Real Software Forums

The forum for Real Studio and other Real Software products.

All times are UTC - 5 hours




 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 9:30 am 

Joined: Thu Apr 30, 2009 1:00 pm
Posts: 120
DaveS wrote:
Is there a way to FORCE Gatekeeper to flash that notify?


There is a Terminal command you can use to view and edit the existing Gatekeeper security policies for apps on your computer. Open Terminal and use "man spctl" to get documentation on how to use it.

With this command you will be able to add/revoke the execute-access of a chosen app if you need to, and if you use this command to revoke access from an app, I'm pretty sure that will force Gatekeeper to show the message again.


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 10:44 am 

Joined: Sat Nov 11, 2006 2:43 pm
Posts: 1221
Location: This poster has left the forums
I don't know your business, I didn't claim to. You are incredibly naive if you think you could not lose a sale because you don't code sign. Forcing a user to launch an app by control clicking it is not how I want to present my business, but each to their own.

As in many areas, first impressions last. Make whatever first impression works for your company. That would not work for mine. Code signing is here to stay. The irony is you feel the time defending your decision is not worth $99 a year.


Good luck.


BitsInAWhiteBox wrote:
pony wrote:
BitsInAWhiteBox wrote:
....Problem solved, and I still got all my Mac users happy as clams without needing to shell out the darn 99 USD a year fees. :D


Of course you don't know if they are happy, or merely pacified.
You don't know how many sales you missed because a user downloaded your wares then was unable to run it (who reads the manual).



My sales have been steadily increasing, and due to the nature of my software, which also requires a centralized connection to my servers, I have total control over the (anonymous) information of my users and I see in my logs how many users use various versions of the OS, including how many use Mountain Lion. And my web server tracks the version of the browser and OS too in its HTTP logs, which I can easily compare with the other logs to make sure my solution actually worked and to make sure they are not "pacified" as you claim. So yeah, I do indeed know exactly what's going on, even though YOU might think you know my business better than myself with your current "claims".

And after I did this simple solution, I got rid of all the support emails asking for help regarding this problem.

But then again, in my eyes, signing your software does NOT prove to anyone the software is NOT bad. It's just a "digital statement" that the software has not been tampered with since I personally compiled it. (And what if MY computer was infected at the time I compiled it and the virus injected itself into my executable binaries just BEFORE the signing, which would make it appear legitimate anyway?) So to me, signing the code is in most situations a "false sense of security" as long as it all works like it does now.

To push it to the "extreme" in this metaphorical argument about "security": Signing my software does NOT prevent me from going mentally rogue towards my customers in the future. Signing my software does NOT prevent a secret rogue virus on my computer from injecting itself into my binaries BEFORE the signing stage takes place. I use other kinds of protection to make sure my customers stay safe (as safe as it gets, metaphorically speaking at least) and they are happy with how I do it.

Now, that being said: my name is quite reputable and I am known to deliver stable and well-working software throughout the community my software is focused towards, so I personally do not need to "prove" I'm not a "crook with fishy intentions". Everyone knows my software works exactly as intended and everyone knows I'm to be trusted. And I've got thousands of 5-star reviews to back it all up.

Selling software and making it "secure and safe" is so much more than just compiling, signing and releasing it to the public. You still need to show the whole world YOU as a developer are trustworthy in the social aspect. And the only way to gain trust is to make sure you treat your customers as kings and queens whenever they call you for support and also make sure you have a lot of great reviews from your customers for everyone to read. Digital signing and the Gatekeeper system will not prevent anything if a hacker really wants to do damage. It's just as big a false sense of security as an anti-virus system on MS Windows. It is not 100% tamper-proof, and will never be.

And how do you know a certificate is truly to be trusted? Anyone could steal a credit card and buy an Apple certificate in a fake name and "appear" legitimate long enough to have infected THOUSANDS of computers before Apple would get their slow asses to disable the certificate. It's been done by professional scammers many times already and will be done again and again in the future. So yeah, if you think Gatekeeper is making you "safe", think again. It's all pseudo-security which makes it slightly harder for a hacker to gain his goal, but by far NOT impossible, which has been proven in the hacker community time after time; even with root certs from various root-cert providers for SSL etc. We could go on and on with this silly argumentation. NOTHING is safe.

As the old saying goes: A lock on the door only keeps the honest man honest. The professional criminal will still flip out his titanium crowbar and go straight through the lock in a freakin' instant.

At the end of the day, your users don't care jack shit about signing certs. All they care about is: Are YOU as the developer to be trusted? That's a social thing, not a technical thing. In my honest opinion.

Now, feel free to ignore my simple suggestion or continue arguing all day about what would be "safe and secure". But it won't make any difference. All I'm saying is it solved MY problem with MY users with great satisfactory (and proven) results. Which is all I need. If this won't work for you, or if you think it's a bad idea, then feel free to go the other path by shelling out 99 USD a year for a certificate and hope the public will "trust" its 100% pseudo-security level. You will still need to gain trust with your customers the good old (and only) "social way" in order to be successful.

_________________
%Invalidforumsignatureexception% user signature not found


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 11:57 am 

Joined: Sat Nov 11, 2006 2:43 pm
Posts: 1221
Location: This poster has left the forums
DaveS wrote:
Is there a way to FORCE Gatekeeper to flash that notify?


The extended attributes are used to store this information.
First, take a look at the file's extended attribute com.apple.quarantine, for example:

xattr -p com.apple.quarantine /Users/sjob/Downloads/iTunes.app

You'll get something similar to this:
0062;511954d7;Safari;0B3C110E-2545-4B90-A6C3-BC5F4E4578FD
The entry contains a status code, a time stamp from epoch, the process that downloaded it, a unique UUID used by the SQLite database and other useful info. The length and contents vary depending on what app downloaded it. We are only interested in the status, the first 4 bytes.
0062 - means passed quarantine (user accepted)
0022 - means user cancelled
0002 - means just downloaded

To reset the status and have it prompt again, just change the status code back to 0002 and leave the rest as it was before.
For example:
xattr -w com.apple.quarantine '0002;511954d7;Safari;0B3C110E-2545-4B90-A6C3-BC5F4E4578FD' /Users/sjob/Downloads/iTunes.app

_________________
%Invalidforumsignatureexception% user signature not found
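
The com.apple.quarantine value layout described in the post above, as an added example that is not part of the original post or thread: a Python parser that splits the value into its fields and decodes the hexadecimal epoch time stamp, which is useful when reviewing what a downloaded file's attribute records. The names parse_quarantine, QuarantineRecord, user_accepted and event_id are made up for this sketch; the status meanings are only the three listed in the post, and any other code is reported as not listed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Status meanings exactly as given in the post; nothing else is assumed.
STATUS_MEANINGS = {
    "0062": "passed quarantine (user accepted)",
    "0022": "user cancelled",
    "0002": "just downloaded",
}

HEX_DIGITS = set("0123456789abcdefABCDEF")


@dataclass
class QuarantineRecord:
    status: str                       # first field, 4 hex characters
    meaning: str                      # lookup in STATUS_MEANINGS
    downloaded_at: Optional[datetime] # second field, hex seconds since epoch
    agent: Optional[str]              # process that downloaded the file
    event_id: Optional[str]           # UUID field (name is this sketch's choice)
    extra: Tuple[str, ...]            # anything after the fourth field


def parse_quarantine(value: str) -> QuarantineRecord:
    """Parse a value as printed by `xattr -p com.apple.quarantine <path>`."""
    fields = value.strip().split(";")
    status = fields[0]
    if len(status) != 4 or not set(status) <= HEX_DIGITS:
        raise ValueError(f"unexpected status field: {status!r}")
    status = status.lower()

    # The post notes that length and contents vary by downloading app,
    # so every field after the status is treated as optional.
    downloaded_at = None
    if len(fields) > 1 and fields[1]:
        try:
            seconds = int(fields[1], 16)
            downloaded_at = datetime.fromtimestamp(seconds, tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            downloaded_at = None  # keep parsing; the time stamp is just unknown

    agent = fields[2] if len(fields) > 2 and fields[2] else None
    event_id = fields[3] if len(fields) > 3 and fields[3] else None
    return QuarantineRecord(
        status=status,
        meaning=STATUS_MEANINGS.get(status, "not listed in the post"),
        downloaded_at=downloaded_at,
        agent=agent,
        event_id=event_id,
        extra=tuple(fields[4:]),
    )


def user_accepted(record: QuarantineRecord) -> bool:
    """True when the status is the post's 'passed quarantine' code."""
    return record.status == "0062"


if __name__ == "__main__":
    samples = [
        # Sample value quoted in the post.
        "0062;511954d7;Safari;0B3C110E-2545-4B90-A6C3-BC5F4E4578FD",
        # Constructed short value: only status and time stamp present.
        "0002;511954d7",
    ]
    for raw in samples:
        rec = parse_quarantine(raw)
        print(rec.status, "|", rec.meaning, "|", rec.downloaded_at, "|", rec.agent)
```
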


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 12:02 pm 

Joined: Sun Aug 05, 2007 10:46 am
Posts: 4931
Location: San Diego, CA
based on what you just said...

What is to keep someone from by-passing Gatekeeper by issuing that same command with 0062?

_________________
Dave Sisemore
iMac I7[2012], OSX Mountain Lion 10.8.3 RB2012r2.1
Note : I am not interested in any solutions that involve custom Plug-ins of any kind


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 12:09 pm 
Site Admin

Joined: Tue May 06, 2008 1:07 pm
Posts: 1464
Location: NotEvenOnTheMap, CT
BitsInAWhiteBox wrote:
My sales have been steadily increasing, and due to the nature of my software, which also requires a centralized connection to my servers, I have total control over the (anonymous) information of my users and I see in my logs how many users use various versions of the OS, including how many use Mountain Lion.

You've got a logic problem here. Lion users upgrading to Mountain Lion will not get stopped by Gatekeeper, so you have an established starting base of Mountain Lion users who never saw the dialog and never will. Then, you also have no way to know how many users downloaded the app, but never launched it because they chose not to ignore the Gatekeeper warning.

No, code signing does not prove the software is safe, but it does prove who the software came from, which is the point. But it is still an additional layer of protection which is always a good thing. $99 for 4 (or 5, can't remember) years is pennies, I think you should reconsider fighting Apple on this.

_________________
Thom McGrath - @tekcor
Web Framework Architect, Real Software, Inc.


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 12:40 pm 

Joined: Thu Apr 30, 2009 1:00 pm
Posts: 120
Thom McGrath wrote:
BitsInAWhiteBox wrote:
My sales have been steadily increasing, and due to the nature of my software, which also requires a centralized connection to my servers, I have total control over the (anonymous) information of my users and I see in my logs how many users use various versions of the OS, including how many use Mountain Lion.

You've got a logic problem here. Lion users upgrading to Mountain Lion will not get stopped by Gatekeeper


Wrong. Each time my users download a new software update, Gatekeeper will prevent them from using the new version unless they follow the extra step I include as instructions. So I suggest you check out how it actually works before accusing me of having "wrong logic".

And I was indeed drowning in support emails with questions about how to make it work until I came up with this very solution I described in my original answer. And let me be very detailed here: NONE of my customers asked for a signed executable, they only asked "how to get it working", which means the average user doesn't even know what digital code signing is at all. And those few who do know what digital signing of code is did not bother me at all either, they just found out the solution by themselves.

Now, let's end this silly nitpicking argument, it's really getting borderline-childish, since the creator of this very thread did expressively ask for possible alternatives that could be used without buying a certificate. Go back to the original question of this thread and see for yourself. So stop trying to chop off my damn head here. I only wanted to HELP him according to HIS ORIGINAL QUESTION!


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 12:48 pm 

Joined: Thu Apr 30, 2009 1:00 pm
Posts: 120
pony wrote:
I don't know your business, I didn't claim to. You are incredibly naive if you think you could not lose a sale because you don't code sign. Forcing a user to launch an app by control clicking it is not how I want to present my business, but each to their own.

As in many areas, first impressions last. Make whatever first impression works for your company. That would not work for mine. Code signing is here to stay. The irony is you feel the time defending your decision is not worth $99 a year.


Good luck.


Good luck with what? The ORIGINAL thread-creator asked specifically for a possible solution which could work WITHOUT buying a certificate. I could not be less interested in your personal subjective opinion, coz in the end of the day, my answer was an attempt to show HIM a SOLUTION that would indeed work WITHOUT a certificate. My answer was NOT intended to ass-lick self-proclaimed security-experts like yourself which obviously may be trusting the gatekeeper slightly too much for your own good.

And no, I'm not naive. I keep in very close touch with every single user of my software and I even arrange online meetings with them from time to time. Just a quick look in my own stats is like this:

200'000+ licenses sold in total of all my software.
500'000+ emails answered from customers with questions.
258 Megabytes of chat-logs from customers contacting me through online chat clients.

So you can stick that word "naive" up where the sun never shines. When the time is right, I may choose to code sign, but as the current state is, NOBODY cares. If they did care, I would already have known through the communication I have with them and I would then have done something about it.

So, I'm ending this argument by saying; I agree to disagree with you. EOD.


Last edited by BitsInAWhiteBox on Tue Feb 12, 2013 12:53 pm, edited 2 times in total.

 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 12:50 pm 
Site Admin

Joined: Tue May 06, 2008 1:07 pm
Posts: 1464
Location: NotEvenOnTheMap, CT
BitsInAWhiteBox wrote:
Wrong. Each time my users download a new software update, Gatekeeper will prevent them from using the new version unless they follow the extra step I include as instructions. So I suggest you check out how it actually works before accusing me of having "wrong logic".

No, I'm not wrong. Once you approve a bundle identifier, it's approved for life. Anything you launched under Lion automatically has its bundle identifier approved under Mountain Lion. So unless you change your bundle identifier each build, this is exactly how it will behave.

Of course users don't know about code signing and just want it working. That's why code signing is the right solution. You should try to meet the requirements of the operating system you're targeting, rather than teach the customer how to circumvent it. It's similar to asking a Windows customer to disable their antivirus software to run your app.

And I feel like I am answering the question. There is no positive alternative to code signing. That's what Apple has said Mountain Lion requires. That's the solution, nothing else. You can try to fight it, but you'll be more successful if you just go with the flow.

_________________
Thom McGrath - @tekcor
Web Framework Architect, Real Software, Inc.


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 12:54 pm 

Joined: Thu Apr 30, 2009 1:00 pm
Posts: 120
Thom McGrath wrote:
BitsInAWhiteBox wrote:
Wrong. Each time my users download a new software update, Gatekeeper will prevent them from using the new version unless they follow the extra step I include as instructions. So I suggest you check out how it actually works before accusing me of having "wrong logic".

No, I'm not wrong. Once you approve a bundle identifier, it's approved for life. Anything you launched under Lion automatically has its bundle identifier approved under Mountain Lion. So unless you change your bundle identifier each build, this is exactly how it will behave.

Of course users don't know about code signing and just want it working. That's why code signing is the right solution. You should try to meet the requirements of the operating system you're targeting, rather than teach the customer how to circumvent it. It's similar to asking a Windows customer to disable their antivirus software to run your app.

And I feel like I am answering the question. There is no positive alternative to code signing. That's what Apple has said Mountain Lion requires. That's the solution, nothing else. You can try to fight it, but you'll be more successful if you just go with the flow.


And I repeat, it's NOT about ME going with the flow:

The creator of this very thread did expressively ask for possible alternatives that could be used without buying a certificate. Go back to the original question of this thread and see for yourself. So stop trying to chop off my damn head here. I only wanted to HELP him according to HIS ORIGINAL QUESTION!


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 12:57 pm 

Joined: Sat Nov 11, 2006 2:43 pm
Posts: 1221
Location: This poster has left the forums
DaveS wrote:
based on what you just said...

What is to keep someone from by-passing Gatekeeper by issuing that same command with 0062?


You mean, bypassing by typing a terminal command, instead of bypassing by clicking the button or right clicking the app?

_________________
%Invalidforumsignatureexception% user signature not found


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 1:36 pm 

Joined: Thu Apr 30, 2009 1:00 pm
Posts: 120
DaveS wrote:
based on what you just said...

What is to keep someone from by-passing Gatekeeper by issuing that same command with 0062?


The current way Gatekeeper works is, in my eyes, severely flawed, with too many secondary attack-vectors that can be easily exploited and render it useless way too easily. Gatekeeper was a nice attempt from Apple, but in my eyes they did it wrong and they still have a long way to go before it would be defined as "safe". Now, it only looks like pseudo-security in its current state and anyone who thinks they can trust it may get a surprise the day they realize they just executed a code-signed virus which appeared to look 100% legit. Right now, Gatekeeper "may" only, at best, prevent the youngest talentless script-kiddies from doing damage. The pros cut through it like a warm knife through butter. And anyone who tells me that they think Gatekeeper makes them feel "safe" sure scares me.

One day in the future I hope gatekeeper evolves into a similar system like http://www.sandboxie.com/ (Regretfully only for MS Windows yet) - but sandboxie still needs quite a bit work before it can go "mainstream". Only then it would start to look like a security-system that actually "may" be able to protect the system at a satisfactory level, at least for civilian-usage in general.

OSX got a simplified sandbox system for App Store official releases though, but as long as this ain't enforced on EVERYTHING, the security will still look like a Swiss cheese with way too many holes to poke in.

I would rather be honest to my customers and tell them straight "listen, Gatekeeper may look nice, and sure, if you'd like me to, I can sign my code for you; but don't you dare think you can trust Gatekeeper to keep you safe for a second, it will be a foolish trust to give yet." instead of attempting to lie and say "my software is signed so don't worry, you are 100% safe".


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 2:09 pm 

Joined: Sat Nov 11, 2006 2:43 pm
Posts: 1221
Location: This poster has left the forums
BitsInAWhiteBox wrote:
The creator of this very thread did expressively ask for possible alternatives that could be used without buying a certificate. Go back to the original question of this thread and see for yourself. So stop trying to chop off my damn head here. I only wanted to HELP him according to HIS ORIGINAL QUESTION!


Your 'solution' is not that good, hence the contradictions to your advice. Your solution is inelegant, goes against Apple's developer guidelines for developing modern applications, and can be confusing to users. By your own admission, your solution relies on comparing log files and metrics to ensure you are not, allegedly, losing customers by doing it.

Other equally poor solutions are
have your users type sudo spctl --master-disable
have your users downgrade the OS to 10.6 or earlier
have your users run the Windows version in a VM
ship the software on a floppy disk
bury your head in the sand and pretend code signing is unnecessary and "sticking it to Apple" by not paying $99 is not really "sticking it to yourself".

BitsInAWhiteBox wrote:
instead of attempting to lie and say "my software is signed so don't worry, you are 100% safe".

Whoa there cowboy, that is some distortion reality field you have.
How did you make the absurd leap that adding another layer of security to mean your customers will think you are lying to them?
Code signing is not 100% safe, no-one claims it is. It is part of a bigger security picture, which is not claimed to be 100% safe. It is the correct way to distribute your application. PERIOD.

_________________
%Invalidforumsignatureexception% user signature not found


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 2:12 pm 

Joined: Sat Nov 11, 2006 2:43 pm
Posts: 1221
Location: This poster has left the forums
BitsInAWhiteBox wrote:
One day in the future I hope gatekeeper evolves into a similar system like http://www.sandboxie.com/ (Regretfully only for MS Windows yet) - but sandboxie still needs quite a bit work before it can go "mainstream". Only then it would start to look like a security-system that actually "may" be able to protect the system at a satisfactory level, at least for civilian-usage in general.

I leave the keys in my pickup whilst at the store. I figure it is not 100% secure, so why bother. The lock can be bypassed and the immobilizer disabled, so why bother.
I'll look at it again when they come up with something better. I'm not going to lie to my wife and say the pickup will be safe. I'm going to leave it unlocked and be honest with her. She shouldn't think it will be safer by locking it.

_________________
%Invalidforumsignatureexception% user signature not found


 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 2:17 pm 

Joined: Thu Apr 30, 2009 1:00 pm
Posts: 120
pony wrote:
BitsInAWhiteBox wrote:
The creator of this very thread did expressively ask for possible alternatives that could be used without buying a certificate. Go back to the original question of this thread and see for yourself. So stop trying to chop off my damn head here. I only wanted to HELP him according to HIS ORIGINAL QUESTION!


Your 'solution' is not that good, hence the contradictions to your advice. Your solution is inelegant, goes against Apple's developer guidelines for developing modern applications, and can be confusing to users. By your own admission, your solution relies on comparing log files and metrics to ensure you are not, allegedly, losing customers by doing it.

Other equally poor solutions are
have your users type sudo spctl --master-disable
have your users downgrade the OS to 10.6 or earlier
have your users run the Windows version in a VM
ship the software on a floppy disk
bury your head in the sand and pretend code signing is unnecessary and "sticking it to Apple" by not paying $99 is not really "sticking it to yourself".

BitsInAWhiteBox wrote:
instead of attempting to lie and say "my software is signed so don't worry, you are 100% safe".

Whoa there cowboy, that is some distortion reality field you have.
How did you make the absurd leap that adding another layer of security to mean your customers will think you are lying to them?
Code signing is not 100% safe, no-one claims it is. It is part of a bigger security picture, which is not claimed to be 100% safe. It is the correct way to distribute your application. PERIOD.


Feel free to blindly think everything Apple says is "right" is right. I agree to disagree at the current state of how the pseudo-security Gatekeeper gives everyone.

And feel free to call me names using personal attacks like "cowboy" etc. It will bounce off like rain on a raincoat. Let me correct you: I'm a hard-head. But I'm not a guy who runs around preaching about how great a flawed security like Gatekeeper is.

No offense to real cowboys though, I've visited Texas many times and met many awesome hardcore cowboys. They may be loud-mouths, but they sure treated me fair and square and they told me their barebone truth about stuff, without coating it with sugar like everyone else.

The only benefit of using Gatekeeper now is to get rid of the extra right-click "open" to get it to run. Not much of an awesome security if you ask me. It's like living in a house with no roof, no walls, just a door with a lock on in front of your bed. If that makes you feel safe, then be happy :)


Last edited by BitsInAWhiteBox on Tue Feb 12, 2013 2:24 pm, edited 1 time in total.

 Post subject: Re: Mountain Lion - Unidentified Developer warning
PostPosted: Tue Feb 12, 2013 2:22 pm 

Joined: Wed Feb 04, 2009 1:43 pm
Posts: 427
BitsInAWhiteBox wrote:
200'000+ licenses sold in total of all my software.


If these stats are correct (which I doubt), then why on earth are you complaining about the $99/year fee?

I guarantee you will at least quadruple (if not many more) your income when it is sold on the App Store. And double it when it is codesigned.
So stop the ignorance please.

