paranext / paranext-core

Electron client, extension host, and C# library for Paranext
https://paranext.github.io/paranext-core/
MIT License

macOS signed installer #1172

Open merchako opened 1 month ago

merchako commented 1 month ago

User Story: As a new macOS user, I want to install Platform and Paratext Studio as signed apps so that I don't need to take advance actions to circumvent macOS security.

Description: SIL developer Chris Hubbard writes:

FYI, I tried to download and run Platform.Bible from https://github.com/paranext/paranext-core/releases. I am on MacStudio with Apple Silicon. I tried downloading the arm64 version and got this message:

image

I tried the universal app and was able to run it. This isn't complaining about the developer not being verified (which happens with the universal app). I know how to work around that (right-click on app and select open) ...

image

Tasks

tombogle commented 1 month ago

I think the problem -- or at least part of it -- is that we have not yet gotten complete clarity as to which organization's signing certificate would be used. Up until recently, we thought a "neutral"/consortium org would officially own Platform, but now it looks like that will not be the case. For Paratext 10 Studio, it will be jointly owned and developed by UBS and SIL, but since you can't have a jointly owned certificate, one of the two organizations' certificates will need to be used. Paratext 9 and earlier have been signed by UBS, so I think that is probably the intention for 10 as well.

irahopkinson commented 2 weeks ago

@GlennPruitt says "If possible, I would like to use the same signing cert for P10 as we do for P9." Those certs are used for Windows signing. Can we use the same certs for macOS signing?

chrisvire commented 2 weeks ago

@irahopkinson macOS does not use Windows certificates. You have to have an Apple App Store account (SIL has an account that has a nonprofit waiver so that it does not cost the normal $99/year). You have to create a signing certificate that has a chain of trust back to Apple. You have to codesign binaries and then notarize the distribution dmg (specifying the teamId, username, password of a user in the account).

I have done this for the app-builders (Scripture App Builder, etc).
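
The codesign, notarize and staple sequence described in the comment above, as an added example that is not part of the thread or the project's own build scripts. It assumes a Developer ID Application certificate is already in the keychain and a notarytool keychain profile has been stored; the app path, identity string and profile name are constructed placeholders.

```sh
#!/bin/sh
# Added example (not project code). Every path, identity and profile name here is a
# constructed placeholder. DRY_RUN=1 (the default) only prints the commands.
set -u
APP="${APP:-dist/Example.app}"
DMG="${DMG:-dist/Example.dmg}"
IDENTITY="${IDENTITY:-Developer ID Application: Example Org (TEAMID1234)}"
# Keychain profile created once with `xcrun notarytool store-credentials`; it holds
# the Apple ID, team ID and app-specific password so none appear on a command line.
PROFILE="${PROFILE:-example-notary}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

sign() {  # hardened runtime and a secure timestamp, as notarization requires
  run codesign --force --timestamp --options runtime --sign "$IDENTITY" "$1"
}

release() {
  # 1. Sign inside-out: loose native libraries first, the bundle last.
  #    (Nested frameworks and helper .app bundles need the same treatment.)
  if [ -d "$APP" ]; then
    find "$APP" -type f \( -name '*.dylib' -o -name '*.node' \) |
      while IFS= read -r lib; do sign "$lib" || exit 1; done || return 1
  fi
  sign "$APP" || return 1
  run codesign --verify --deep --strict --verbose=2 "$APP" || return 1
  # 2. Package the app and sign the disk image.
  run hdiutil create -volname Example -srcfolder "$APP" -ov -format UDZO "$DMG" || return 1
  run codesign --force --timestamp --sign "$IDENTITY" "$DMG" || return 1
  # 3. Notarize, then staple the ticket so Gatekeeper can check it offline.
  run xcrun notarytool submit "$DMG" --keychain-profile "$PROFILE" --wait || return 1
  run xcrun stapler staple "$DMG" || return 1
  # 4. Ask Gatekeeper what an end user's machine will decide.
  run spctl --assess --type open --context context:primary-signature --verbose=2 "$DMG"
}

release
```

Run it with `DRY_RUN=0` on a Mac to execute the steps; any failing step stops the sequence before the image is published.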

chrisvire commented 2 weeks ago

This shouldn't be considered an enhancement. It should be required for deploying on macOS.

GlennPruitt commented 2 weeks ago

Chris, thanks for shedding light on this. I have moved this to be in our Q1 milestone so that it can be done prior to our first beta.

chrisvire commented 2 weeks ago

@GlennPruitt: When the time comes, let me know if you would like certificates and credentials from SIL's store.