INTERACT FORUM

Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1]   Go Down

Author Topic: Gatekeeper, Signatures, and JRiver's Developer ID  (Read 6717 times)

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Gatekeeper, Signatures, and JRiver's Developer ID
« on: October 19, 2014, 10:15:38 am »

This comes up again and again, and I'm not surprised.  Is this on purpose?

I know, from helping a bit with the recent signature problems, that MC is signed.  However, I believe you're signing it with your regular jriver.com cert, and not with an Apple-issued Developer ID.  That's why, all along, I've had to bypass Gatekeeper to get MC to run (using the Right-Click > Open trick).  Is that right?

I just want to verify that this is your intent.  It would stink if you were trying to sign it with a Developer ID to get around this, and it isn't working for anyone, and you don't know it somehow.  As far as I can recall, I've always had to do the Right-click > Open trick to open new versions of MC since Mountain Lion introduced Gatekeeper.  I'm using the default Gatekeeper settings (which I think are good ones) on all of my Macs.

Also, assuming this is on purpose... May I ask why?

Getting a Developer ID is simple (I have one) if you are in Apple's OSX Developer Program.  Paying $100 per year seems like a very small price to pay for this, especially considering that you also get access to all of their developer documentation and Beta releases (and the forums, which are quite good).  Is it just a "true belief" and that you don't want to give Apple the right to revoke your ID?  If so, I'll shut up I guess.  I don't see how this is rational since, worst-case, if they revoke your ID, it would just make you just exactly the same as you are right now.  So, it feels a bit like "I don't want them to be able to do this bad thing to me, that they probably won't do anyway, and so I'm going to do the bad thing to myself before they get the chance."  But, there's no use arguing with "True Believers" as we know, so I'll leave it at that if you tell me this is basically why.

Or is there some other reason?

And as I said, if you DO have a Developer ID, and you are trying to use it to sign MC20 for Mac, you are failing, and have been all along as far as I can remember.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10969
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #1 on: October 19, 2014, 10:19:20 am »

Is Gatekeeper like disabled by default on a Mac (on 10.9 here)? I can install and run it just fine without any warnings whatsoever.
Personally I think requiring such a signature is stupid, but I think that about so many things that Apple does to its developers, so....
Logged
~ nevcairiel
~ Author of LAV Filters

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72541
  • Where did I put my teeth?
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #2 on: October 19, 2014, 10:22:34 am »

Amen to that.
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72541
  • Where did I put my teeth?
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #3 on: October 19, 2014, 10:24:28 am »

I know, from helping a bit with the recent signature problems, that MC is signed.  However, I believe you're signing it with your regular jriver.com cert, and not with an Apple-issued Developer ID. 
I don't buy Apple's need to create their own "certification".  I think the next step is a toll or a complete block.
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #4 on: October 19, 2014, 10:36:37 am »

Is Gatekeeper like disabled by default on a Mac? I can install and run it just fine without any warnings whatsoever.
Personally I think requiring such a signature is stupid, but I think that about so many things that Apple does to its developers, so....

Gatekeeper is enabled by default and set to the following:



If you do NOT get the following dialog every single time you launch a new build of MC on a Mac, it is because you've either turned this off on OSX, or because you've manually "trusted" JRiver's cert (which could happen as part of the development process, I'd guess, but you should be able to see it on a fresh VM or whatever).



This is what all Mac users see, essentially.  Not a great experience.

I understand how you feel from a Developer's perspective.  However, this is an extremely good user feature.  It prevents all sorts of malware common to Windows on modern versions of OSX.  Simply because the malware authors won't get a Developer ID, and if they do and distribute their crapware anyway, Apple can revoke their ID.  Yes, of course, it can be worked around by clever malware authors.  But the point is that it makes it harder to bypass, and so it rules out entire classes of "attacks".  And it isn't like these attacks are theoretical.  This includes many things that happen on Windows all the time.  A common example is "smitfraud" (fake anti-virus "scans" usually distributed through terrible web ads to people who don't understand the difference between dialogs in Web Browsers and native ones on their computer).  Before Gatekeeper, these attacks were starting to become targeted at Mac users as well.

If they set it to App Store Only by default (I do not believe they'll ever do this on the Mac), that would be crappy and I'd be up in arms right next to you.  But, these defaults are entirely reasonable, I'd say, as they protect the average users (who typically don't know how to decide if an application is trustworthy or not).  Also, if the signature process was much more onerous for Developers, I'd agree.  But, heck, it is way less than Microsoft charges for MSDN, and even a single copy of Visual Studio would cost enough to cover a Developer subscription for years and years.  We're not talking about where you have to submit to App Review like the iOS App Store.  You get the ID.  You sign and distribute the applications yourself.

So, I don't think it is too onerous.  That's really irrelevant to Apple though because given a "battle" between "what is good for the user" and "what is good for the developer", Apple will pick the former every single time (unless, of course, it conflicts with the prime directive of "what is good for Apple").
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #5 on: October 19, 2014, 10:42:04 am »

I don't buy Apple's need to create their own "certification".  I think the next step is a toll or a complete block.

Ok.  Just because you're paranoid, don't mean they're not after you, I guess.

I think you're wrong.  And, the feature has now existed and been enabled for three years, and there has not been a crazy wave of Apple revoking Developer IDs for arbitrary reasons.  They keep a much tighter lock on, and have many more rules for, the Mac App Store.  You can certainly get kicked out of there for not following their often "nanny-ish" rules.  But that's something entirely different.  I would not encourage you to go there, for a whole raft of reasons.  But, hey, it is their store, they can choose to sell what they want, I guess.

However, they have not revoked Developer IDs except in a handful of instances, which were clear cases of fraud and intentional malware distribution.  In three years.  And, as I said, you are already doing to yourself the bad thing you seem to be afraid they're going to do to you, so this seems completely illogical.

So... Thanks for confirming that it is on purpose.  It does seem to be a True Belief.  I'll leave it at that.

EDIT: One more thing, actually... We require our Mac users (via system policy) at work to keep that setting enabled as-is (and we generate our own trusted signatures for any applications we use to whitelist the occasional old abandonware apps that our scientists need to use).  This is common practice among enterprises as well.  Just saying...  You're probably leaving money on the table.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72541
  • Where did I put my teeth?
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #6 on: October 19, 2014, 10:55:11 am »

This is what all Mac users see, essentially.  Not a great experience.
Sorry, but that seems like something Apple, not JRiver, has done to users.

There is a recognized method for verifying certificates.  Apple might take advantage of it.
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #7 on: October 19, 2014, 11:08:48 am »

There is a recognized method for verifying certificates.  Apple might take advantage of it.

Right.  And the public cert revocation system works perfectly and has no problems whatsoever.  Oh, wait, except it doesn't work at all and is horribly broken.

Even many common open source applications, like VLC, are signed with a Developer ID now.

But, ok.  I don't want a fight.  I just wanted to know how to respond to user questions.

There should be a wiki page explaining then, and a stickied post pointing to it.  You could even put something in the installer "finder" window or post-mounting prompts (where the user agreement is displayed).  Otherwise many potential users won't know how to get around the error when they download the trial.  It is simple to get around, so it isn't that big of a deal, as long as you explain it.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

Awesome Donkey

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 7892
  • Long cold Winter...
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #9 on: October 19, 2014, 07:38:50 pm »

Honestly disabling Gatekeeper is the first thing I do after a clean OS X install.
Logged
I don't work for JRiver... I help keep the forums safe from "male enhancements" and other sources of sketchy pharmaceuticals.

Windows 11 24H2 Update 64-bit + Ubuntu 24.10 Oracular Oriole 64-bit | Windows 11 24H2 Update 64-bit (Intel N305 Fanless NUC 16GB RAM/500GB M.2 NVMe SSD)
JRiver Media Center 33 (Windows + Linux) | iFi ZEN DAC 3 | JBL 306P MkII Studio Monitors | Audio-Technica ATH-M50x Headphones

BartMan01

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 1513
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #10 on: October 20, 2014, 01:35:32 pm »

Honestly disabling Gatekeeper is the first thing I do after a clean OS X install.

I leave it at the default settings.  It takes a few extra seconds to bypass (alt-open) for the one or two programs where the developers haven't bothered to get a proper license.  It does annoy me when
Logged

BartMan01

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 1513
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #11 on: October 20, 2014, 01:37:09 pm »

Done:
http://wiki.jriver.com/index.php/Gatekeeper_Error_opening_Media_Center_for_Mac

And done:
http://yabb.jriver.com/interact/index.php?topic=92699.0


I thought to bypass you had to right click in Finder and then press 'alt' as you clicked on the open option.  Does it work without the 'alt' keypress and I have just be doing an extra step or did you leave that part out accidentally?
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #12 on: October 20, 2014, 02:34:22 pm »

I thought to bypass you had to right click in Finder and then press 'alt' as you clicked on the open option.  Does it work without the 'alt' keypress and I have just be doing an extra step or did you leave that part out accidentally?

It works fine without that.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

JohnT

  • Citizen of the Universe
  • *****
  • Posts: 4627
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #13 on: October 21, 2014, 09:42:48 am »

Sorry everyone.  Mavericks tightened the Gatekeeper restrictions as of 10.9.5 (released September 17th) which I believe has been causing all these problems.  I hadn't updated beyond 10.9.4 so wasn't seeing it on my machine.  Basically, 10.9.5 now matches the restrictiveness of Yosemite and we have to make a fairly major change to our build package to make it comply.  I'll try to get a fix out as soon as possible.

See this page under "Changes in OS X 10.9.5 and Yosemite Developer Preview 5":
https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG205
Logged
John Thompson, JRiver Media Center

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #14 on: October 22, 2014, 12:09:31 am »

I knew about those problems.  But, I wasn't sure... Is that why it is failing the overall Gatekeeper check right now?

I definitely remember earlier builds of MC18 failing (I commented on it, I remember).  And I feel like they always failed throughout MC19 and MC20 with Gatekeeper enabled, but I can't remember for sure.  I suppose I could make an older VM and test it...

I wasn't sure if Gatekeeper just required a valid signature (like is apparently required for other things like the Firewall configuration) or if it requires an "official" Apple Developer ID.  The documentation I read is a bit vague, though I didn't dig down through that big signing process document in super-duper detail.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

JohnT

  • Citizen of the Universe
  • *****
  • Posts: 4627
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #15 on: October 22, 2014, 07:51:11 am »

I knew about those problems.  But, I wasn't sure... Is that why it is failing the overall Gatekeeper check right now?

I definitely remember earlier builds of MC18 failing (I commented on it, I remember).  And I feel like they always failed throughout MC19 and MC20 with Gatekeeper enabled, but I can't remember for sure.  I suppose I could make an older VM and test it...

I wasn't sure if Gatekeeper just required a valid signature (like is apparently required for other things like the Firewall configuration) or if it requires an "official" Apple Developer ID.  The documentation I read is a bit vague, though I didn't dig down through that big signing process document in super-duper detail.
We have an official JRiver developer ID that we use for signing, our app just isn't "App Store Certified" but that's not required by the default Gatekeeper setting.  I think early builds of MC18 did not have the developer ID so they didn't install very gracefully.  Also, there may have been a build or two in the meantime that mistakenly went out without being signed properly, which added to the confusion.  So far, we've been creating the app bundle structure to look a lot like our Windows install layout, but now we need to completely separate code and data in the bundle to get past Gatekeeper.
On my 10.9.4 machine, our app installs just fine, but on our 10.9.5 machine, it fails with the same error other people are seeing.
Logged
John Thompson, JRiver Media Center

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #16 on: October 22, 2014, 08:42:10 am »

Okay, wow.  Thanks, John.  That's the answer I was looking for originally.

So, some of my wiki article is incorrect, and probably isn't needed at all in the long-run.  I'll get it fixed.  For now, it helps people who have the issue so I'll leave it stickied.

We have an official JRiver developer ID that we use for signing, our app just isn't "App Store Certified" but that's not required by the default Gatekeeper setting.

I never intended to mean approved for the Mac App Store.  You can't sell MC through the Mac App Store, as they require sandboxing (among other issues) which would pretty much rule MC out as even possible there.  Besides, I think that's silly for your product.  You can sell it yourself, and should.

I thought (still think, actually) you can sign your application with your own SSL Cert instead of a Developer ID, and this provides some of the benefits (and makes it easier to bypass Gatekeeper if you're a nerd and use the command line tools to trust the cert), and I thought that is what you were doing (from the conversation above).  It looks like Jim was a little mixed up about my question.

Anyway... If that's the case, totally understandable, and you're doing exactly the right thing.  I'll fix the wiki page as soon as I have a moment.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #17 on: October 22, 2014, 08:55:38 am »

Okay.  The Wiki is fixed.  This is still a useful article because it could help people who have Gatekeeper set to App Store Only, long term.  And we need something for 10.9.5 and 10.10 users until the signature issue can be fixed.

Thanks again.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

JohnT

  • Citizen of the Universe
  • *****
  • Posts: 4627
Re: Gatekeeper, Signatures, and JRiver's Developer ID
« Reply #18 on: October 22, 2014, 09:01:34 am »

Thanks Glynor!
Logged
John Thompson, JRiver Media Center
Pages: [1]   Go Up