[winswitch] DMG available download is not signed

Antoine Martin antoine at nagafix.co.uk
Thu Nov 5 13:59:37 GMT 2015


On 04/11/15 04:27, Gowtham Narisipalli wrote:
> I am using OSX El Capitan and attempted to install xpra after downloading
> the dmg. Looks like the DMG is not signed as OSX is not able to identify
> the developer of the application. Can you please sign the package to
> ensure that users who are downloading the package can trust it and not fear
> that it was tinkered with?
Jumping through the hoops that Apple has created "in the name of
security" is planned:
http://xpra.org/trac/ticket/641

You can already check that the packages you have downloaded have not
been tinkered with using the checksums and gpg signatures found in the
download area, which you can download via https - this guarantees that
you are downloading from xpra.org.
This has been the case for many years, we did not wait for Apple to
provide this assurance.
The problem is that as far as I am aware, you now have to trust Apple
for everything, including managing this new signing system which is
completely disconnected from the website it is hosted on... in the name
of security.

Last but not least, this tedious signing process requires a sufficiently
new version of Xcode, which is not available on our current build system.
Switching to a newer version of OSX for the build system is in the
works, I am sure this will break all sorts of things in new and
interesting ways too.

Cheers
Antoine
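
The checksum half of the check described in the message above, as an added example that is not part of the original message or xpra's own tooling. It assumes the checksum file uses the GNU `sha256sum` line format and that its GPG signature has already been verified separately (for example with `gpg --verify`); the file names and sample data are constructed.

```python
import hashlib
import hmac
import os
import string
import tempfile

def parse_manifest(text):
    """Parse sha256sum-style lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        if not (len(digest) == 64 and set(digest) <= set(string.hexdigits)
                and rest[:1] in (" ", "*") and rest[1:]):
            raise ValueError("malformed manifest line: %r" % line)
        name, digest = rest[1:], digest.lower()
        if entries.setdefault(name, digest) != digest:
            raise ValueError("conflicting digests for %r" % name)
    return entries

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream, so a large image is never held in memory
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, manifest_text):
    """True only if the file's basename is listed and its digest matches."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False  # not listed in the manifest: fail closed
    return hmac.compare_digest(sha256_file(path), expected)

def demo():  # constructed sample: stand-in file, its manifest, then a one-byte change
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Example.dmg")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"constructed sample payload\n")
        manifest = "# constructed manifest\n%s *Example.dmg\n" % sha256_file(path)
        intact = verify_download(path, manifest)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate modification after the manifest was made
        tampered = verify_download(path, manifest)
        unlisted = verify_download(path, "%s  Other.dmg\n" % ("0" * 64))
    return intact, tampered, unlisted

if __name__ == "__main__":
    print(demo())
```

A matching checksum only shows the file agrees with the manifest; the manifest's own authenticity comes from the signature check and the HTTPS download.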



