Keeweb: The OS X distribution should be signed

Created on 13 Apr 2016  ยท  27Comments  ยท  Source: keeweb/keeweb

Hello,

The OS X distribution should be signed by an Apple-identified developer ID.
See here: https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/DistributingApplicationsOutside/DistributingApplicationsOutside.html

Not doing this means that when trying to open the app OS X will complain about the executable not being signed and OS X will refuse to open it. You then have to force it open by pressing Shift, a little known trick for common users.

This has utility outside of fixing this slight inconvenience. By downloading a signed binary, I can trust that it is from you. I personally pay attention to such errors and now that I've seen the binary isn't signed, I began wondering - can I trust the website, can I trust the connection I used for downloading the app, what if this is malware? Now I'm afraid running it, especially since I'm the kind of guy that doesn't have antivirus software installed (since I'm also the kind of guy that always installs stuff from trustworthy sources).

distribution enhancement security

Most helpful comment

Enjoy the signed version ๐ŸŽ

All 27 comments

And Windows as well.
There's only one trouble with it: https://developer.apple.com/support/purchase-activation/
https://github.com/keeweb/keeweb/wiki/FAQ#security
So... Future.

I see, 99 USD per year is quite expensive for a free project, but after the project stabilizes, at some point you might consider asking for donations to cover it.

I see this issue is still open, nevertheless the latest Windows installer seems to be signed by "Open Source Developer, Dmitrii Vitkovskii". Is that a temporary thing or should we expect future release to be signed by the same person?

Windows distribution is signed because Certum offers open-source project code signing certificates for โ‚ฌ14/yr. They can be used only on Windows, for macOS there's only one option, certs issued by Apple for $100. This is not something we can afford now.

That's great! Is "Dmitrii Vitkovskii" the correct signature then? I do not
see that name on any project pages.

Sure it's correct, how binaries could be there otherwise?

From a user's perspective it looks really bad that the only app on my computer that is unsigned.... Is a security app that deals with all my passwords. It seems like exactly the type of app you want extra protection against someone man in the middling a download or an update.. Also, it may be $99/year but that also lets you publish on the Mac App Store... which at the very least would be great resume fodder for the developer that uploads it to the store.. Not to mention widening the accessibility/reach of the app greatly.

EDIT: Also, according to this it looks like the certificate for signing is valid for 5 years. So you could pay $99 and continue signing new releases for 5 years if I understand correctly.

@NoahO already signed app will remain valid for 5 years, but there will be no possibility to sign new versions, so it's $100 per year.

@antelle Are you sure about that? Maybe they sign your developer certificate with Apple Key and then you can run "codesign" on anything you like for the next 5 years until your 5 year certificate runs out. I can't see them making apps need to be resigned after 5 years, it would mean utilities would stop working when they get abandoned, and users would never be able to run versions of software older than 5 years..

Interesting. I tried to google for it, but I can't find anything but 'it looks like'. I'll try to find more references about it.

I just realized I still have an active membership myself. I'll do some digging tomorrow. If there's anything you want me to try let me know.

I can confirm that the "Developer ID Application:" cert that I used to just sign Keeweb is valid 5 years from the date I downloaded it.

I used codesign --deep --force --sign "Developer ID Application: Noah..." KeeWeb.app

Then I airdropped it to my phone and back again, and it let me install it without turning off Gatekeeper or right clicking.

@NoahO could you please share the executable? I'd like to test it on another mac.

@NoahO I can confirm, it's working without any issue. Did you do anything special to get a certificate for 5 years, or it's issued to everyone with a developer account?

@antelle It's just a standard personal developer account and I downloaded the certificate within Xcode using the Accounts / Apple ID / View Details window. :)

Cool, then I'll try to get developer id (it will take some time though).

Hi,

@antelle maybe consider setting up donations page for covering the yearly Apple Developer fee

@martinl it looks like, it is for five years. So it should appear in the next version, now I need to solve some problems to get developer id.
We do have donations, here: https://github.com/keeweb/keeweb/blob/master/README.md#donations

So, I finally have Apple developer account. Moving to v1.5, next version will be signed.

@NoahO just checked Developer ID certificates, and both of them (for apps and installers) are valid for 5 years. Thanks for the tip! ๐ŸŽ

@antelle No problem ๐Ÿ˜€

When can we expect a signed release to be available? :)

In the first weeks of June, in v1.5.

Enjoy the signed version ๐ŸŽ

Could you please tell me how can we use this "certificateSubjectName" variable in our electron code and where? I want to sign my electron app, I am using windows platform to create a build.

Thanks.

@Neo13Pr Hi,
KeeWeb can be built only on macOS.
However, it looks like, your question is not connected to KeeWeb, if so, it would be more appropriate to open an issue either in electron repo, or somewhere in electron-userland. Or, if you're interested in KeeWeb in particular, you can email me directly, instead of commenting this old issue and notifying subscribed people about unrelated questions.

Was this page helpful?
0 / 5 - 0 ratings