Sponser mac developer account

As per discussion during FOSS Monthly meetup on Jan 2022, creating a thread here.

There was a discussion around needing Mac developer account for various scenarios. a suggestion was that FOSS united can keep a single mac developer account and anyone under the umbrella can get the app signed for that.

As of now following people have commited:

  1. myself can commit for funding 1 year charge.
  2. @Amit_Upadhyay has commited to help from monatory side.

The main requirement will be to find a custodian who will keep the devleoper certificate and key and would facilitate the process.

Please feel free to add if i missed anything, or if the whole idea is absurd and there could be a different way to approach this

3 Likes

Call on 2nd Feb:

Present: @subins2000, @WishArya

Agenda: Possibility of helping multiple developers with single Mac developer account.

MoM:

  • We need to get help from someone who uses mac dev account and have experience around that.
  • Ping Ajin from Zerodha to help.

Call on 6th Feb:

Present: @ajinasokan @WishArya

Agenda: Possibility of helping multiple developers with single Apple developer account.

MoM:

  • We can create an account as organization. We can add multiple owners to manage overall account.
  • We can add individual developers with permissions to work on specific apps.
  • A person with a normal free Apple iCloud account can build and run the source code in their own phone (which is logged in with same account). This doesn’t need a paid developer account. But apps installed this way will get expired after 7 days. This can be extended with AltStore. Initial work for the app can be done this way.
  • If a developer want to install an app in someone else’s phone(with physical access) then developer’s account has to be added to the paid organization account. Can be done this way. I’m not sure if there is any limit to the number of accounts that can be added like this. But there is a limit to number of 3rd party devices - 100. Certificates for this are called Provisional certificates.
  • If a developer wants to publish an app to app store they need a Distribution certificate. There is a limit of 3 per account. So we can’t give one for every developer. And it won’t be safe as well as it has permission over all the apps.
  • In theory we could set up a CI with the account credentials and distribution certificate and attach it to the repository of the app. There are Github actions available. I think the app repo has to be under the organization to handle the credentials properly.
  • We can try and experiment with this flow and I can help to set it up.

Does this makes sense to have the setup like this ^?

Cc: @anant_shrivastava, @subins2000, @Amit_Upadhyay

When the developer is helped via fossunited it makes sense for foss united to be the custodian of the keys. I am happy with this. but we need feedback from developers if they see a potential lock in coz of this.

as far as google play store is concerned once signing has started by a certificate i cant change the cert keystore mid way in the application lifecycle and i will have to get a new application and discard old application if i want to change certificate.

If dev’s dont see an issue consider it a plus one from my side.
thanks @ajinasokan and @WishArya for the help in setting this up.

Sorry I missed out the notification on this.

For my app Varnam, it’s going to be distributed for macs. I believe for mac, it’s liberal than iOS. What I learnt is that every 3rd party app binary needs to be notarized. Only notarized apps can be run on macs, otherwise user would have to self-sign it. The notarization process is done by uploading the binary to an Apple API. This requires a Developer ID certificate which is only available for Apple Developer Program membership devs.

More about notarization: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution

Here’s a sample script of notarization: https://github.com/ratreya/lipika-ime/blob/master/Installation/build#L3 See the notarizefile() function in it.

Any updates on this ? I’ve been thinking about formally announcing a release of Varnam for mac for a long time now, never got free time to work on it :sweat_smile:

Meanwhile I’ll be following up this thread.

@ajinasokan Perhaps we can get on a call to discuss this further .

1 Like

Notarization is not necessary IIRC. You can self sign and distribute in zip. Users can open it by CTRL + Right click -> Open.

I haven’t done macOS releases before. But I’m down.

I believe it can work. We should have some official policy, to ensure developer interests are met as much, without undue problems for FOSS. Like if developer wants to make their app paid, I believe it would be pain for FOSS to manage payment etc, so developer may be allowed to ask FOSS to delete their app, and them to republish it. If there is a way for App Store to transfer the app its even more friendly to developers.