Re: signing Racket releases for Mac OS X

John Clements

Oct 18, 2015, 1:01:05 PM
to Racket Developers, Ryan Culpepper, Matthias Felleisen, Robby Findler, Jay McCarthy, Eli Barzilay, Sam Tobin-Hochstadt, Matthew Flatt

> On Jan 10, 2013, at 3:28 PM, John Clements <clem...@brinckerhoff.org> wrote:
>
> I don't know why Matthew wasn't cc:'ed on this, I've added him. Perhaps this should just go to dev?
>
> On Jan 10, 2013, at 2:23 PM, Ryan Culpepper wrote:
>
>> I'm told that the Mac OS X default security policy has changed (as of 10.8) to disallow running unsigned software, so it looks like we need to start signing Racket releases.
>>
>> Eli: Can you work out how to include signing in the build/release process? I believe John (cc'd) has the information for PLT Apple Developer account, which may be sufficient to get a signing key; otherwise we'll need to acquire one.
>
> I've just logged in as 'plt', and skimmed a long presentation:
>
> http://developer.apple.com/devcenter/download.action?path=/wwdc_2012/wwdc_2012_session_pdfs/session_702__gatekeeper_and_developer_id.pdf
>
> (I don't know if you can hit that URL without logging in to the developer center.)
>
> The gist of it seems to be this: Although Apple would much rather have you use the App Store, there is something called "Developer ID" which allows you to sign and distribute your own stuff. It looks like it uses standard certificate signing stuff; that is, you submit a "this is my signature" certificate to Apple, and they sign it for you, and then you can distribute it with your code to prove that this is your signature, and then also attach the signature for the code.
>
> There are a bunch of command-line tools that can help with this:
> codesign
> spctl
> csreq
> productsign
> xip
>
> If I understand correctly, however, you have no choice but to fork over $99 / year to join the Apple Developer Program in order to have them sign your certificate.
>
> I believe it's possible to circumvent the whole signature mess… if you instruct users on how to dig into the innards of OS X to disable code signing. In other words, that's a major obstacle for normal users.
>
> Anyone who wants the 'plt' password should let me know, and I'll hand it over. Naturally, it would be almost as simple just to create another "p...@racket-lang.org" developer account; for all I know, someone may already have done this.
>
> John Clements
>

It’s now 2015, and in Yosemite, it’s quite unpleasant to double-click on DrRacket. You get a nasty dialog, and Racket winds up looking like malware.

Can we consider signing the 6.3 release?

(Apologies if my e-mail search has missed something significant since 2013…)

John

Matthew Flatt

Oct 18, 2015, 1:29:31 PM
to John Clements, Racket Developers, Ryan Culpepper, Matthias Felleisen, Robby Findler, Jay McCarthy, Eli Barzilay, Sam Tobin-Hochstadt
At Sun, 18 Oct 2015 13:01:00 -0400, "'John Clements' via Racket Developers" wrote:
> Can we consider signing the 6.3 release?

We started signing the Racket executables for Mac OS X as of version
6.0. Unfortunately, Apple changed requirements for application signing
over the summer, and we didn't manage to adapt the build in time for
the v6.2.1 release. We have adapted the build for the upcoming v6.3
release.

We also expect to sign the Windows installers with this release. We're
currently in the process of obtaining a certificate.

John Clements

Oct 18, 2015, 3:04:00 PM
to Matthew Flatt, Racket Developers, Ryan Culpepper, Matthias Felleisen, Robby Findler, Jay McCarthy, Eli Barzilay, Sam Tobin-Hochstadt
Ah! my mistake. I’m very glad to hear this.

John


