theodi / comma-chameleon

A desktop CSV editor for data publishers
https://comma-chameleon.io/
MIT License

Sign the OSX app #93

Open Floppy opened 8 years ago

Floppy commented 8 years ago

Currently the app isn't signed, so gets flagged under the unknown developer security thing.

Stephen-Gates commented 8 years ago

+1 Tried making Comma Chameleon my default tool to open CSV files (1) for a demo (2) because Excel mangles data, but...

[screenshot 2016-09-14 07 07 01]

drchriscole commented 7 years ago

Saw this tool as highly recommended, but can't even open it.

Floppy commented 7 years ago

@drchriscole you can right click then option-click on open to enable the app, but yes, this is something we need to fix properly.

Floppy commented 7 years ago

Looks like https://www.npmjs.com/package/electron-osx-sign might be the thing to use

Floppy commented 7 years ago

@davetaz am I right in thinking we already have an Apple developer license for the ODI because of the mobile apps?

davetaz commented 7 years ago

Correct, you should be an admin on it I think. Check your Apple ID at developer.apple.com. You should then be able to provision an app profile and somehow get the certificates needed for solving this.

Floppy commented 7 years ago

@davetaz brilliant, thanks.

pezholio commented 7 years ago

Just clocked this. Just one issue to flag, we might need to investigate how the releases are built as I think you need to build on OSX if you want to sign an app for OSX. I'm pretty sure Travis has some OSX images though.

Floppy commented 7 years ago

Yep, need to build (or at least sign) on OSX. Hadn't considered doing a Travis build on OSX, that's an interesting possibility; I was thinking it would have to be a manual process (which obviously would suck). I'll take a look.

Floppy commented 7 years ago

electron-packager (which we use already) uses electron-osx-sign so there's no need to change that. Just need to be on the right OS and have the certificate.

pezholio commented 7 years ago

Ace 👍

drchriscole commented 7 years ago

@Floppy thanks. The right-click allowed me to run it. Nice trick! Thanks.

quadrophobiac commented 7 years ago

So I cannot duplicate the unidentified developer warning message - can someone who had this problem previously confirm if their Security & Privacy settings were set like so?

[screen shot 2017-06-02 at 12 54 26]

Stephen-Gates commented 7 years ago

To re-create:

[screenshot 2017-06-02 22 15 56]

[screenshot 2017-06-02 22 20 32]

quadrophobiac commented 7 years ago

Thanks @Stephen-Gates, for whatever reason I can't replicate it exactly but I do have something that will let me check if my signing remedies it

quadrophobiac commented 7 years ago

I've used RB App Checker Lite to verify if the app is being signed correctly. For comparison here is the current package as generated by the gulp script, then that same package signed with electron-osx-sign:

[gulp-generated-comma-chameleon]

[gulp-generated-comma-chameleon-after-sign]

The above signature differences are replicated in a more manual signing flow where electron-packager and electron-sign are utilised.

While the correct signatures have been applied I am seeing no difference in behaviour in terms of being the default opening app. I have updated releases - only MacOS Comma Chameleon-darwin-x64 has been signed - from this related branch if anyone here (@Stephen-Gates?) would care to test if any behaviour has changed. For now the same build flow has been utilised to update the releases page by a minor increment. https://github.com/theodi/comma-chameleon/releases/tag/0.5.2

Given I expect that the signing won't resolve the problems indicated thus far I think the issues in this ticket need separating out, one for app showing up as a Signed Identified App, and the other to relate to setting electron app as default for opening CSV files. There is also a question of how the current utilisation of csvlint should work - as a binary it should also be signed.

It may be necessary to change the build process wholesale by switching to electron-builder. It seems a lot of people defer to this after encountering many of the same issues I encountered trying to get this set up. It also has support for yarn, and may play well with dependabot (cc @floppy)
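
Added example (not from the thread or the project): a command-line counterpart to the signature check described in the comment above, using the macOS system tools `codesign` and `spctl`. It also reports any executable Mach-O file inside the bundle that has no valid signature of its own, which is how an unsigned bundled helper such as csvlint would show up. The function name and exit codes are this example's own.

```shell
#!/bin/sh
# Added example: signature checks for a packaged macOS .app bundle.
# Needs macOS: codesign, spctl and file are the system tools.

# verify_app_signature APP_PATH
# Returns 0 if all checks pass, 1 if any check fails, 2 on a bad argument.
verify_app_signature() {
    app=$1
    if [ -z "$app" ] || [ ! -d "$app" ]; then
        echo "usage: verify_app_signature /path/to/Some.app" >&2
        return 2
    fi
    failed=0

    # 1. Seal of the bundle as a whole, including nested code.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL bundle signature: $app"
        failed=1
    fi

    # 2. Every executable Mach-O file on its own, so an unsigned helper
    #    binary shipped inside the bundle is reported by path.
    list=$(mktemp)
    find "$app" -type f -perm -100 > "$list"
    while IFS= read -r bin; do
        file -b "$bin" | grep -q 'Mach-O' || continue
        if ! codesign --verify --strict "$bin" 2>/dev/null; then
            echo "FAIL no valid signature: $bin"
            failed=1
        fi
    done < "$list"
    rm -f "$list"

    # 3. Gatekeeper's own verdict for launching the app.
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "FAIL Gatekeeper assessment: $app"
        failed=1
    fi

    return "$failed"
}
```

Run it against the packaged `.app` after signing and before uploading a release; a non-zero exit status can fail the build.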

Stephen-Gates commented 7 years ago

@quadrophobiac

Downloaded App

screenshot 2017-06-05 22 40 30

Used Finder to open a CSV with Comma Chameleon

screenshot 2017-06-05 22 42 30

Didn't like it

screenshot 2017-06-05 22 42 55

Adjusted settings and still couldn't open csv file from finder but could open using File > Open in Comma Chameleon

quadrophobiac commented 7 years ago

Yeah that's the same issue I encountered. I've researched this and I don't see that there's anything else to be done in terms of signing.

Stephen-Gates commented 7 years ago

So is the solution to submit to the App Store?

quadrophobiac commented 7 years ago

In short I don't know at present - my gut says no, because Mac App Store and non-App Store distribution are both supposed to be supported. Trouble is most guides assume that Xcode is being used to sign apps. I'm trying to piece together tests that can deduce why this isn't working because the App Store solution is beyond the scope left today.

quadrophobiac commented 7 years ago

@Stephen-Gates can you try these steps

  1. download the Comma Chameleon link I emailed you (it's a way of mocking the quarantine steps here)
  2. Set your gatekeeper to Allow apps downloaded from: App Store
  3. double click downloaded app. You should see this alert: [screen shot 2017-06-05 at 15 45 53] [screen shot 2017-06-05 at 15 46 35]
  4. Change the Gatekeeper settings to Allow apps downloaded from: App Store and identified developers
  5. double click downloaded app
  6. You should get [screen shot 2017-06-05 at 15 52 33] and thereafter the app should open fine.

None of this resolves the 'set as default CSV opening app' but I think it confirms that the app is displaying the requisite behaviour for a developer signed app.

Given the restrictions that Sierra brought to Gatekeeper, working towards a Mac App Store distribution is definitely the best solution to this problem overall. It's also possible that sandboxing might be needed, and doing that is part of the Mac App Store distro process. So if you can confirm that you see the above Stephen I'll move to close this issue.

Stephen-Gates commented 7 years ago

Yep. I get the same as above @quadrophobiac

quadrophobiac commented 7 years ago

In response to the initial ticket

> Currently the app isn't signed, so gets flagged under the unknown developer security thing.

I think this is a separate issue to the open CSV by default. It's unclear from electron documentation how to accomplish this without submitting to the App Store. Creating a sandboxed app with the correct manifest details may resolve it. I noticed a closed issue - https://github.com/theodi/comma-chameleon/issues/75 - on the same request, may warrant reopening it in light of this lack of functionality. In the meantime including the 'right click workaround' within the readme seems the most expedient solution to the problem.