Re: [hatari-devel] Code signing for macOS




I don't know, when searching I came across this:

"Ever since Apple introduced Gatekeeper, some high-quality open-source apps have been second-class citizens on macOS, their maintainers either unable or unwilling to pay Apple $99 a year for a Developer ID certificate. Many of these are niche apps, but there are notable popular exceptions, such as Audacity. Other apps, like Krita, have had trouble integrating notarization into their build systems, requiring manual notarization for every release.

At this time, most of the large, popular open-source apps are signed and notarized, a big improvement over where things were just a couple years ago."


https://buckleyisms.com/blog/apple-should-provide-notarization-for-open-source-apps/

(I'm not too worried about any legal aspects. I'd first try the nonprofit aspect before thinking of paying. However, I'm far from being a major contributor to Hatari so I'd only go forward with this if it's something of interest for the wider team)


/Troed





On Sun, Nov 29, 2020 at 14:23, Nicolas Pomarède <npomarede@xxxxxxxxxxxx> wrote:
On 29/11/2020 at 12:56, Vincent Barrilliot wrote:
> Hello,
>
>
> Do we want to fix this ? I mean, Apple is true, they cannot guarantee
> who developers behind the app are. People pay expensive Macs to have an
> army of lawyers controlling their ecosystem by always knowing who to
> sue. Hatari is made by hobbyists, does any of them want to potentially
> get sued for what they do in their free time?
>
> * If yes (which I disagree with) then well we can pay and give
> Apple a stick to beat us if they don't like what we're doing.
>
> * If no then we should only seek the trust of people using Hatari, even
> if that requires them to manually specify it on their Mac.
>
> Eventually, if Apple makes it harder and harder to use open source apps
> like Hatari, to the point the Mac is no longer a friendly environment
> for open source apps, then it'll just mean you shouldn't use a Mac
> otherwise you're just creating trouble for yourself. Like if Lamborghini
> makes cars for running on race tracks, you shouldn't buy one to drive on
> muddy country roads.
>
>

Hi

I'm grateful if Troed wants to go through this process, but same as you I
also feel it goes against the open source idea and paying Apple who uses
its monopolistic advantage to enforce such policy.

Maybe in the end it's better to not accept Apple's rules and let the
users be aware of what is going on ? (especially if you consider that
with recent ARM release for macOS, Apple has some kind of backdoor to
let its own apps contact outside servers, bypassing their own firewall,
as was described in some recent articles).

How do other open source apps manage this ? For example Audacity is a
popular app, do they manage to get a signature from Apple ?

Nicolas





