[Haskell-cafe] Haskell development in Mac OS X after Gatekeeper

Austin Seipp mad.one at gmail.com
Mon Feb 20 04:21:49 CET 2012 

On Sun, Feb 19, 2012 at 8:19 PM, Tom Murphy <amindfv at gmail.com> wrote:
>     Actually, what I was more concerned about was the ability to
> distribute a "full" Mac application, with a GUI, made with a method
> other than calling Haskell from Objective-C.
>     It seems that *none* of these applications will be usable by
> anyone except users with all security settings turned off (it doesn't
> sound great in a user manual: "Every time you run this program, be
> sure to turn the malware-detector all the way off")
>
>     The reason I'm concerned is that having a security signature
> requires a membership to the Apple Developers program, which is
> exclusively for XCode [0]. Isn't it logical to assume that the
> signature-"bundling" process [1] occurs within XCode?
>     (I'm assuming the "digital summary of the contents of the
> application" is a hash, which (I think) would imply that
> XCode-compilation would have to be the final step in the development
> chain)

On OS X, you can sign applications or paths using any certificate you
like using the 'codesign' utility, including a .app bundle. If you're
going to distribute an OS X application to average users, let's face
it: you're going to give them an .app bundle.

You can do it yourself with a self-trusted code signing certificate
already. Building LLDB on OS X for example, requires self signing in
this manner, because the debugging engine needs permissions granted by
the signature (AFAIK.) Regular LLDB with XCode already comes signed by
Apple, obviously.

>     Which (again, unless I'm reading it wrong) means that most
> Haskell OS X GUI work (incl. FRP) goes out the window?!

No. Just sign your .app bundle with your Developer ID cert using
codesign after the build and bundling process, and it'll work unless
they only have Gatekeeper enabled to allow Mac App store apps. There's
nothing you can do about this if they have it enabled if you're not
willing to put it on the store, other than advise them to disable it.
If it's on the store, you've already paid for the developer license
and signed it anyway.

The only differences mountain lion adds is that now you must at least
sign those applications which you intend to distribute to regular
users by whatever means, but not put them on the App Store. That's
really it at the core. And tech demos and code examples will never be
relevant if the target is programmers really, because developers are
just going to have it disabled (equivalent to the way OS X is now, in
effect.)

The only two things not clear at this point, at least to me, are:

1) Will Apple require the paid development program, as opposed to the
free one, if you only want to self-sign applications with a cert they
trust?
2) What will the default Gatekeeper setting in Mountain Lion be?

These 2 factors will control whether or not you'd have to pay and the
user impact. In an ideal world, you won't require the paid dev ID (I
don't know the expense of giving out certs however,) and the default
setting would be App store + Dev signed. Unfortunately we'll just have
to wait and see on that note.

-- 
Regards,
Austin

More information about the Haskell-Cafe mailing list