Correct signature for macOS application and/or App Store

[putnik]

Is it possible to sign JOSM application correctly and add it to App Store?

JOSM is the only application that I have to download every time manually for the update. Since macOS Sierra I also have to disable security settings each time. It is very uncomfortable. Less experienced users just do not understand that it is necessary to do, and decide that JOSM does not work.

If Apple rules allow, at least, I would like to see the application has been correctly signed. And even better, to have been added to the App Store.

For my part, I can donate $99 to the developer subscription to Apple, to get the correct certificate.

Also posted here: ​https://forum.openstreetmap.org/viewtopic.php?id=56694

[stoecker]

What's the certificate lifetime?

If we offer a new service, we also need to think about what to do on next renewal, as very likely we will not step back from what we have ATM.

Can you link to information about what it needs?

[putnik]

I was sure that I had the Sierra, but it turned out that it was El Capitan. I updated now, and in the new version there is no way to open programs from unknown developers by default.

To enable it you need to google, find magic console command with sudo, run it, than disable all checks in preferences, and only after this you can run JOSM for first time. Probably, there is no way to make the situation even worse.

Probably, this is the correct link, but I'm not a macOS developer: ​https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html

[Klumbumbus]

Replying to stoecker:

What's the certificate lifetime?

Seems 1 year.

If we offer a new service, we also need to think about what to do on next renewal

If we really need this certificate then there is a page in the osm wiki (which I can't find anymore atm) where you can requst financial support for osm related projects. (I think it is from the OSMF.) I'm pretty sure this would be accepted as the other supported projects often requst 10 or 100 times more money than these 99$.

[Klumbumbus]

See also ​https://forum.openstreetmap.org/viewtopic.php?id=56667

[stoecker]

I now got an AppleID for JOSM and asked them if they have special conditions for free-of-charge OpenSource projects.

[andygol]

user$ brew cask install josm

Run this ☝️ command in terminal 🖥 and all your troubles concerning JOSM installation on macOS will be gone

more details - ​https://caskroom.github.io/

[Don-vip]

​Setup file is quite simple, maybe we should document this as a supported installation method.

[stoecker]

Hmm, I got a response from Apple developers support, that they aren't responsible for my request. They say to contact ​http://www.apple.com/ie/marcom/, but from them I only get an automatic answer, but no follow-up to that.

[Klumbumbus]

Replying to Klumbumbus:

there is a page in the osm wiki (which I can't find anymore atm) where you can requst financial support for osm related projects.

Found it. (was searching in the wrong wiki): ​https://www.fossgis.de/wiki/F%C3%B6rderantr%C3%A4ge

[stoecker]

I tried again to reach Apple, but till now had no success. The developer support does not know of an OpenSource sponsoring. The marketing department did not answer.

While FOSSGIS could be an option actually I personally dislike this. Apple adds some checks and now each non-profit project has to pay 100€ a year to deliver free software. I don't want to support that model really.

[bastiK]

According to the ​wikipedia page, Apple does not allow free software licensed under GPL in the app store. Not sure if it would work to just have Apple sign the app, but it feels like being taken for a fool to pay them 100€ annually but still being excluded from the store.

[Don-vip]

We should ask ​VLC. They got a long history with Apple. It appears to be on App Store but I can't find it on Mac Store. Also it is not clear if they are still using GPL license or completely switched to LGPL.

[Stereo]

I've added a workaround to the Documentation: To open JOSM for the first time, right-click on JOSM.app and confirm the opening in the pop-up dialogs. This is only necessary on the first run of JOSM.

I only ever update josm-tested.jar partly for this reason - as far as I can tell, it's JOSM.app/Contents/MacOS/JOSM that gets signed, and that runner wrapper never changes, does it? We could pay a one-off $100 fee, or have a friendly developer sign that for us, and live happy ever after?

[stoecker]

Seems Apple doesn't like OpenSource and I don't like to support that. Mac users will have to live with an unsigned app until Apple completely forbids to install free software.

[Klumbumbus]

It seems the $100 per year was removed for nonprofit organizations. ​https://developer.apple.com/news/?id=01032018a I don't know if this changes the status of this ticket or if there are still other barriers like our license.

[Don-vip]

There are restrictions:

if you’re a nonprofit organization, accredited educational institution, or government entity based in the United States that will distribute only free apps on the App Store.

We could probably distribute JOSM on the mac Store through ​OSM US.

[Klumbumbus]

Replying to Don-vip:

There are restrictions:

if you’re a nonprofit organization, accredited educational institution, or government entity based in the United States that will distribute only free apps on the App Store.

We could probably distribute JOSM on the mac Store through ​OSM US.

The sentence is not clear if "based in the united states" belongs to all three or only to the third item of the list.

[Don-vip]

The ​details page also states "Fee waivers for other countries will be added as they become available." so I guess this is only for US-based entities.

[Klumbumbus]

ah, ok

[Don-vip]

I have asked them if fee waivers are coming for the EU, especially for France and Germany. They should answer in 1 business day.

[Don-vip]

They answered that they had no answer...
The cost is indeed not the only problem. As explained by the FSF, ​the App Store and GPL don't mix well.

VLC suffered from this (first publication in 2010, removed in 2011). Initially GPL-only, the software now uses:

• ​LGPL for its video engine and playback modules.
• ​dual license MPL + GPL for its iOS version, available on the AppStore now.
• GPL for the "classic" desktop version. This version is not available on the AppStore.

So we should probably go the same path if we really would like to be on the AppStore. I don't think this is worth the effort.

[Don-vip]

Ticket #18660 has been marked as a duplicate of this ticket.

[Stereo]

The ticket asks for two things really:

• app store presence. No, read above.
• signing JOSM. Doable, desirable, and something where Apple might be interested in helping. Don-vip, I'll message you on irc?

[stoecker]

The question remains why we should spend our time to support on OS which acts against the whole philosphy of free software and which only a minority of our users use.

If you or someone else can present a working cost free solution we may reconsider, but as is now this topic remains wontfix.

[Don-vip]

Stereo offered me a MacBook last year so that I can do macos development for free. So I am willing to spend some time on this.

[Stereo]

Working on it

---

[Stereo]

What's needed now is a JOSM build that can be signed.

See ​https://stackoverflow.com/questions/58548736/notarize-existing-java-application-for-macos-catalina

[Stereo]

I'm taking care of this in parallel in #18319

Please try out ​https://openstreetmap.lu/JOSM.zip and let me know if it works for you.

[Stereo]

You can try the new pre-releases at ​https://github.com/thomersch/josm/releases

[Stereo]

The new builds at ​https://github.com/openstreetmap/josm/releases are correctly notarized. Future 'tested' builds will be too.

[Don-vip]

Milestone renamed