users will be scared with a warning box. This is certainly not fun, even disgusting. People are complaining about this (see https://buckleyisms.com/blog/apple-should-provide-notarization-for-open-source-apps/) as well.

There are certainly many open source apps that don't give it a damn. I think it is up the the mumble team's choice whether to pay this $99 and deliver the users a warning box-free experience.

[dardevelin]

@dardevelin what you are saying is incorrect.Mumble builds are no longer notarized. Apple has essentially screwed us over by always blocking the notarization process for one reason or another and therefore it was always really painful to draft releases that were supposed to get notarized.

And as it was time to renew our certificate, we decided to not do that and as a consequence don't notarize any future Mumble builds.

Therefore, the steps mentioned are indeed necessary to get around Apple's ridiculous "security" feature.

Ok thanks I officially will stop using mumble had enough with the years. So long and thanks for all the fish

[toby63]

@dardevelin what you are saying is incorrect.Mumble builds are no longer notarized. Apple has essentially screwed us over by always blocking the notarization process for one reason or another and therefore it was always really painful to draft releases that were supposed to get notarized. And as it was time to renew our certificate, we decided to not do that and as a consequence don't notarize any future Mumble builds. Therefore, the steps mentioned are indeed necessary to get around Apple's ridiculous "security" feature.

Ok thanks I officially will stop using mumble had enough with the years. So long and thanks for all the fish

Thats really childish, not the Mumble Team is to blame here, it is Apple. If you are not clever enough to see why Apple does this, here is the theory: They want to push their own stuff, so Open Source Applications of all kinds are in the way.

[dardevelin]

@toby63 I don't believe it's childish to acknowledge that there is no interest in notarising the APP and that I shouldn't be waisting your time in continuously attempting to see it done.

I have seen more "text" written about how "evil of apple, how bad of apple" than "search of solutions".

I recall when this community had a collaborative spirt, this would back then be a challenge to be solved as team. Someone would post the flag, communicate the barriers, others would come and join to find solutions together as team. Nowadays, the attitude is "Your use case is hard" screw it, go unserved.

This is in no way an isolated matter either, the "fights over automatic gain control" that it was pure insistence, despite a large part of the community wanting "local volume adjustment" as an option not even as a replacement. That discussion "forget the implementation" took years.

In this thread, first it was "oh the Tax" people are like I am happy to give the money if that's the obstacle. It moved into "we didn't have time" to make it to this release "when releases are essential "free" when you already build nightly anyways". And after 1 notarised year "let's throw away the learnings about notarisation" and screw the users that actually need it.

But you are right I am childish. Thanks

[Krzmbrzl]

You do you. But a few answers to what you said:

when releases are essential "free" when you already build nightly anyways"

They would be if you didn't have to mess with all this signing stuff that works completely different for every platform. That's actually quite time consuming, especially on macOS where the flags that you used last time don't work anymore, because now you have to agree to some new terms but where you can do this, you'll have to find out first, which again takes time. And this every time.

And after 1 notarised year "let's throw away the learnings about notarisation"

It was a test to see if we can make it work properly and the test showed: no we can't.

I recall when this community had a collaborative spirt, this would back then be a challenge to be solved as team.

Well then please go ahead and volunteer to take care of the macOS signing. We can provide you with the built binaries and you can can do all the signing related stuff. Then we can upload that as the official release to our website. If this process "is essentially free" anyway, it shouldn't be that much of a burden on you.

---

And then a few words in general: people often seem to forget that everyone working on Mumble generally does this in their free time and everything you do get from us developers is due to us spending our free time and offering the result for free. Therefore, this attitude of "you owe us xy" is completely ridiculous. If you really want something implemented in Mumble that badly, take some money in the hands and hire a developer to do it for you (if you can't do it yourself). Then, and only then, do you have the right to demand things from a developer. In every other situation you are more than welcome to voice suggestions or constructive criticism or contribute yourself. But that's it.

[dardevelin]

You do you. But a few answers to what you said:

when releases are essential "free" when you already build nightly anyways"

They would be if you didn't have to mess with all this signing stuff that works completely different for every platform. That's actually quite time consuming, especially on macOS where the flags that you used last time don't work anymore, because now you have to agree to some new terms but where you can do this, you'll have to find out first, which again takes time. And this every time.

And after 1 notarised year "let's throw away the learnings about notarisation"

It was a test to see if we can make it work properly and the test showed: no we can't.

I recall when this community had a collaborative spirt, this would back then be a challenge to be solved as team.

Well then please go ahead and volunteer to take care of the macOS signing. We can provide you with the built binaries and you can can do all the signing related stuff. Then we can upload that as the official release to our website. If this process "is essentially free" anyway, it shouldn't be that much of a burden on you.

---

And then a few words in general: people often seem to forget that everyone working on Mumble generally do this in their free time and everything you do get from us developers is due to us spending our free time and offering the result for free. Therefore, this attitude of "you owe us xy" is completely ridiculous. If you really want something implemented in Mumble that badly, take some money in the hands and hire a developer to do it for you (if you can't do it yourself). Then, and only then, do you have the right to demand things from a developer. In every other situation you are more than welcome to voice suggestions or constructive criticism or contribute yourself. But that's it.

Precisely for understanding the latter I said I will not use it any longer. In respect of your unwillingness to do it and not having time to commit to do it myself.

I have spent time contributing to Foss, including gcc , Linux kernel, Qt, VLC, and so many other gnome apps.

In the past, also contributed to mumble by finding and propose fixes to security vulnerability along with friends.

Which required me to consult a lawyer to make sure I wouldn't be breaching contract. (That's quite expensive FYI).

Those are efforts I put in which I don't "need" a pat on the back for, just mentioning because I am not just another "whinny" user that demands something for free. I simply pointed out that with that decision I can no longer use mumble. I believe in feedback and "highlighting what are the reasons to stop using the project" are helpful to "grow understanding of what people value"

Yet what did I get being called "childish" ... if am "cleaver enough".

Attempt high ground Shame, but "open source" while using GitHub over Gitlab, azure over open suse service or canonical or even redhat. Supporting windows as first platform over and ahead of Linux.

Do you at least acknowledged that it's not a very good argument to make ?

[Krzmbrzl]

I'm not criticising you for your original statement that you will quit using Mumble. That much is absolutely your choice and stating the reasons for it is also fine.

I don't agree with the statement of you being childish because of this.

My comment was targeted towards what has been said in your reply to toby.

Attempt high ground Shame, but "open source" while using GitHub over Gitlab, azure over open suse service or canonical or even redhat. Supporting windows as first platform over and ahead of Linux.

Do you at least acknowledged that it's not a very good argument to make ?

I do not. Because I don't see how what I said can be put into this context. I don't think I argued that the way we do things is the ultimate and only correct way of doing open source, so I don't see what you are getting at here.

In any case case, I think everything worth saying has been said now and continuing this discussion is probably pointless. :shrug:

[toby63]

Yet what did I get being called "childish" ... if am "clever enough".

I feel the need to clarify that I am not a part of the Mumble team, so as @Krzmbrzl pointed out, no one from the Mumble team said that to you, but I did :wink:. I think its your own fault using an OS thats a golden cage, yet you blame others. Write to Apple and complain to them.

[felix91gr]

Mm. Supporting windows first is what makes sense here.

1) Largest use case is gamers, and games are still a windows-first endeavor 2) C++ makes it hard to equally support different platforms. Remembering that this is a community effort is very important here – every extra effort is provided through pure volunteer's care. I'm thankful for linux support being as good as it is. I have no complaints :)

[InTheMorning]

If I understood correctly, Apple users who wish to have a notarized version available just need to hire someone new to trust and to take care of the notarizing process for the rest of the Apple users community?

[Krzmbrzl]

Yeah. We would gladly cooperate with anyone that wants to take up the signing process.

[davidebeatrici]

Mm. Supporting windows first is what makes sense here.

1. Largest use case is gamers, and games are still a windows-first endeavor

Right.

2. C++ makes it hard to equally support different platforms. Remembering that this is a community effort is very important here – every extra effort is provided through pure volunteer's care. I'm thankful for linux support being as good as it is. I have no complaints :)

C++ actually helps a lot, especially when it comes to abstraction. The Host{Linux,Windows} and Process{Linux,Windows} classes (used by positional audio plugins) are a great example of that.

The difficulty mostly consists in interfacing with whatever API the operating system provides.

And this is where the trouble begins on macOS, especially since Apple is firm on using Objective-C.

If I understood correctly, Apple users who wish to have a notarized version available just need to hire someone new to trust and to take care of the notarizing process for the rest of the Apple users community?

@Krzmbrzl and I poured plenty of hours into modifying our signing script(s) to make them work for notarization. We succeeded and released notarized binaries for a while, as promised (we received an explicit donation for an Apple Developer subscription).

The original idea was to proceed on that route, renewing the subscription ourselves every year, but the will to do so gradually decreased because every single time we wanted to produce the binaries we ran into at least one new issue and had to spend a substantial amount of time in order to troubleshoot it and find a solution or perhaps even a workaround.

@dardevelin I like challenges and I'm pretty sure @Krzmbrzl does too. We have always been trying to support at least the major operating systems while making the experience as flawless as possible for our users.

But when we realize a specific OS is being locked down on purpose by the company that owns it, we honestly just don't see the point in supporting their software (and in turn business) anymore.

In any case, the experience we gained is not wasted and the relevant signing script is in our repository: https://github.com/mumble-voip/mumble/blob/bf4ad2bc72b5a8a5d4e2c610dbae1fdfcb3a1bc3/scripts/sign_macOS.py

Yeah. We would gladly cooperate with anyone that wants to take up the signing process.

Important note to anyone willing to do so: from experience, as mentioned several times, it can be a time consuming task.

For that reason, it would be ideal if you're already familiar with the overall signing and notarization process.

[Krzmbrzl]

we honestly just don't see the point in supporting their software (and in turn business) anymore.

Just to clarify: We are not dropping macOS support as a whole. This "support" Davide referred to was targeted towards following the best practices for releasing software on that OS.

[sysfu]

Found a workaround, hat tip to this stack overflow poster

xattr -d com.apple.quarantine mumble-server-binary