Sponsor Mac developer account

As per discussion during FOSS Monthly meetup on Jan 2022, creating a thread here.

There was a discussion around needing a Mac developer account for various scenarios. A suggestion was that FOSS United can keep a single Mac developer account and anyone under the umbrella can get their app signed with it.

As of now, the following people have committed:

  1. I can commit to funding 1 year's charge.
  2. @Amit_Upadhyay has committed to help from the monetary side.

The main requirement will be to find a custodian who will keep the developer certificate and key and would facilitate the process.

Please feel free to add if I missed anything, or if the whole idea is absurd and there could be a different way to approach this.

3 Likes

Call on 2nd Feb:

Present: @subins2000, @wisharya

Agenda: Possibility of helping multiple developers with single Mac developer account.

MoM:

  • We need to get help from someone who uses a Mac dev account and has experience with it.
  • Ping Ajin from Zerodha to help.

Call on 6th Feb:

Present: @ajinasokan @wisharya

Agenda: Possibility of helping multiple developers with single Apple developer account.

MoM:

  • We can create an account as an organization. We can add multiple owners to manage the overall account.
  • We can add individual developers with permissions to work on specific apps.
  • A person with a normal free Apple iCloud account can build and run the source code on their own phone (which is logged in with the same account). This doesn’t need a paid developer account. But apps installed this way will expire after 7 days. This can be extended with AltStore. Initial work for the app can be done this way.
  • If a developer wants to install an app on someone else’s phone (with physical access) then the developer’s account has to be added to the paid organization account. Can be done this way. I’m not sure if there is any limit to the number of accounts that can be added like this. But there is a limit to the number of 3rd party devices - 100. Certificates for this are called Provisional certificates.
  • If a developer wants to publish an app to the App Store they need a Distribution certificate. There is a limit of 3 per account. So we can’t give one to every developer. And it won’t be safe as well, as it has permission over all the apps.
  • In theory we could set up a CI with the account credentials and distribution certificate and attach it to the repository of the app. There are GitHub Actions available. I think the app repo has to be under the organization to handle the credentials properly.
  • We can try and experiment with this flow and I can help to set it up.

Does it make sense to have the setup like this ^?

Cc: @anant_shrivastava, @subins2000, @Amit_Upadhyay

When the developer is helped via FOSS United it makes sense for FOSS United to be the custodian of the keys. I am happy with this. But we need feedback from developers if they see a potential lock-in coz of this.

As far as Google Play Store is concerned, once signing has started with a certificate I can’t change the cert keystore midway in the application lifecycle, and I will have to get a new application and discard the old application if I want to change the certificate.

If devs don’t see an issue, consider it a plus one from my side.
Thanks @ajinasokan and @wisharya for the help in setting this up.

Sorry I missed out the notification on this.

For my app Varnam, it’s going to be distributed for Macs. I believe for Mac, it’s more liberal than iOS. What I learnt is that every 3rd party app binary needs to be notarized. Only notarized apps can be run on Macs, otherwise the user would have to self-sign it. The notarization process is done by uploading the binary to an Apple API. This requires a Developer ID certificate which is only available for Apple Developer Program membership devs.

More about notarization: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution

Here’s a sample notarization script: https://github.com/ratreya/lipika-ime/blob/master/Installation/build#L3 See the notarizefile() function in it.

Any updates on this? I’ve been thinking about formally announcing a release of Varnam for Mac for a long time now, never got free time to work on it :sweat_smile:

Meanwhile I’ll be following up on this thread.

@ajinasokan Perhaps we can get on a call to discuss this further.

1 Like

Notarization is not necessary IIRC. You can self-sign and distribute in a zip. Users can open it by CTRL + Right click -> Open.

I haven’t done macOS releases before. But I’m down.

I believe it can work. We should have some official policy, to ensure developer interests are met as much, without undue problems for FOSS. Like if a developer wants to make their app paid, I believe it would be a pain for FOSS to manage payment etc., so the developer may be allowed to ask FOSS to delete their app, and then republish it themselves. If there is a way for the App Store to transfer the app, it’s even more friendly to developers.

Announcing Mac Admins Open Source (MAOS) — MacAdmins.org relevant to this conversation