Issue 125360 - Request Apache Open Office Install package is signed with an Apple Developer ID
Status: CLOSED NOT_AN_OOO_ISSUE
Alias: None
Product: Installation
Classification: Application
Component: ui
Version: 4.1.0
Hardware: Mac Mac OS X, all
Importance: P3 Major
Target Milestone: ---
Assignee: AOO issues mailing list
QA Contact:
URL:
Keywords:
Duplicates: 126267 127285 127406
Depends on:
Blocks:
Reported: 2014-08-05 23:24 UTC by Scott Vrusho
Modified: 2017-05-21 12:42 UTC

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Description Scott Vrusho 2014-08-05 23:24:49 UTC
I request that this report not be closed as a dup of 121478. I think the concurrence to close 121478 was in error. Let me elaborate:

Installation packages for the Mac should be signed with an Apple signing ID regardless of how or where they are distributed. Apple provides various certificates through the Apple Developer account. Specifically, 4 types of IDs are provided (2 for Mac App Store distribution and 2 for outside the store). The one you use depends on whether your package is flat or a bundle type and where you are distributing.

This request is for the following:
1) Ensure Apache org has an Apple Developer Account. If not, I encourage you to pay the $99 to get one.
2) Request a "Developer ID Application" through the Apple developer member center. You will need this one since Apache Open Office is a bundle, not a flat package. If flat, you would request "Developer ID Installer".
3) Sign the package with "Developer ID Application" in OS X 10.9 or above. This can be scripted with the Codesign Utility and I encourage you to make it part of your build process. You can also do this manually through Xcode. You must use OS X 10.9 or above due to the certificate levels becoming obsolete from earlier OS X versions.

After doing the above, when anyone downloads Open Office and runs it in OS X 10.8 and above, there will be no prompt about a missing signature and you won't have to direct users to the unsafe practice and workaround referenced in the Apple technical doc to lower security or trust certain packages.
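As an added example (not code from the issue report or from the OpenOffice project), step 3 of the request as a build-time script: it picks the certificate type by artifact kind, refuses a mismatched identity, signs with codesign (bundles) or productsign (flat packages), and then verifies the result the way Gatekeeper will. The identity name, team ID and artifact paths are placeholders, and it assumes OS X 10.9 or later with the Xcode command line tools and the certificate already imported into the build machine's keychain.

```shell
#!/bin/sh
# Added example (not from the issue or the OpenOffice build): sign a Mac artifact
# with a Developer ID and verify it as Gatekeeper would. Assumes OS X 10.9+ with
# Xcode tools and the cert in the build keychain; names and paths are placeholders.
set -eu

# Bundles (.app) need "Developer ID Application"; flat packages (.pkg)
# need "Developer ID Installer". Prints the required certificate prefix.
required_identity() {
  case "$1" in
    *.app) echo "Developer ID Application" ;;
    *.pkg) echo "Developer ID Installer" ;;
    *) echo "unsupported artifact: $1" >&2; return 1 ;;
  esac
}

# Refuse to sign a bundle with an Installer cert (or vice versa).
identity_matches() {
  prefix=$(required_identity "$2") || return 1
  case "$1" in "$prefix:"*) return 0 ;; *) return 1 ;; esac
}
# Sign and print the signed path; --timestamp keeps the signature valid after the cert expires.
sign_artifact() {
  identity=$1; artifact=$2
  identity_matches "$identity" "$artifact" || { echo "wrong identity type for $artifact" >&2; return 1; }
  security find-identity -v | grep -Fq "$identity" \
    || { echo "identity not in keychain: $identity" >&2; return 1; }
  case "$artifact" in
    *.app) codesign --force --deep --timestamp --sign "$identity" "$artifact" >&2
           echo "$artifact" ;;
    *.pkg) productsign --timestamp --sign "$identity" "$artifact" "${artifact%.pkg}-signed.pkg" >&2
           echo "${artifact%.pkg}-signed.pkg" ;;
  esac
}

# Check the signature, then ask Gatekeeper whether it would accept the artifact.
verify_artifact() {
  case "$1" in
    *.app) codesign --verify --deep --strict --verbose=2 "$1"
           spctl --assess --type execute --verbose=4 "$1" ;;
    *.pkg) pkgutil --check-signature "$1"
           spctl --assess --type install --verbose=4 "$1" ;;
  esac
}

# Usage: RUN_SIGNING=1 ./sign-mac.sh "Developer ID Application: Org (TEAMID)" OpenOffice.app
if [ -n "${RUN_SIGNING:-}" ]; then
  signed=$(sign_artifact "$1" "$2")
  verify_artifact "$signed"
fi
```

The RUN_SIGNING guard lets the file be sourced for its functions without signing anything.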
Comment 1 oooforum (fr) 2014-08-06 08:26:19 UTC
(In reply to Scott Vrusho from comment #0)
> I encourage you
> to pay the $99 to get one
Well, AOO is free of charge. Where to find the money?
Comment 2 Scott Vrusho 2014-08-06 13:36:10 UTC
From Wikipedia on Apache Software foundation:

Financials
In the 2010–11 fiscal year, the Foundation took in $539,410, almost entirely from grants and contributions with $12,349 from two ApacheCons. With no employees and 2,663 volunteers, it spent $270,846 on infrastructure, $92,364 on public relations, and $17,891 on two ApacheCons.

If the $99 isn't within the budget of the Apache Software foundation, I would be happy to solicit my company for a contribution to cover the cost.
Comment 3 Rob Weir 2014-11-06 16:46:54 UTC
We've had a lot of discussion on this. The issue is not money. Companies generally are happy to donate things like this to Apache. The issue is more of security. We need a way to ensure that only officially approved and reviewed code is signed. But we also need to ensure that the signing key is protected. There is also a big distaste for having a single Apache-wide key that, if compromised, would make a mess of many projects. And we need to do this in a decentralized way. And considering the prominence of this application (over 125 million downloads of Apache OpenOffice) we assume that any automated system we set up for this purpose would be a prestige target for hackers.

This is a question for Windows as well as Mac users, since code signing is used on both platforms.

We think we have a way of doing this now for Windows at least as described in this blog post from the Apache Infrastructure team:

https://blogs.apache.org/infra/entry/code_signing_service_now_available

Of course, integrating this into the build system will require some work. Extending it to future Mac signing will require more investigation as well as build work.

So, although progress is slow, we're making progress.

We should probably close this issue as RESOLVED/NOTABUG. Follow up discussion, please, to the mailing list dev@openoffice.apache.org.
Comment 4 Andrea Pescetti 2014-11-17 23:43:21 UTC
For the record: we are now fully ready for the Windows version; the Mac version needs a different setup which has legal implications. See https://issues.apache.org/jira/browse/LEGAL-174 for the last things to be fixed, but we are very close to getting it done too.

Marking RESOLVED/NOT_AN_ISSUE, and please follow the link above for more information.
Comment 5 mroe 2015-04-23 16:18:04 UTC
*** Issue 126267 has been marked as a duplicate of this issue. ***
Comment 6 oooforum (fr) 2017-01-13 13:50:35 UTC
*** Issue 127285 has been marked as a duplicate of this issue. ***
Comment 7 Marcus 2017-05-07 06:45:19 UTC
*** Issue 127406 has been marked as a duplicate of this issue. ***
Comment 8 oooforum (fr) 2017-05-21 12:42:44 UTC
*** Issue 127418 has been marked as a duplicate of this issue. ***