Barrier: Unable to install on Mac since dmg is unsigned

I don't own a macOS machine, we build our release DMGs with azure pipelines.

@AdrianKoshka , Thank you for your quick response. Could you just sign the installer file with a certificate that identifies the developer?

I don't even know how to do this, I'm not a develop of barrier, I usually just try to manage issues, PRs, and maintain the flatpak.

For Windows there is a sign tool. PFB link
https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe

That's Microsoft's sign tool, I assume for windows. ._.

Could you use codesign to sign the dmg file for Mac?
https://stackoverflow.com/questions/23824815/how-to-add-codesigning-to-dmg-file-in-mac

I don't imagine so because:

I don't own a macOS machine

https://support.apple.com/en-us/HT202491, and scroll down to "_How to open an app that hasn’t been notarized or is from an unidentified developer_"

@TitanFail , that setting is blocked on my Mac provided by my organisation. Plus it is a good practice to sign one's applications.

Unfortunately, not many of the developers on this project _own_ a macOS unit, AFAIK. I guess its something to put on the roadmap though. I'm sorry that we can't do anything _right now_ though.

I'm tempted to get a macOS machine for Barrier development, but I can't exactly afford it right now :smile:. I have enough machines already!

Perhaps your organisation could whitelist Barrier; is that an option for the short-term?

@shymega , I had tried that before opening this issue. InfoSec already refused.
You shouldn't have to buy new hardware to test on Mac. One can run Mac on a VM.
https://wp.sjkp.dk/running-macos-using-virtual-box-in-azure/

I can help if you want it set up in Azure.

@Ayanmullick even if is it technically feasible that's definitely not legal https://www.virtualbox.org/manual/ch03.html#intro-macosxguests

 Mac OS X is commercial, licensed software and contains both license and technical restrictions that limit its use to certain hardware and usage scenarios. You must understand and comply with these restrictions.

In particular, Apple prohibits the installation of most versions of Mac OS X on non-Apple hardware. 

@truatpasteurdotfr , I thought that restriction was for commercial use.

I have a MacOS VM and can look into the signing requirements. The most difficult part will be making signing automatic on Azure.

Thanks @p12tic , I just need a signed dmg to install on a Macbook pro. The Azure suggestion was just for testing.

What @p12tic means is that we use Azure Pipelines to make releases, and signing .dmgs automatically upon release may be a bit tricky. We'll see.

To open unsigned apps on macOS:

1. Right click on the app
2. Press and hold command key
3. Click Open

@daankortenbach , that setting is blocked on my Mac provided by my organisation. InfoSec already refused an exception for me. Plus it is a good practice to sign one's applications.

@Ayanmullick I just put in a pull request #648 that changes the build to use macdeployqt which has the ability to codesign app bundles. It would be trivial to add codesigning to building the mac release if it gets merged, but there would still need to be a valid certificate which would require an Apple Developer Program membership which costs money. Most open-source programs don't have the money for an Apple Developer account. If you really need to have the functionality and don't mind paying you could try the program Barrier was forked from since it is a paid app and is probably signed.

You could see if your company will let you use a trusted certificate to compile and compile it yourself. Or if your company doesn't validate the certificate trust chain you could just build it with a self-signed certificate. I'd be happy to post a build with a self-signed certificate, but that pretty much defeats the purpose of requiring signed applications.

@AdrianKoshka if the Barrier project doesn't have any funding to open an Apple Developer account for signing it might be worthwhile to setup a way to receive donations toward that.

@simons-public , Thank you for your response. I would like to try the build with the self-signed certificate, if possible.

@Ayanmullick No problem, when I get off work later tonight and I'll build and post one for you from the 0deaaad commit with a self-signed certificate.

@Ayanmullick the self-signed dmg/app is posted here

@simons-public, You were right. My employer checks for Apple Dev Program Membership. :(

Thank you for your help. 👍