[IPP] IPP WG Last Call: IPP Everywhere Printer Self-Certification Manual v1.1 (SELFCERT) (ends March 12, 2020)

[IPP] IPP WG Last Call: IPP Everywhere Printer Self-Certification Manual v1.1 (SELFCERT) (ends March 12, 2020)

Michael Sweet msweet at msweet.org
Wed Feb 26 19:18:01 UTC 2020


Smith,

Yes, even for open source projects (and this is no different from Windows).  The free developer tier only covers running programs you compile on your own systems, not compiled programs you are distributing to third parties...


> On Feb 26, 2020, at 2:04 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com> wrote:
> 
> 
> 
>> On Feb 26, 2020, at 11:59 AM, Michael Sweet <msweet at msweet.org> wrote:
>> 
>> OK, I have some good news and some bad news...
>> 
>> The good news is that I've successfully signed and notarized the ZIP archive for the macOS self-certification tools. I only needed to make some small changes to the packaging script to a) update the code signing options to reflect the current "secure runtime" and "secure timestamp" options, and b) add a prefix (org.pwg.ippeveselfcertNN.) to the default "bundle ID" used for command-line tools. The resulting ZIP file can be submitted for notarization and makes macOS happy...
>> 
>> The bad news is that we can't use a third-party code signing certificate on macOS. Apple requires that you now use the certificate they provide, which can only be provided by signing up as an Apple developer and paying the $99/year for the privilege (which actually is super-affordable compared to what you go through on Windows with code signing certs from GoDaddy/etc.)
>> 
>> In the short term I can sign the tools using my Lakeside Robotics certificate for the macOS builds, but in the long term I assume we'll want the PWG IPP Everywhere Printer Self-Certification Tools signed by the IEEE-ISTO Printer Working Group, as before.
>> 
>> Thoughts?
> 
> Thanks for the legwork!
> 
> I think we need to get the Apple provided certificate. I can at least start the process of finding out how we get signed up. Does the $99 / year apply even to open source projects? That seems a bit lame if so...but we can bear $100 / year. I'll ask our ISTO program manager if she wants to be involved or if this is instead just an internal-to-the-PWG thing. Guessing the former.
> 
>> 
>> 
>> > On Feb 26, 2020, at 1:21 PM, Michael Sweet via ipp <ipp at pwg.org> wrote:
>> > 
>> > Smith,
>> > 
>> >> On Feb 26, 2020, at 1:15 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com> wrote:
>> >> 
>> >> 
>> >> 
>> >>> On Feb 26, 2020, at 10:57 AM, Michael Sweet <msweet at msweet.org> wrote:
>> >>> 
>> >>> ... and FWIW I just tried notarizing the zip file we provide and it failed, as it appears that the only supported notarization containers are currently application bundles (directories with a specific organization) and macOS packages. The latter isn't really what we want for macOS so I'll see what I can do about faking an application bundle...
>> >> 
>> >> Does it let you notarize a .dmg?
>> > 
>> > No.
>> > 
>> >> If not, you could do a flat .pkg that can install to a specific location and default to ~/ so that a sw-ippeveselfcert11-20200219-macos.pkg would install its payload into ~/sw-ippeveselfcert11-20200219, but make the package allow installing into other locations...
>> > 
>> > You can't install packages to user directories... :/
>> > 
>> > I'm investigating further, the notarization logs also point to some missing code signing options so I'll see what I can do about that...
>> > 
>> > ________________________
>> > Michael Sweet
>> > 
>> > 
>> > 
>> > _______________________________________________
>> > ipp mailing list
>> > ipp at pwg.org
>> > https://www.pwg.org/mailman/listinfo/ipp
>> 
>> ________________________
>> Michael Sweet

________________________
Michael Sweet





More information about the ipp mailing list