Add macOS signing changes

[emlynmac]

In order to give Mac users a better install experience, I've modified the build script to have an optional signing step, using:
./mac/deploy_mac.sh -s <cert_name>

#1851 for more details.

For now, I'll build the signed version manually otherwise we need to figure out a secure means to store the certificate / private key that I use to sign it.

[ann0see]

Thank you very much! See my comments.

[softins]

What would be the cost of obtaining such a certificate specifically for the Jamulus project?

[emlynmac]

What would be the cost of obtaining such a certificate specifically for the Jamulus project?

You'd need to join the apple dev program at an annual cost and then create the certs. From what I can tell, someone has already used the id somewhere in the apple ecosystem - which is why I changed it to io.jamulus.*

[ann0see]

I think it’s $99/year?

[emlynmac]

I think it’s $99/year?

Yup, US is my understanding. If you set that up then I can do the rest for you.

[ann0see]

I think there was a discussion about the financial part in the iOS post? But as soon as money gets involved, the project might have a different legal status. I‘m not sure what this means for us as I‘m not a lawyer. We‘re all from different countries so it might be even more complicated.

[softins]

You'd need to join the apple dev program at an annual cost and then create the certs. From what I can tell, someone has already used the id somewhere in the apple ecosystem - which is why I changed it to io.jamulus.*

The one with llcon in it would most likely have been Volker, sometime in the past. The name was changed from llcon to Jamulus in 2013, from what I can see, but the llcon part lived on, maybe to do with SourceForge. All before my time!

[softins]

I think there was a discussion about the financial part in the iOS post? But as soon as money gets involved, the project might have a different legal status. I‘m not sure what this means for us as I‘m not a lawyer. We‘re all from different countries so it might be even more complicated.

Yes, I’m not sure either. I’ve had several requests to donate from people who are so grateful for Jamulus. We already need to fund the jamulus.io domain. Needing a Mac cert too would probably make it worthwhile getting something set up? But there must be other projects that have trodden this path already.

[emlynmac]

You can have open-source projects and money involved. Ubuntu is a great example.
What I can offer is essentially a means to sign the app using my corporation certificates, at no cost to the jamulus project. I contribute to it and use it regularly to jam, so I'm quite vested in having it work properly.

In terms of getting it all automated with the build script, I think there's a way to do that too - I'll be digging into that with GitHub.

[ann0see]

Of course commercial and FLOSS do work together. Paying for certs, hosting,… is ok and totally valid. But I strongly object

1. Making Jamulus proprietary (that’s covered by the GPL)
2. Introducing any "Pro" only features
3. Making the user feel that he must donate to have benefits in any terms
4. Weakening the community and voluntary spirit of Jamulus

But that’s part of #647

[softins]

Totally agree!

[ann0see]

Almost ready, I think? Did anybody already add you as contributor in the app?

[emlynmac]

Almost ready, I think? Did anybody already add you as contributor in the app?

Yes, I'm there from last time :)

I have made a couple more changes and I think we're at a good place now. I have been able to publish to the Mac App Store too, so that is ready to go. Maybe we do it with the next official release?
I can add you to the app details page on appstoreconnect.apple.com if you would like to see the metrics of downloads etc. but that requires an Apple ID to attach to.

[ann0see]

Great! Thank you. I think - to be sure and at least in parts secure - we should add something like this: https://github.com/nextcloud/ios/blob/master/COPYING.iOS to the license. Actually, I'd appreciate if at least Volker (who's not around anymore) gave his ok on the App Store publishing.

[emlynmac]

How do I rerun the failed job? I see no reason that the pushed change would cause the build to fail for windows.

[ann0see]

Just restarted it for you. Something is wrong on Windows.

C:\Users\runneradmin\AppData\Local\Temp\tmp113D.tmp.zip
41
New-Object : Exception calling ".ctor" with "3" argument(s): "End of Central Directory record could not be found."
42
At
43
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1:934
44
char:23
45
D:\a\jamulus\jamulus\windows\ASIOSDK2
46

• ... ipArchive = New-Object -TypeName System.IO.Compression.ZipArchive -Ar ...
  47

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

48
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
49
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
50

51
Move-Item : Cannot find path 'C:\Users\runneradmin\AppData\Local\Temp\ASIOSDK2.3.2' because it does not exist.
52
At D:\a\jamulus\jamulus\windows\deploy_windows.ps1:124 char:5
53

• Move-Item -Path "$TempDir\$Name" -Destination "$WindowsPath\$Dest ...
  

54

• ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

55
+ CategoryInfo : ObjectNotFound: (C:\Users\runner...mp\ASIOSDK2.3.2:String) [Move-Item], ItemNotFoundExce
56
ption
57
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.MoveItemCommand
58

[emlynmac]

Just restarted it for you. Something is wrong on Windows.

C:\Users\runneradmin\AppData\Local\Temp\tmp113D.tmp.zip
41
New-Object : Exception calling ".ctor" with "3" argument(s): "End of Central Directory record could not be found."
42
At
43
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1:934
44
char:23
45
D:\a\jamulus\jamulus\windows\ASIOSDK2
46

• ... ipArchive = New-Object -TypeName System.IO.Compression.ZipArchive -Ar ...
  47

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

48

• CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
  49
• FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
  50

51
Move-Item : Cannot find path 'C:\Users\runneradmin\AppData\Local\Temp\ASIOSDK2.3.2' because it does not exist.
52
At D:\a\jamulus\jamulus\windows\deploy_windows.ps1:124 char:5
53

• Move-Item -Path "$TempDir\$Name" -Destination "$WindowsPath\$Dest ...
  

54

• ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

55

• CategoryInfo : ObjectNotFound: (C:\Users\runner...mp\ASIOSDK2.3.2:String) [Move-Item], ItemNotFoundExce
  56
  ption
  57
• FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.MoveItemCommand
  58

Is the windows build machine missing something?

[ann0see]

I think it’s a temporary problem. Maybe it works now.

[pljones]

It must be something on this branch. #1867 is working, for example.

[emlynmac]

It must be something on this branch. #1867 is working, for example.

It was working. Then one change, unrelated to windows - 5444155 caused windows build to stop working.

[ann0see]

It works now. So the only missing things before a merge are:

1. review by someone else (main dev)
2. change log entry
3. Verification/trust questions (can be addressed after the merge

[emlynmac]

It works now. So the only missing things before a merge are:

1. review by someone else (main dev)
2. change log entry
3. Verification/trust questions (can be addressed after the merge

I added a change log entry

[emlynmac]

@ann0see Do you know or have an idea as to what is causing the GitHub jobs to be cancelled?

[emlynmac]

@hoffie @softins Are there any other issues to be resolved with this PR from your perspectives? Thanks in advance.

[softins]

@hoffie @softins Are there any other issues to be resolved with this PR from your perspectives? Thanks in advance.

I haven't looked in detail as I am currently on holiday, and not spending time on the computer.

I'm away for another week, but may get some time to look after the weekend.

[pljones]

Is there some limit of builds we've hit? Space limits?

That's all I can think of.

[ann0see]

Didn't test it yet since I don't have a signing cert. Will this work with a normal 7-day free development certificate?

[ann0see]

So should this be squash&merged or would we do a normal merge?

[emlynmac]

So should this be squash&merged or would we do a normal merge?

Best to squash I think, no need to keep the 'tween state.

[ann0see]

@softins since you have a mac available, could you please test this PR?

[softins]

@softins since you have a mac available, could you please test this PR?

Sure. Just catching up after being on holiday, so will do so over the next day or two.

[softins]

OK, I'm not sure what I'm supposed to test and see here, so this is what I've done:

1. Reading through the changes to the files. All looks sensible.
2. Checking the branch can be built locally:
   • Fetched and checked out the osx-signing branch from emlynmac.
   • Built using the script mac/deploy_mac.sh. That succeeded without issues.
   • Mounted the generated dmg and installed from it, keeping my original install too.
   • Successfully ran Jamulus 2.app and JamulusServer 2.app. So this proves the branch can still be built locally.
3. Checking the artifact built by Github Actions for the PR:
   • Went to the Checks page for the PR and downloaded the Mac artifact.
   • Mounted the downloaded dmg and installed from it, keeping the other two installs.
   • Attempted to run Jamulus 3.app and JamulusServer 3.app by double-clicking in Finder. In both cases, the Mac said "can't be opened because it is from an unidentified developer".

I had assumed that the artifact from this PR would be signed by Emlyn's certificate and would therefore run without this warning. Was I incorrect? Does the app actually need to be fetched from the App store to have its certificate recognised and bypass that warning? How can I view the signing status of an app?

[emlynmac]

Verify code sign with

‘ codesign --verify --verbose=4 deploy/Jamulus.app’

But the version built has not been signed: you need the linked version to the PR for that

[softins]

Verify code sign with
codesign --verify --verbose=4 deploy/Jamulus.app

Thanks.

But the version built has not been signed: you need the linked version to the PR for that

Maybe I didn't explain my steps well above. I did install the linked version to the PR, if you mean the one found under "Checks" and then looking for "Artifacts".

Here are my results:

Tonys-MBP:jamulus tony$ codesign --verify --verbose=4 deploy/Jamulus.app
deploy/Jamulus.app: code object is not signed at all
In architecture: x86_64

This is the one I just built, and I don't have a cert, so would expect it not to be signed.

Tonys-MBP:jamulus tony$ codesign --verify --verbose=4 /Applications/Jamulus.app
/Applications/Jamulus.app: code object is not signed at all
In architecture: x86_64

This is my installation of the 3.8.0 released dmg. Also unsigned, as expected.

Tonys-MBP:jamulus tony$ codesign --verify --verbose=4 /Applications/Jamulus\ 2.app
/Applications/Jamulus 2.app: code object is not signed at all
In architecture: x86_64

This is my installation from the dmg I built today, which is the same as deploy/Jamulus.app and won't be signed.

Tonys-MBP:jamulus tony$ codesign --verify --verbose=4 /Applications/Jamulus\ 3.app
/Applications/Jamulus 3.app: code object is not signed at all
In architecture: x86_64

This is the one I installed from the dmg listed in Artifacts for the PR as https://github.com/jamulussoftware/jamulus/suites/3031142357/artifacts/68820521. I had expected it would have been signed when Github Actions built it.

Is there something I haven't understood?

[softins]

In fact, looking more closely, I can see that although mac/deploy_mac.sh has been enhanced to accept a -s option, there is nothing in this PR that invokes that option (in autobuild/mac/artifacts/autobuild_mac_2_build.sh). Do I need to look in a different PR for the certificate to actually be used?

[ann0see]

Yes. I think @emlynmac will just sign it manually on his Mac. The only thing missing here was a functionality test - which you did.

[emlynmac]

In fact, looking more closely, I can see that although mac/deploy_mac.sh has been enhanced to accept a -s option, there is nothing in this PR that invokes that option (in autobuild/mac/artifacts/autobuild_mac_2_build.sh). Do I need to look in a different PR for the certificate to actually be used?

Correct - the change is to enable the signing. I have the certificates locally in my keychain. I had made a build with the signed assets, indeed there is a version awaiting deployment the Mac app store too.

There were some links to signed files which ann0see was looking at - but I don't see those any longer. I'm not at home today so I don't have access to my catalina Mac to do a signed build for you.

Automated signed builds will be something that I need to sort out on my GitHub account I think, but for now they're manual.

[softins]

OK, happy to approve, then. :)

[ann0see]

CHANGELOG: Enable signing of macOS binaries via build script

[ann0see]

@emlynmac could we move the Jamulus.entitlements file into the mac folder to clean up the repo root?