Signed Builds #179

Closed
3Samourai opened this issue Aug 2, 2024 · 20 comments

@3Samourai

In some companies and startups, including mine, it's not possible to install unsigned apps. It would be great to have signed builds available to replace Firefox and Chrome.

@PF4Public
Contributor

Might be what you're looking for, but please note that notarized binaries are prepared and submitted by a volunteer: #63 (comment)

@3Samourai
Author

Looks good, it would be great if the ungoogled group did it rather than a volunteer.

@networkException
Member

We don't have a legal entity nor the funds so it'd have to be a contributor with their personal account in any case sadly

@lakdif

lakdif commented Aug 2, 2024

> Looks good, it would be great if the ungoogled group did it rather than a volunteer.

The people behind the team you call the "Ungoogled Group" are all volunteers, so it makes no real difference :)

Since the Apple developer signature to sign apps is just a $99/year barrier, not really a "security measure" for a determined supply-chain attacker, I don't particularly trust it alone - I just quickly review each main release and the macOS version for "unusual" stuff, which as we know from the XZ story can unfortunately happen.
So far everything was ok, and @claudiodekker just adds the Apple signature and no other code modifications to the .dmg

@Cubik65536
Member

Cubik65536 commented Aug 3, 2024

Just a quick update on this, I am planning to publish an iPad app in the next few months, and I will purchase an Apple developer license if everything goes according to the plan.

However, that app will also be a FOSS product, which means that I personally would like to raise funds as much as possible via sponsors (like the GitHub one) as I won't gain much profit out of these apps.

So, as I am currently the maintainer of Ungoogled-Chromium macOS, if you do prefer this way, and you're interested, maybe consider sponsoring so we can get rid of the fund issue. (I still cannot guarantee any result or timeline because I just can't predict how this will go).

But, as @lakdif mentioned, all members in Ungoogled-Software, despite having this "Member" title, are all still just volunteers, and there's still no real difference between a signed release from me, or anyone else.

@claudiodekker

claudiodekker commented Aug 3, 2024

@Cubik65536 That's great news! Shouldn't be much effort to copy/paste my actions and make them more "official" as well in that case!

Just a recommendation, though: set it up on a new (separate) Apple ID, so it's all not bound to your personal data, and if for whatever reason the account gets terminated someday, you don't necessarily risk your own iCloud stuff like photos etc. Additionally, it reduces the risk associated with setting up an automated signing flow on GitHub Actions and credentials somehow leaking by accident, some future exploit, or whatever else might happen (in theory; that's a risk I'm currently running).

In either case, let me know if you need any help with this, but just to give you a bit of a head start: this article is what I based my actions on

@3Samourai
Author

> Just a quick update on this, I am planning to publish an iPad app in the next few months, and I will purchase an Apple developer license if everything goes according to the plan.
>
> However, that app will also be a FOSS product, which means that I personally would like to raise funds as much as possible via sponsors (like the GitHub one) as I won't gain much profit out of these apps.
>
> So, as I am currently the maintainer of Ungoogled-Chromium macOS, if you do prefer this way, and you're interested, maybe consider sponsoring so we can get rid of the fund issue. (I still cannot guarantee any result or timeline because I just can't predict how this will go).
>
> But, as @lakdif mentioned, all members in Ungoogled-Software, despite having this "Member" title, are all still just volunteers, and there's still no real difference between a signed release from me, or anyone else.

It's great to hear about your plans to sign the app more officially! It's best for security and preventing binary alterations. Regarding donations, I understand the challenges of funding open-source projects, and I’ll definitely consider sponsoring to support your efforts.

As for your Apple account, I agree with @claudiodekker — you should use a separate account rather than your personal one. I've had issues with the App Store myself, having been unable to use it for three days due to an Apple reviewer.

Anyway, good luck with your app!

Totally off-subject, but how do you create the Memoji with the WWDC sticker?

@Cubik65536
Member

Cubik65536 commented Aug 3, 2024

> It's great to hear about your plans to sign the app more officially! It's best for security and preventing binary alterations. Regarding donations, I understand the challenges of funding open-source projects, and I’ll definitely consider sponsoring to support your efforts.
>
> As for your Apple account, I agree with @claudiodekker — you should use a separate account rather than your personal one. I've had issues with the App Store myself, having been unable to use it for three days due to an Apple reviewer.
>
> Anyway, good luck with your app!

Thanks for your suggestion and support!

> Totally off-subject, but how do you create the Memoji with the WWDC sticker?

You can first create a Memoji, set it as the avatar for your Apple account, download it (I do remember that there's a way of downloading the avatar), and then photoshop LOL.

@erwin

erwin commented Aug 8, 2024

> planning to publish an iPad app
> will purchase an Apple developer license

Donating $99 / year in addition to all of the time you've been donating.

> would like to raise funds as much as possible via sponsors (like the GitHub one)

Since Apple makes it impossible for you to publish an app for free without payment to Apple, I think you should REQUIRE that Apple users donate to you to fund your developer license.

Once 99 or more users have paid $1 for their annual subscription, if you want to make it free for others...

Everyone would LIKE to "raise as much as possible via sponsorship/donations" however you should research this topic deeply to see for yourself if that's the actual outcome you can expect, rather than just the outcome that people hope for.

@ansoni-san

ansoni-san commented Aug 8, 2024

What would be the avenue for donation? I think many of us that use and/or fork this project would be happy to do that (at least I like to think so).

@Cubik65536
Member

> What would be the avenue for donation? I think many of us that use and/or fork this project would be happy to do that (at least I like to think so).

GitHub Sponsors would be the best. If you’d like to use some payment methods that are not supported by GitHub, Buy me a Coffee is also an option.

They are under my name not ungoogled-chromium unfortunately, but all sponsor records (i.e. who’s sponsoring) will be public unless you choose to make it private. And you can leave a message specifying that it is for Ungoogled-Chromium, so I will be able to publish a list of sponsors with the specific amount of donation in this repo.

@Cubik65536
Member

> What would be the avenue for donation? I think many of us that use and/or fork this project would be happy to do that (at least I like to think so).
>
> GitHub Sponsors would be the best. If you’d like to use some payment methods that are not supported by GitHub, Buy me a Coffee is also an option.
>
> They are under my name not ungoogled-chromium unfortunately, but all sponsor records (i.e. who’s sponsoring) will be public unless you choose to make it private. And you can leave a message specifying that it is for Ungoogled-Chromium, so I will be able to publish a list of sponsors with the specific amount of donation in this repo.

I plan to make an announcement about this in the next release note, would that be okay? /cc @networkException

@networkException
Member

Yes, I'd say that's fine. I also have ungoogled on my sponsor page technically

@Cubik65536
Member

Good news! We got enough funds for the Apple Developer Program fee (#184). I am waiting for payouts. Expect notarized Ungoogled-Chromium macOS to come in mid-to-end October!

@Cubik65536
Member

I will delay the release of macOS 130.0.6723.44 (the one that should move to stable Oct 15th, see ungoogled-software/ungoogled-chromium#3057) a bit... and it will be the first signed release.

Apple is processing my Developer Account payment.

@Cubik65536
Member

Cubik65536 commented Oct 15, 2024

I'll reopen this for now and use this to track progress and publish progress updates.

Cubik65536 reopened this Oct 15, 2024
Cubik65536 pinned this issue Oct 15, 2024

@Cubik65536
Member

Cubik65536 commented Oct 26, 2024

https://github.com/ungoogled-software/ungoogled-chromium-macos/releases/tag/130.0.6723.58-1.1 is released and we have notarized builds!

@claudiodekker

Congratulations @Cubik65536! I've archived my repository/builds, and have updated the readme to point here instead 👍

@danilokleber

That's great news! Would it be possible to get notarized builds via the Homebrew cask?

@Cubik65536
Member

> That's great news! Would it be possible to get notarized builds via the Homebrew cask?

The Homebrew builds should already be notarized.
