Sign Windows and Mac executables #2381
Thanks Jay! |
This is an issue for OS X 10.8 as well, where Gatekeeper makes it difficult to install unsigned apps. On Mac, this requires signing for the Mac developer program, getting the keys provided by Apple, and then using If we get all this figured out for Mac and Windows soon, we will put it on the 0.1 branch. Otherwise, it will be a 0.2 thing. |
I should note that our Debian packages are already signed by @sebastien-villemot. |
Here is a Microsoft blog post about code signing: |
"Windows 8 has detected that you are trying to install open-source software. Please shave and get a job." |
Shaving is not good for Julia's success: Julia does not fare well in the facial hair category, as evidenced by this picture when we visited Prof. Kahan in Berkeley: |
I'm holding up my end of the facial hair. |
@staticfloat Would it be possible to at least start signing the mac executables? Do you have an Apple Developer ID? |
We would need to sign Platypus, not Julia, interestingly enough, since it's I have a developer ID, but I don't have the "license" or whatever the paid
|
For Windows 8 signing, Mozilla has a guide on how to sign an installer from Linux: |
@staticfloat For Mac, is all that we require a paid license? If so, could you get one and we will get you reimbursed. Would be nice to ship signed binaries for 0.3 wherever we can. |
Here is an SO answer covering what we need logistically for Windows: namely, to purchase a certificate. Some notes (to myself, mostly):
|
I will sign |
That's amazing! I am marking this as 0.3, as it seems that we will be able to pull this off. |
Status update: @StefanKarpinski has started the process to procure keys for the mac. This should not block the 0.3 release, and binaries can be signed whenever the keys are available. For now, we should document how to turn off the authentication of packages on a mac on the downloads page, until we get this fixed. |
I believe mac executables are being signed now. Did we get very far with the Windows certificates from MIT? If not, I am happy to purchase one from wherever we need to. |
Hopefully the Microsoft process is no worse than the Apple one. |
@Keno were you able to get in touch with anyone at MIT about a code-signing cert from InCommon? |
I'm not really sure who to talk to. I'll ask around. |
Maybe |
I'm on it, thanks. |
In order to sign code, we need to apparently have an email server set up on julia.mit, so Ali is going to do that over the next week and then get us the code sign certs. |
Can't we just buy something from a vendor? I don't mind paying. Just an option if we need it. |
Yeah, it doesn't seem like this should depend on our ability to maintain a mail server on a particular machine. |
Ok. Just waiting for confirmation of the key details above and will buy it then. Ping @ihnorton |
@ViralBShah Other options: User-protected: require password prompt to use the cert. We probably don't want this, if we want to sign the nightlies automatically. |
I have paid - but waiting for the verification process that may take a couple of days. |
Any news about the verification? |
We got the certificate today. |
I still get a SmartScreen warning, and my understanding is that we need to build up some amount of reputation on the certificate for that to go away. |
At least now you see the |
Thanks due to @ViralBShah. I'm going to go ahead and make the signed installers the default and we'll see how it goes. |
Eagerly waiting for the signed binaries. Also, with verification done, it will be easier for us to get other things like SSL certificates and such easily too. |
Already done, the 0.3-release downloads are now signed for win32 and win64. |
What should be done in order to increase your reputation? Should many people (like us) sign your certificate? |
I do not know much about this. I know that this was the case with the Debian keyring - but does it matter for Windows code signing certificates? |
As far as I can tell the only thing we can do is wait for more people to download and install it. The Microsoft docs appear to imply that SmartScreen phones home with some info (certificates? file ids? urls?) that it uses to build the reputation score. |
OK, great. |
Looks like this certificate lasts for a year, so will need to be renewed in the next 3 weeks? |
Yeah, I'm on it. |
Awesome. Let @staticfloat know when it's renewed, I think he has to move the certificate over to the buildbots somehow. |
Bump. Certificate's expired, needs to be renewed. |
This would have been better opened as a new issue. I believe the mac certificate requires renewing right now, is that right? |
If not for the reminder here from 3 weeks ago, I would have gone with a new issue or a direct email to whoever is able to make the renewal. I don't know how long the OSX keys last for. The OSX buildbot has not been having any issues so I assume that one's still okay. |
Basically, IIRC, @StefanKarpinski did the mac certificate, and I did the windows certificate. So, just ping me if I need to do something. |
I see. Sorry, I should've been more specific, it's the Windows certificate that is expired and needs to be renewed. It's been failing for a couple days - http://buildbot.e.ip.saba.us:8010/builders/package_win8.1-x64 Once it's ready we need to ping Elliot about getting it migrated over to the Windows buildbots. The step is here https://github.com/staticfloat/julia-buildbot/blob/70571c66606fc744cf75597e1d207b5641161224/master/package_win.py#L81-L84 but I'm having a hard time finding where |
I have initiated the process for a new Windows code signing certificate. Hopefully we will have one in a couple of days. |
We need to get it up onto the buildbots somehow. @staticfloat knows how, I hope? Would be good if he could enlighten a few more of us what to do with it, if it's anything more complicated than just copying it over manually. |
Yep, send it to me and I'll load it onto the buildbots. Here's how the signing process works:
SSH access to the buildbots is somewhat difficult, partly because it's SSH-key based only, (I have a |
@staticfloat confirmed the new Windows code signing certificate works. |
Currently, the Windows 8 "Smart"Screen filter tries to protect me by preventing the Julia executables and batch files from being executed. I have not read up on this filter, but I suspect it would be less hostile if executables were signed.
Before reaching v1.0, you ought to get signing integrated into your release process.
[ViralBShah: Updated title]