vscodium
vscodium copied to clipboard
MacOS archives are not signed
Describe the bug
Apparently the macos binaries are not properly signed. I tried both of them and none of them would start on Big Sur.
I should also mention that I do not see the point / difference between those to blends of builds.
https://github.com/VSCodium/vscodium/releases/download/1.53.2/VSCodium-darwin-x64-1.53.2.zip https://github.com/VSCodium/vscodium/releases/download/1.53.2/VSCodium.x64.1.53.2.dmg
Please confirm that this problem is VSCodium-specific
- [x] This bug doesn't happen if I use Microsoft's Visual Studio Code. It only happens in VSCodium.
Please confirm that the issue/resolution isn't already documented
- [x] I checked the Docs page and my issue is not mentioned there.
To Reproduce Steps to reproduce the behavior:
- Go to '...'
- Click on '....'
- Scroll down to '....'
- See error
Expected behavior Be able to start the app.
Screenshots
Desktop (please complete the following information):
- OS: 11.2
- Architecture x64
- Version 1.53.2
Additional context Add any other context about the problem here.
@ssbarnea Signing is not required for open source software. because Apple signing is paid. You can allow it in your macos Security settings.
While I do agree with others that Apple and other owners of more or less closed stores are making developer life harder, I do also think that the main goal is security, and that applies to open-source as well.
Non-profit organizations can request free developer program access, as documented on https://developer.apple.com/support/membership-fee-waiver/#:~:text=Apple%20Developer%20Program%20membership%20is,their%20annual%20membership%20fee%20waived. -- so we should not use the fee as an excuse for no signing our code. Even if the fee would not be waived, I am also sure that there are multiple open-source foundations which would have no problems sponsoring certification costs.
Asking users to bypass system security protections in order to run pre-compiled binaries downloaded is a serious security risk, one that I am not longer willing to take. I do prefer to compile stuff from source using brew and have it locally signed instead of bypassing system security.
If we do not adapt to the reality, we may fail to make vscodium more popular and most people will go to vscode, which is signed, but that comes with some strings attached.
Any news here? I would very like to use it without tampering my security!
@ssbarnea Signing is not required for open source software. because Apple signing is paid. You can allow it in your macos Security settings.
I would not recommend this to anyone! This can reduce the security of your system.
While I do agree with others that Apple and other owners of more or less closed stores are making developer life harder, I do also think that the main goal is security, and that applies to open-source as well.
Non-profit organizations can request free developer program access, as documented on https://developer.apple.com/support/membership-fee-waiver/#:~:text=Apple%20Developer%20Program%20membership%20is,their%20annual%20membership%20fee%20waived. -- so we should not use the fee as an excuse for no signing our code. Even if the fee would not be waived, I am also sure that there are multiple open-source foundations which would have no problems sponsoring certification costs.
Asking users to bypass system security protections in order to run pre-compiled binaries downloaded is a serious security risk, one that I am not longer willing to take. I do prefer to compile stuff from source using brew and have it locally signed instead of bypassing system security.
If we do not adapt to the reality, we may fail to make vscodium more popular and most people will go to vscode, which is signed, but that comes with some strings attached.
Thank you @ssbarnea this is well said.
@iMonZ You just have to authorize to run that application. It's an exception.
The waiver is for a Non-profit organization
with a tax ID/national ID
. So it can't apply for small open-source projects like this one.
While I do agree with others that Apple and other owners of more or less closed stores are making developer life harder, I do also think that the main goal is security, and that applies to open-source as well.
Non-profit organizations can request free developer program access, as documented on https://developer.apple.com/support/membership-fee-waiver/#:~:text=Apple%20Developer%20Program%20membership%20is,their%20annual%20membership%20fee%20waived. -- so we should not use the fee as an excuse for no signing our code. Even if the fee would not be waived, I am also sure that there are multiple open-source foundations which would have no problems sponsoring certification costs.
Asking users to bypass system security protections in order to run pre-compiled binaries downloaded is a serious security risk, one that I am not longer willing to take. I do prefer to compile stuff from source using brew and have it locally signed instead of bypassing system security.
If we do not adapt to the reality, we may fail to make vscodium more popular and most people will go to vscode, which is signed, but that comes with some strings attached.
Is it possible to replace the cask with a formula? This could resolve the problem without any certificate
@iMonZ You just have to authorize to run that application. It's an exception.
The waiver is for a
Non-profit organization
witha tax ID/national ID
. So it can't apply for small open-source projects like this one.
Still, this is something that you shouldn't do
Still, this is something that you shouldn't do
If Apple was offering waiver even for small open-source projects (like some other companies), only then, I would agree with you :wink:
This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment, and we'll keep it open. If you have any new additional information, please include it with your comment!
+1
@daiyam as this project seems to be most-effected by you, could you please try https://developer.apple.com/support/membership-fee-waiver?
@GitMensch It's only available for organization...
too bad, so would a sponsoring do the trick, if it is important enough for someone to do that?
Isn't this "just the (duplicated) bug" for the "todo issue" #324? In this case I'd suggest to close this as duplicate; otherwise - where is the difference?
duplicate of #324