Posted to issues@openoffice.apache.org by bu...@apache.org on 2014/08/06 01:24:49 UTC

[Issue 125360] New: Request Apache Open Office Install package is signed with an Apple Developer ID

https://issues.apache.org/ooo/show_bug.cgi?id=125360

          Issue ID: 125360
        Issue Type: DEFECT
           Summary: Request Apache Open Office Install package is signed
                    with an Apple Developer ID
           Product: Installation
           Version: 4.1.0
          Hardware: Mac
                OS: Mac OSX, all
            Status: UNCONFIRMED
          Severity: major
          Priority: P3
         Component: ui
          Assignee: issues@openoffice.apache.org
          Reporter: svrusho@us.ibm.com

I request that this report not be closed as a dup of 121478. I think the
concurrence to close 121478 was in error. Let me elaborate:

Installation packages for the Mac should be signed with an Apple signing ID
regardless of how or where they are distributed. Apple provides various
certificates through the Apple Developer account. Specifically 4 types of
IDs are provided (2 for Mac App store distribution and 2 for outside the store).
The one you use depends on whether your package is flat or a bundle type and
where you are distributing.

This request is for the following:
1) Ensure Apache org has an Apple Developer Account. If not, I encourage you to
pay the $99 to get one
2) Request a "Developer ID Application" through the Apple developer member
center. You will need this one since Apache Open Office is a bundle not a flat
package. If flat, you would request "Developer ID Installer".
3) Sign the package with "Developer ID Application" in OS X 10.9 or above. This
can be scripted with the Codesign Utility and I encourage you to make it part
of your build process. You can also do this manually through Xcode. You must
use OS X 10.9 or above due to the certificate levels becoming obsolete from
earlier OS X versions.

After doing the above, when anyone downloads Open Office and runs it in OS X
10.8 and above, there will be no prompt about missing signature and you won't
have to direct users to the unsafe practice and workaround referenced in the
Apple technical doc to lower security or trust certain packages.

-- 
You are receiving this mail because:
You are the assignee for the issue.
You are watching all issue changes.
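
Step 3 of the request above as a scripted build gate, given as an added example that is not part of the original thread or of the Apache OpenOffice build. The bundle path and identity string are placeholders; the script assumes nested code inside the bundle is already signed and fails closed if verification or the Gatekeeper assessment does not pass.

```shell
#!/bin/sh
# Added example: sign a macOS .app bundle with a Developer ID Application
# identity, then refuse to continue unless the result verifies.
# Bundle path and identity are placeholders, not values from the project.

# run CMD...: execute the command, or only print it when DRY_RUN=1
# (dry-run lets the gate be reviewed on a machine without codesign).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sign_and_verify APP IDENTITY
# Returns 0 only if signing, strict verification and Gatekeeper all pass.
sign_and_verify() {
    app=$1
    identity=$2
    # A bundle needs a "Developer ID Application" identity; the
    # "Developer ID Installer" identity is for flat packages.
    case $identity in
        "Developer ID Application:"*) ;;
        *) echo "refusing: not a Developer ID Application identity" >&2
           return 2 ;;
    esac
    # Sign the outer bundle with a secure timestamp.
    run codesign --force --timestamp --sign "$identity" "$app" || return 1
    # Verify the whole bundle, including nested code; an unsigned or
    # modified nested component fails the build here.
    run codesign --verify --deep --strict "$app" || return 1
    # Ask Gatekeeper whether it would allow the app to launch.
    run spctl --assess --type execute "$app" || return 1
}

# Stand-alone use: ./sign.sh OpenOffice.app "Developer ID Application: ..."
if [ "$#" -eq 2 ]; then
    sign_and_verify "$1" "$2"
fi
```

Run with `DRY_RUN=1` to print the three commands without executing them.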

[Issue 125360] Request Apache Open Office Install package is signed with an Apple Developer ID

Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=125360

--- Comment #3 from Rob Weir <ro...@apache.org> ---
We've had a lot of discussion on this. The issue is not money. Companies
generally are happy to donate things like this to Apache. The issue is more of
security. We need a way to ensure that only officially approved and reviewed
code is signed. But we also need to ensure that the signing key is protected.
There is also a big distaste for having a single Apache wide key that, if
compromised, would make a mess of many projects. And we need to do this in a
decentralized way. And considering the prominence of this application (over
125 million downloads of Apache OpenOffice) we assume that any automated system
we set up for this purpose would be a prestige target for hackers.

This is a question for Windows as well as Mac users, since code signing is used
on both platforms.

We think we have a way of doing this now for Windows at least as described in
this blog post from the Apache Infrastructure team:

https://blogs.apache.org/infra/entry/code_signing_service_now_available

Of course, integrating this into the build system will require some work.
Extending it to future Mac signing will require more investigation as well
as build work.

So, although progress is slow, we're making progress.

We should probably close this issue as RESOLVED/NOTABUG. Follow up
discussion, please, to the mailing list dev@openoffice.apache.org.


[Issue 125360] Request Apache Open Office Install package is signed with an Apple Developer ID

Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=125360

Andrea Pescetti <pe...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |pescetti@apache.org
         Resolution|---                         |NOT_AN_ISSUE

--- Comment #4 from Andrea Pescetti <pe...@apache.org> ---
For the record: we are now fully ready for the Windows version, the Mac version
needs a different setup which has legal implications. See
https://issues.apache.org/jira/browse/LEGAL-174 for the last things to be
fixed, but we are very close to getting it done too.

Marking RESOLVED/NOT_AN_ISSUE, and please follow the link above for more
information.


[Issue 125360] Request Apache Open Office Install package is signed with an Apple Developer ID

Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=125360

--- Comment #2 from Scott Vrusho <sv...@us.ibm.com> ---
From Wikipedia on Apache Software Foundation:

Financials
In the 2010–11 fiscal year, the Foundation took in $539,410, almost entirely
from grants and contributions with $12,349 from two ApacheCons. With no
employees and 2,663 volunteers, it spent $270,846 on infrastructure, $92,364 on
public relations, and $17,891 on two ApacheCons.

If the $99 isn't within the budget of the Apache Software foundation, I would
be happy to solicit my company for a contribution to cover the cost.


[Issue 125360] Request Apache Open Office Install package is signed with an Apple Developer ID

Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=125360

oooforum <oo...@free.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |oooforum@free.fr

--- Comment #1 from oooforum <oo...@free.fr> ---
(In reply to Scott Vrusho from comment #0)
> I encourage you
> to pay the $99 to get one
Well, AOO is free of charge. Where to find the money?


[Issue 125360] Request Apache Open Office Install package is signed with an Apple Developer ID

Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=125360

John Walicki <wa...@us.ibm.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |walicki@us.ibm.com


[Issue 125360] Request Apache Open Office Install package is signed with an Apple Developer ID

Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=125360

sarae <sa...@verizon.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |saraewa35@verizon.net
