Fuck Apple and especially macOS Catalina. It only will get worse (https://www.osnews.com/story/131830/macos-10-15-slow-by-design/).

Thank you for layout out this possibility @TerryGeng :)

Imo this is just ridiculous. I'm already very hostile towards MacOS due to me not liking the way it functions (though that of course is personal preference) plus them not allowing to use MacOS in a VM (which would allow us to test and develop Mumble on MacOS as well).
If on top of that they come around and wanting to make us pay in order to get rid of that silly warning message, I tend more towards dropping mac-support completely than paying this fee.

However as this would only affect the Mumble users on MacOS instead of Apple as a whole, I am of course not promoting to drop MacOS support here though. However if we ever reach the point at which the payment is required in order for the application to run at all (or something that goes strongly in that direction), I'd be the first in line that votes to drop the OS entirely.
Let's just hope that this won't happen though :point_up:

TL;DR: I'm very strongly against paying Apple for this bullshit. Even if someone else was to pay the bill (We shouldn't support this kind of strategy).

@Krzmbrzl Yeah. That's true. I feel very uncomfortable to see this situation because I really like the products of Apple in general. And for the reason that I need to run some software on macOS (or Windows, which I don't like as well), it would be very hard for me to switch to other open source platforms. I believe this is the case for a lot of Mac users.

However if we ever reach the point at which the payment is required in order for the application to run at all

I think Apple is not too silly to understand that it is absolutely unbeneficial to piss off the open source community. So I don't really think they will be too ruthless to seal the way of running an App whose author doesn't pay the protection money.

Based on the discussion on #mumble, I suggest we make a highly visible message on the download page on mumble.info, stating that this warning box is expected. Users should not rely on Apple's Gatekeeper to verify the app. Instead they should download the signature file from mumble.info and verify by themselves. In order to run the app, they should click the System Preference -> Security -> Open Anyway button.

We can also make this a background image of the distributed DMG file.

We can also make this a background image of the distributed DMG file.

Would that even be big enough to be readable? :thinking:

Based on the discussion on #mumble, I suggest we make a highly visible message on the download page on mumble.info, stating that this warning box is expected.

@Kissaki could you do that? :)

Right now we sign releases using @mkrautz's personal developer account.

Ideally we should create a dedicated account for the project, but I firmly believe giving money to Apple is morally wrong and harms the IT world.

I'm aware that unfortunately many people need macOS, either due to exclusive programs and/or because the company they work in forces it due to "security". I'm also pretty sure hardware that only works with macOS exists.

From my point of view the decision is up to the community, especially because we receive enough donations to pay Apple's _pizzo_. That is, unless they decide to add a magical 9 to the price tag.

In my opinion, we shouldn't pay anything to Apple.
If a user wants to use Mumble, their friends/colleagues will instruct them about Mac OS restrictions, and how to install and do the first-run of Mumble app.

Right now we sign releases using @mkrautz's personal developer account.

But if we do sign releases... Where does the warning come from? :thinking:

If we can continue to use his account for that though, I'm all in to keep using that and providing signed / notarized builds.

The warning appears when running the builds produced by CI, we don't sign them.

As much as I agree with what has been said before.
Maybe you could contact Apple on this and ask about two topics:

1. Exceptions regarding fees for open source projects like yours.
2. Using virtual machines for testing.

It is possible that Apple does not care at all, but sometimes there are positive surprises.

Nonetheless the problem of indirectly supporting such manners remains.

I understand and can related to the general, prevalent frustration here. But I can also see why this was implemented with good reason.

For tech-savy persons this may not be necessary, but most users, even of Mumble I am sure, can not be trusted or asked to verify binary checksums, signatures, or even expected to download from the correct website.

Windows SmartScreen and Apple name-here are for those users. It attempts to solve this through building trust, and/or certification. And a not minimal entry fee so mass-scams are not worth it, and are associated to specific owners.

Windows SmartScreen requires code signing with certificates which are not cheap either, although distributed and created through third parties. Valve Steam added a game listing fee as well to prevent low quality product and scam spam.

For companies with a software product 100 USD is a drop in the bucket. For individuals, non-commercial projects and people who already spent a ton of their free time it is.

I am hesitant to just pay though. (Popular) FOSS projects should definitely get free or price reduced certificates either directly or indirectly.

I am certainly not against a dedicated funding where people could donate for this specific cause if they want to support this, for themselves, the platform or the project in general. If there were a FOSS solution available that would be even better. Either directly or some other forms of donations (certifying companies).

For now I agree we can and should document the current state and that it is what it is. Whether I would be in favor of paying or not would also depend on the userbase; how big the platform is for our project. It’s not necessarily necessary for a niche. I guess generally I think we should aim for doing so though if we can find a reasonable solution. Idealism is a good thing but should not ignore pragmatism. If we want to support the platform, and do so for novice users, then there is no way around it.

Yes, I can add something notice to the downloads page. I’m working on that one right now anyway. I will create a separate mumble-www ticket for that.

mumble user wsky reports the 1.3.1 dmg shows the error.

Does our existing cert (that we use for the 1.3 stable builds) not meet the new criteria by apple?

It probably appears because we don't notarize the releases, we only sign them.

It probably appears because we don't notarize the releases, we only sign them.

@davidebeatrici :o what is the difference?

And what is the process for notarizing?

It's explained by @TerryGeng in the first message.

Ah, my bad. :bow:

Have you considered applying to get a free Apple Developer account?

https://developer.apple.com/support/membership-fee-waiver/

Not sure if they give this to open source organizations or just not-profits. It's hard to claim that it is 'immoral' or there isn't a legitimate reason for Apple to verify that a real organization is behind this software versus Bob's Non-Profit (for you anyway) Malware LLC.

The problem is that Apple is forcing developers and users to use the App Store. It's only a matter of time until they lock out every app that is not downloaded from the App Store (IMHO). It would be morally less wrong, if they didn't put a 30% commission rate on everything. There is a reason the EU opened up an antitrust investigations into App Store practices.

"Nonprofit organizations, accredited educational institutions, and government entities" sounds like it would need a real organization in one of the eligible countries. Just because developers work on an open source project doesn't make it a non-profit organization. The need to create a non-profit organization or pay a $99 fee discriminates against the many open-source projects where a non-profit organization is more effort to create and run than it is worth.

Let's not forget that 3rd party apps on the iPhone 1 were web apps and Apple used a fork of KHTML to make that possible:
https://www.apple.com/newsroom/2007/06/11iPhone-to-Support-Third-Party-Web-2-0-Applications/

Apple doesn't have any problems to benefit from open source projects and make a shitload of money, but they are to lazy, greedy or morally stupid to care about the developers and users of community-driven open source projects. Apple would have the resources to proactively look for solutions to these problems, but I guess they don't give a shit.

The problem is that Apple is forcing developers and users to use the App Store. It's only a matter of time until they lock out every app that is not downloaded from the App Store (IMHO).

But they haven't yet -- and it seems kind of limiting to live in a world of what-ifs like that. You could always remove the app in retaliation as many other developers might at such a juncture.

It would be morally less wrong, if they didn't put a 30% commission rate on everything. There is a reason the EU opened up an antitrust investigations into App Store practices.

Well, if Apple wants to collect a 30 percent commission on a piece of free software, hopefully, they will at least give the other 70 percent to the project =P (Sorry, I couldn't resist.)

"Nonprofit organizations, accredited educational institutions, and government entities" sounds like it would need a real organization in one of the eligible countries. Just because developers work on an open-source project doesn't make it a non-profit organization. The need to create a non-profit organization or pay a $99 fee discriminates against the many open-source projects where a non-profit organization is more effort to create and run than it is worth.

Having now done this a few times myself (becoming a non-profit, that is), it's really not that hard nor time-consuming. With a sufficiently large community, those are the sorts of things you can delegate. In fact, having some kind of formality/governance is a good thing when, for example, the owner of the mumble.info domain name/GitHub account could rage-quit the project tomorrow over something like this discussion and shut it all down. If they were to do so, hopefully, the community has the legal recourse to rescue the project. You'll notice that several very successful open-source projects have gone in exactly this direction: https://opensource.com/resources/organizations

.. Just a thought. I have almost no skin in this game other than being a user at this time.

https://developer.apple.com/support/membership-fee-waiver/

Interesting.

Creating an organisation:

it's really not that hard nor time-consuming. With a sufficiently large community, those are the sorts of things you can delegate.

That probably depends on the country.
While I like this idea, it involves some work and money.
You would need to decide what form of organisation you want to be and then decide and work on multiple things:

1. Basic Agreements/Contracts (or similar)
2. Verification (costs money)
3. Board of Directors (or similar) and Votings
4. Financial reports/Cash auditors (necessary in many countries, does not need to be an external professional, but someone has to do it and is liable for it (of course))
5. Maybe necessary to communicate with state agencies for tax topics etc.

Also you would need to decide about the country where the organisation should be located, because as of now, there is for example no real european organisation besides the https://en.wikipedia.org/wiki/Societas_Europaea which is a form of company.

But they haven't yet -- and it seems kind of limiting to live in a world of what-ifs like that. You could always remove the app in retaliation as many other developers might at such a juncture.

If people accept any BS (pun intended) from Apple without any resistance, it's just a matter of when, not if.

Having now done this a few times myself (becoming a non-profit, that is), it's really not that hard nor time-consuming. With a sufficiently large community, those are the sorts of things you can delegate.

Mumble is open source software. If some wants to delegate it to themself, just do it.

I'm willing to donate $100 / year to see this notarized and in the app store. That seems like a small amount of money to greatly improve the distribution and security story for users of the mac. The notarization process and app store also lend a certain amount of security assurance to our users, and automatic updates, etc, which is all strictly value add stuff. If I amortize my $100 over all the users of Mumble and the new users of Mumble by making it easier to discover and manage, it feels like a better value than a meal for four at a restaurant.

@fnordpig thank you very much for your generous offer.
Could you please write a mail to contact[at]mumble.info so that we can talk about the details? :)

Hi, Update here myself and another donor gave $50 each to fund the app store certification costs.

Sorry, I should've posted an update here as soon as the Apple account was created (7th September).

I'm going to keep the issue open until Mumble 1.3.3 is released (signed with the new certificate and notarized as well).

Thank you very much for your donation!

For whatever it's worth, I tried 1.3.3 on Catalina and was not allowed to open the binary.

The release was signed with the new certificate, but the notarization process apparently failed due to "hardened runtime" not being enabled for the binary.

With CMake enabling it seems to be straightforward: https://stackoverflow.com/a/56026083