OK, not the final word. I've uploaded a notarized version of the tools to:
https://ftp.pwg.org/pub/pwg/ipp/wd/sw-ippeveselfcert11-20200226-macos.zip
These are signed with my personal Developer ID certificate (as opposed to my Lakeside Robotics one) so that people can try the beta tools out without having to click through dialogs a dozen times... :/
> On Feb 26, 2020, at 2:23 PM, Michael Sweet <msweet at msweet.org> wrote:
>> Oh, and one final follow-up on this - if you are testing the macOS binaries and run into this, just open System Preferences, go into the Security & Privacy pref pane, click on the lock icon, and then click on the "Allow Anyway" button. You'll need to do this for each of the programs... :/
>> (and now I'll add testing from another macOS user account to my release process to make sure I catch things like this in the future...)
>>>> On Feb 26, 2020, at 2:18 PM, Michael Sweet <msweet at msweet.org> wrote:
>>>> Smith,
>>>> Yes, even for open source projects (and this is no different from Windows). The free developer tier only covers running programs you compile on your own systems, not compiled programs you are distributing to third parties...
>>>>>>> On Feb 26, 2020, at 2:04 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com> wrote:
>>>>>>>>>>>>> On Feb 26, 2020, at 11:59 AM, Michael Sweet <msweet at msweet.org> wrote:
>>>>>>>> OK, I have some good news and some bad news...
>>>>>>>> The good news is that I've successfully signed and notarized the ZIP archive for the macOS self-certification tools. I only needed to make some small changes to the packaging script to a) update the code signing options to reflect the current "secure runtime" and "secure timestamp" options, and b) add a prefix (org.pwg.ippeveselfcertNN.) to the default "bundle ID" used for command-line tools. The resulting ZIP file can be submitted for notarization and makes macOS happy...
>>>>>>>> The bad news is that we can't use a third-party code signing certificate on macOS. Apple requires that you now use the certificate they provide, which can only be provided by signing up as an Apple developer and paying the $99/year for the privilege (which actually is super-affordable compared to what you go through on Windows with code signing certs from GoDaddy/etc.)
>>>>>>>> In the short term I can sign the tools using my Lakeside Robotics certificate for the macOS builds, but in the long term I assume we'll want the PWG IPP Everywhere Printer Self-Certification Tools signed by the IEEE-ISTO Printer Working Group, as before.
>>>>>>>> Thoughts?
>>>>>> Thanks for the legwork!
>>>>>> I think we need to get the Apple provided certificate. I can at least start the process of finding out how we get signed up. Does the $99 / year apply even to open source projects? That seems a bit lame if so...but we can bear $100 / year. I'll ask our ISTO program manager if she wants to be involved or if this is instead just an internal-to-the-PWG thing. Guessing the former.
>>>>>>>>>>>>>>>> On Feb 26, 2020, at 1:21 PM, Michael Sweet via ipp <ipp at pwg.org> wrote:
>>>>>>>>>> Smith,
>>>>>>>>>>> On Feb 26, 2020, at 1:15 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> On Feb 26, 2020, at 10:57 AM, Michael Sweet <msweet at msweet.org> wrote:
>>>>>>>>>>>>>> ... and FWIW I just tried notarizing the zip file we provide and it failed, as it appears that the only supported notarization containers are currently application bundles (directories with a specific organization) and macOS packages. The latter isn't really what we want for macOS so I'll see what I can do about faking an application bundle...
>>>>>>>>>>>> Does it let you notarize a .dmg?
>>>>>>>>>> No.
>>>>>>>>>>> If not, you could do a flat .pkg that can install to a specific location and default to ~/ so that a sw-ippeveselfcert11-20200219-macos.pkg would install its payload into ~/sw-ippeveselfcert11-20200219, but make the package allow installing into other locations...
>>>>>>>>>> You can't install packages to user directories... :/
>>>>>>>>>> I'm investigating further, the notarization logs also point to some missing code signing options so I'll see what I can do about that...
>>>>>>>>>> ________________________
>>>>>>>>>> Michael Sweet
>>>>>>>>>> _______________________________________________
>>>>>>>>>> ipp mailing list
>>>>>>>>>> ipp at pwg.org
>>>>>>>>>> https://www.pwg.org/mailman/listinfo/ipp
________________________
Michael Sweet
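
The thread names three signing properties the tools needed before notarization would succeed: the runtime option, a secure timestamp, and a prefixed identifier for command-line tools. The script below is an added example, not part of the original messages or the PWG packaging script; it checks `codesign -d --verbose=4` output for those properties plus a Developer ID leaf certificate. The function names, the sample tool name and team ID, and the use of `11` for `NN` in the prefix (taken from the archive name) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
# check_signing_info PREFIX: reads `codesign -d --verbose=4` output on stdin,
# prints one FAIL line per missing property, returns 0 only if all checks pass.
check_signing_info() {
    prefix=$1; info=$(cat); rc=0
    # Hardened runtime appears in the CodeDirectory flags: flags=0x10000(runtime)
    if ! printf '%s\n' "$info" | grep -Eq '^CodeDirectory .*flags=[^ ]*runtime'; then
        echo "FAIL: hardened runtime flag not set"; rc=1
    fi
    # Secure timestamps print "Timestamp="; local-clock signatures print "Signed Time="
    if ! printf '%s\n' "$info" | grep -q '^Timestamp='; then
        echo "FAIL: no secure timestamp"; rc=1
    fi
    # Unbundled tools default to the bare file name as identifier; require the prefix
    id=$(printf '%s\n' "$info" | sed -n 's/^Identifier=//p' | head -n 1)
    case $id in
        "$prefix"?*) ;;
        *) echo "FAIL: identifier '$id' lacks prefix '$prefix'"; rc=1 ;;
    esac
    # The first Authority line is the leaf certificate
    leaf=$(printf '%s\n' "$info" | sed -n 's/^Authority=//p' | head -n 1)
    case $leaf in
        "Developer ID Application: "*) ;;
        *) echo "FAIL: leaf authority is '${leaf:-none}'"; rc=1 ;;
    esac
    return $rc
}
# Constructed sample of codesign output (tool name, team ID and sizes are made up)
sample_info() {
    cat <<'EOF'
Executable=/tmp/unpacked/exampletool
Identifier=org.pwg.ippeveselfcert11.exampletool
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Signer (ABCDE12345)
Timestamp=Feb 26, 2020 at 2:00:00 PM
EOF
}
# audit_dir DIR PREFIX: check every regular file in an unpacked archive (macOS only)
audit_dir() {
    failed=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        out=$(codesign -d --verbose=4 "$f" 2>&1 | check_signing_info "$2") ||
            { printf '%s:\n%s\n' "$f" "$out"; failed=1; }
    done
    return $failed
}
if [ "$#" -eq 2 ]; then audit_dir "$1" "$2"; fi
```

On macOS, pass the unpacked archive directory and the expected identifier prefix as the two arguments; with no arguments the script only defines the functions.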