Comments (18)
Apple's documentation is not very clear regarding applications downloaded outside of Mac App Store... Many docs strongly suggest to have them signed with an Apple Developer ID, but I read here https://developer.apple.com/library/mac/#documentation/security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW1 :
"if your company already has a third-party signing identity that you use to sign code on other systems, you can use it with the Mac OS X codesign command."
I am still using Snow Leopard. To make sure that Vienna runs without a warning under Mountain Lion, do I have to pay 100 $ to get an Apple Developer ID or can I use for instance a free certificate issued by Certum, whose root certificate is included in OS X ? http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml seems to be an interesting option...
from vienna-rss.
I'm running Lion, and I have access to a Mountain Lion machine at work. I'm happy to test code signed builds or techniques for code signing if you need me to :)
It's not as simple as $100 for the Developer ID, the certificates are only valid for 12 months so it's actually $100 a year while the app is under active development.
from vienna-rss.
I did some digging and there are a few claims that while the Developer ID certificate process still requires a paid developer account, it's only because Mountain Lion hasn't been released yet. I'm dubious about that though - why would Apple lock out open source software until the release date?
There are other OSS apps which are signed - Adium for example - maybe it's worth asking them if they used a third party cert.
from vienna-rss.
The commands "codesign -vv AppnameHere.app" and "codesign -dvv AppnameHere.app" allow us to check the status of an application.
Here is what I see on Snow Leopard : Adium and Firefox are signed with Apple Developer ID and are considered valid...
But Opera and Microsoft Office apps are signed with a Verisign certificate and are also considered valid...
And a build of ViennaBeta that I signed with a Certum certificate is considered valid...
Can you check if Opera is valid in Mountain Lion ?
My opinion : Apple risks being successfully sued by competitors if they try to enforce a monopoly as the sole authority on all Mac apps.
They could do this on app stores, because it was a new package offered for a new market and they could reasonably claim "anything else didn't work" ; but locking a lucrative market (100 $ per year) while there is no compelling advantage for the end user to deal with a certificate signed by Apple over a certificate signed by Verisign/Thawte is a quite different story.
from vienna-rss.
Both MS Word and Opera load fine with gatekeeper turned on. The Vienna Beta does as well, but I think that's because I ran Vienna from xcode in the past. Vienna from the website does not run with gatekeeper on.
Interestingly Notational Velocity also runs fine, and it appears to be fully self-signed:
(master)nada:Applications spyder$ codesign -dvv Notational\ Velocity.app
Executable=/Users/spyder/Applications/Notational Velocity.app/Contents/MacOS/Notational Velocity
Identifier=net.notational.velocity
Format=bundle with Mach-O universal (i386 ppc x86_64)
CodeDirectory v=20100 size=4692 flags=0x0(none) hashes=228+3 location=embedded
Signature size=1677
Authority=Notational Velocity
Signed Time=01/04/2011 2:41:20 PM
Info.plist entries=26
Sealed Resources rules=4 files=189
Internal requirements count=1 size=224
If you throw up a build signed by Certum I'm happy to make sure it runs. ML will be released in a matter of hours, so this is kinda important :)
from vienna-rss.
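An added example, not part of the thread or of Vienna's code: a small filter that reads `codesign -dvv` output such as the report quoted above and labels the signer from its `Authority=` chain. The label names and the two samples marked as constructed are assumptions of this example.

```shell
#!/bin/sh
# Triage the signer shown by `codesign -dvv`. codesign writes this report
# to stderr, so on a Mac pipe it in like this:
#   codesign -dvv "Some.app" 2>&1 | classify_signature
# Authority= lines are certificate names as displayed (leaf first, root
# last); they are not verified here, so this is triage, not a trust decision.
classify_signature() {
    awk '
        /not signed at all/ { unsigned = 1 }
        /^Signature=adhoc/  { adhoc = 1 }
        /^Authority=/       { sub(/^Authority=/, ""); auth[++n] = $0 }
        END {
            if (unsigned)    print "unsigned"
            else if (adhoc)  print "adhoc"
            else if (n == 0) print "unknown"
            else if (n == 1) print "self-signed"   # leaf is its own root
            else if (auth[n] != "Apple Root CA") print "third-party-ca"
            else if (auth[1] ~ /^Developer ID Application: /) print "developer-id"
            else             print "apple-other"
        }
    '
}

# Lines taken from the report quoted in the thread (Notational Velocity).
sample_from_thread() {
    cat <<'EOF'
Identifier=net.notational.velocity
Signature size=1677
Authority=Notational Velocity
Signed Time=01/04/2011 2:41:20 PM
EOF
}

# Constructed sample: chain layout of a Developer ID signature.
sample_developer_id() {
    cat <<'EOF'
Identifier=com.example.constructed
Authority=Developer ID Application: Example Developer
Authority=Developer ID Certification Authority
Authority=Apple Root CA
EOF
}

# Constructed sample: a chain that ends in a non-Apple root.
sample_third_party() {
    cat <<'EOF'
Authority=Example Software Ltd
Authority=Example Code Signing CA
Authority=Example Root CA
EOF
}
```

On Mountain Lion the Gatekeeper verdict itself comes from `spctl --assess -vv Some.app`; this filter only summarises who the report says signed the bundle.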
I found a bunch of unsigned apps that work just fine with gatekeeper on - and after significant confusion I've figured out why.
You know how when apps are downloaded, it prompts you to allow them to execute on first load? This is now the gatekeeper flag. If you disable gatekeeper, load the app (accepting the prompt) and then re-enable gatekeeper, the unsigned app is still allowed to run.
I proved this by downloading a fresh copy of Vienna and extracting it twice. After loading one with gatekeeper off, gatekeeper allows it but blocks the other copy.
from vienna-rss.
Yes, testing is tricky with this Gatekeeper ACL. Glad you found a reliable method.
Can you test with this ViennaBeta build ? https://github.com/downloads/barijaona/vienna-rss/ViennaBeta3.0b.2815.zip
from vienna-rss.
Sadly it's still reporting it as an unidentified developer :(
from vienna-rss.
If your application is not signed with a Developer ID certificate issued by Apple, it will not launch on systems that have this security option selected.
from vienna-rss.
aha! it's not ideal, but there is a way to get an app out of quarantine without turning off gatekeeper completely:
http://stackoverflow.com/questions/11097453/mac-os-mountain-lion-is-it-possible-to-code-sign-applications-for-gatekeeper-wi
from vienna-rss.
Just to be sure : if you install into your keychain the level 3 certum certificate (just double click the attachment downloaded by the link https://www.certum.pl/l3.crt), then redownload my build (https://github.com/downloads/barijaona/vienna-rss/ViennaBeta3.0b.2815.zip), does Gatekeeper still block running ?
from vienna-rss.
Sadly, no :(
I even tried installing it as a system certificate, no dice.
from vienna-rss.
OK. My understanding so far :
- documents or apps downloaded through a web browser get the com.apple.quarantine extended attribute : you can see it with the command xattr -l filename
- for applications signed with an Apple ID (and probably apps signed by a few specific signatories that Apple considers reliable), this attribute is automatically removed at first launch
- for unsigned applications or apps whose signature is untrusted by Apple, you can remove the attribute by right-clicking and choosing 'Open'
- removing the attribute can also be done with xattr -d -r com.apple.quarantine filename
Can you confirm that ? (for instance, by downloading fresh copies of Firefox and Vienna)
from vienna-rss.
Yes, my reading of the documentation indicates gatekeeper is completely tied to quarantine. When in quarantine, unsigned apps are blocked completely; signed apps show the "are you sure" prompt similar to Lion.
If I remove quarantine from ViennaBeta.app manually, it loads without a problem.
After loading FireFox the quarantine attribute is still attached even though I am no longer prompted when opening it. Maybe there's a database of accepted apps somewhere (this would make sense, since developer certs can be revoked).
from vienna-rss.
So, does the build of ViennaBeta I signed prompt a warning and run normally afterwards ? What is displayed ?
from vienna-rss.
If I use xattr to remove quarantine, it doesn't prompt at all. If I leave quarantine enabled it is blocked from running unless I right click -> open.
The dialogs look like this:
https://skitch.com/thespyder/ee7ur/beta-blocked
https://skitch.com/thespyder/ee7uk/beta-right-click-open
from vienna-rss.
Signing with a non Apple ID signature is better than nothing... I'll publish a build with a Certum certificate, until someone gets an Apple ID
from vienna-rss.
Solved as of build 2817, which is signed with an Apple ID.
from vienna-rss.