View Issue Details

ID: 0006846
Project: ardour
Category: bugs
View Status: public
Last Update: 2016-04-20 02:02
Reporter: mike-overtonedsp
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: Mac OS X
OS: Mac OS X
OS Version: v.10.11
Product Version: 4.7
Summary: 0006846: Mac OS 'ready-to-run' packages from ardour.org are not signed
Description:
Ardour for Mac OS X downloaded from ardour.org fails to run with the default security settings, giving the error "Ardour4 can't be opened because it is from an unidentified developer". Reducing security settings to minimum "run anything" allows Ardour to run successfully, however to new users the message will be cause for concern or worse, as it is very uncommon for recent applications / installers for Mac not to be signed.

Steps To Reproduce:
Download Ardour for Mac from ardour.org - drag Ardour to the applications folder as directed by the dmg. Try to launch Ardour.

Tags: No tags attached.

Activities

x42

2016-03-28 21:49

administrator   ~0018088

Last edited: 2016-03-28 21:54

This is a won't fix.

There are no plans to purchase an Apple developer license nor to accept the conditions for doing so (I'm not even sure if they're compatible with the GPL, the AppStore for sure is not).

The email sent to users who download Ardour/OSX binaries includes the same message as http://nightly.ardour.org/list.php#osx

"Note: The application is not digitally signed. On Yosemite, right-click (or control + click) and select Open the first time to launch it."

PS. the same is true for Ardour derivatives.

mike-overtonedsp

2016-03-28 22:08

reporter   ~0018089

I think it's possible to use any SSL code-signing cert to sign a binary / application such that it passes gatekeeper etc. I think the Apple developer license and associated conditions become more stringent specifically when submitting apps to their App store (which is entirely understandable, it's their store / platform). There's something slightly incongruous about distributing an application, and in this case a commercial one (because you pay for the download) targeted at a (proprietary) platform, and yet refusing to abide by the terms and conditions required to do so (which is effectively the current stance of the Ardour devs, by refusing to join Apple's developer program), and by implication the same could be true of applications derived from Ardour.

x42

2016-03-29 18:56

administrator   ~0018092

Signing itself is easy. The issue is that one does need an Apple Certified Identity: https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html and all the strings attached to it.

What benefit is there to a user? It means nothing other than "the developer paid Apple's yearly tax". You can just as well sign malware. We provide sha1sum and md5sum to verify integrity. GPG signatures are an option.
For Ardour developers there's no benefit either. We have no use for anything that the Apple developer program offers.

Granted it's not very "professional" to sell unsigned binaries and ask a user to right-click once (OSX remembers the choice).
But given the thousands of clicks a user will do in Ardour, that's negligible. So far nobody has brought this issue to our attention (also not with Mixbus).

I also don't see how this is incongruous. What are those terms and conditions that you allude to which we refuse for distributing an unsigned binary? Why does "commercial" make a difference here?
Quite the opposite: Why should we charge users an extra amount which goes to Apple if they already paid for a MacBook?

Anyway since Ardour is GPL licensed everyone interested can sign it.
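The checks x42 lists above (sha1sum/md5sum for integrity, a GPG signature for authenticity) and the Gatekeeper state behind the "unidentified developer" dialog, as an added shell example that is not part of this thread or of Ardour's release tooling. The file name Ardour-4.7.dmg, the checksum line and the function names are assumptions; sha1sum/shasum, gpg, codesign, spctl and xattr are the real tools, and the macOS ones only run on macOS.

```shell
# Added example, not Ardour's release tooling. Assumed: checksum lines in the
# format sha1sum/md5sum print ("<hex>  <filename>"); the dmg name is made up.

# sha1_of FILE: print the SHA-1 hex digest. coreutils sha1sum on Linux,
# shasum (Perl) on macOS, where sha1sum is usually absent.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 1 "$1" | cut -d ' ' -f 1
    fi
}

# verify_checksum FILE EXPECTED_HEX
# Exit 0 when the digest matches, 1 otherwise. A match proves only that the
# bytes are the ones the published line describes: whoever can replace the
# download on the server can replace the checksum next to it, and SHA-1 and
# MD5 are no longer collision resistant. This is integrity, not authenticity.
verify_checksum() {
    actual=$(sha1_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# verify_checksum_line FILE "<hex>  <filename>"
# Same check, fed the raw line copied from the download page.
verify_checksum_line() {
    hex=${2%% *}
    verify_checksum "$1" "$hex"
}

# verify_signature FILE FILE.asc
# Authenticity: a detached OpenPGP signature checked against a key the
# verifier already trusts, obtained out of band (the web of trust x42
# describes). Exit 2 if gpg is not installed.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$2" "$1"
}

# gatekeeper_report APP_BUNDLE (macOS only)
# Shows why Gatekeeper refuses the bundle: no Developer ID signature, plus the
# quarantine attribute the browser sets on the download (inherited by an app
# dragged out of the dmg). Right-click > Open records an exception for that
# bundle; "xattr -d com.apple.quarantine APP" has the same effect from a shell.
gatekeeper_report() {
    command -v spctl >/dev/null 2>&1 || { echo "not macOS" >&2; return 2; }
    codesign -dv --verbose=2 "$1" 2>&1 || true      # unsigned: "code object is not signed at all"
    spctl --assess --type execute --verbose "$1" 2>&1 || true   # unsigned: "rejected"
    xattr -p com.apple.quarantine "$1" 2>/dev/null || echo "no quarantine attribute"
}
```

Typical use on a Mac after the download: `verify_checksum_line Ardour-4.7.dmg "<line from the download email>"`, then `verify_signature Ardour-4.7.dmg Ardour-4.7.dmg.asc` if a signature is published, and `gatekeeper_report /Applications/Ardour4.app` to see the unsigned state the report describes. Only the signature step tells you who produced the file; the checksum alone cannot.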

mike-overtonedsp

2016-03-29 19:40

reporter   ~0018094

Last edited: 2016-03-29 19:48

The reason I thought it incongruous was that it seemed as if it was being held up as a matter of *principle* that you would *never* agree to Apple's terms - and I thought that was at odds with shipping an application for their platform. In the same way that I wouldn't ship applications for linux if I had some deep aversion to GPL / open source (I don't, I don't have any view on it other than it just doesn't suit my business model).
But to the original issue - the reason for signing (as you have mentioned) is to guarantee the authenticity (better, and more robustly than MD5 hash etc). If I buy a binary of Ardour from ardour.org, all I know is that I have something which came from ardour.org. I don't know (and neither do you) that my download is the code you intended to ship (and not something pretending to be Ardour) - If I'm going to run it on my machine, I feel more secure about doing so if I know it's the exact binary which you intended to ship. That's the integrity which code signing guarantees, and the reason why Apple switch on the requirement by default.
I'm only referring to binaries which are built / distributed from ardour.org - of course signing doesn't apply if the user builds the program from source, just as it doesn't (yet) for any other application they may write / build on their own machine.
Code signing doesn't guarantee that malware hasn't been *intentionally* signed and shipped (as you say, you can code sign malware) but, in that instance a certificate can be revoked.

x42

2016-03-29 20:46

administrator   ~0018096

Well, eventually the person or persons who release Ardour (currently Paul) has to decide what to do.

While Apple can revoke certificates, I doubt it happens timely enough (at the very least it requires an online connection or an OS update for offline users) nor can one easily find out what the criteria are.

Trust which can be bought sounds like a very bad idea to me, even worse if that trust relationship is subject to some unknown rules established by a proprietary company. One should think twice before aiding to proliferate this concept.

In Ardour's case it would not even guarantee the authenticity of Ardour. Anyone can sign up with the name "Ardour Inc" on the Apple developer program as long as that name is not yet taken.

I very much support code signatures to prove authenticity, down to reliable reproducible binary matched builds (we're not quite there for Ardour). But both Apple's Signatures as well as Windows publisher-control are just a farce, both technically and conceptually: A web of trust is built not bought. A PGP/GPG chain leading back to Paul signed by persons who know him personally is one of the few viable ways to establish trust.

Back in reality the issue at hand is educating users to right-click > open Ardour once. And be careful what they click on regardless if signed or not.

mike-overtonedsp

2016-03-29 23:25

reporter   ~0018097

FYI You can't just 'buy trust' from Apple (or any other CA) - when you buy a code signing certificate from a CA, if you do so as an individual you can only do so in your own name (not for example 'Ardour Inc') and you have to submit legal proof of your identity. Or, if you do so as a company, you have to submit legal proof that it is a real company, and of your own id, and your entitlement to act in the required capacity on behalf of that company. That's the 'web of trust' in this case and in effect a declaration of your legal liabilities. My reason for pressing this issue is that it protects both Paul (and / or his company) and anyone purchasing the software from his site. Yes you can educate people to be careful what they 'right click' on (although actually you're educating people to ignore a security feature), but the fact remains that if it's not signed I can be as careful as can be, and might think I'm about to run Ardour - which I trust - but I don't know if it really is (and not malware) until I have actually run it (and possibly suffered loss / damage as a result).

paul

2016-04-20 02:02

administrator   ~0018152

It is not true that I have not joined Apple's developer program. I have. Years ago.

That is totally orthogonal to the certificate issue. I have still not decided what to do about this.

I do not agree that the Apple certificate provides any protection whatsoever for me or anyone else, except users. That's the one argument in its favor. But it still isn't as good as a certificate/CoT that is independent of Apple.

As for the stuff about companies ... not sure about the law in the UK or EU, but here in the US I am a "sole proprietor" which means I have no limited liability and thus there is no difference between doing something as "Paul Davis" or "Linux Audio Systems".

Ardour is distributed under the GPL which explicitly disavows warranties. I have never heard of any case brought against any GPL'ed software. For that matter, I have not heard of any case brought against someone whose site was hacked and people downloaded malware (or worse) from it. All in all, I am pretty dubious about arguments based on "protection".

Issue History

Date Modified Username Field Change
2016-03-28 21:41 mike-overtonedsp New Issue
2016-03-28 21:49 x42 Note Added: 0018088
2016-03-28 21:54 x42 Note Edited: 0018088
2016-03-28 22:08 mike-overtonedsp Note Added: 0018089
2016-03-29 18:56 x42 Note Added: 0018092
2016-03-29 19:40 mike-overtonedsp Note Added: 0018094
2016-03-29 19:48 mike-overtonedsp Note Edited: 0018094
2016-03-29 20:46 x42 Note Added: 0018096
2016-03-29 23:25 mike-overtonedsp Note Added: 0018097
2016-04-20 02:02 paul Note Added: 0018152