
All binaries must be signed as enforced by Mac Silicon chips


nikivi


I’ve combined your two posts. Once again I must ask you don’t serial post in the same thread, it makes things hard to follow.

 

More importantly, rather than a random thread which already got corrections, it would be better to link to someone who has been discussing signing and notarisation for quite a while, paid attention when this was officially announced by Apple, and covered it in detail: https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-require-signed-code/

 

Quote

Two important points need to be reiterated: you don’t need a developer signature, and can use an ad-hoc one, even one generated on the fly during the build process, and this only applies to ARM native executables.

 

This still sucks, but presumably (from my limited understanding) it means your things won’t break on day one and you can continue to build things for yourself (at a bigger inconvenience).


It remains unclear if scripts are affected. If they’re not, Alfred Workflows will continue to be viable to share, depending on what the situation is regarding the interpreters.


I understand that does complicate things for you and the time you’ve invested in Go, though. I also have things I’d like to sign and notarise, but $100/year (is that before or after tax, even? USAmericans are weird in that regard), while not breaking the bank, is hard to justify when I’d be paying to give away work.

 

4 hours ago, nikivi said:

I wonder if you really need to pay a license to Apple to sign things.

 

You have never needed to pay Apple to sign things. Unless you want those signed tools to be valid to anyone you share them without scary warnings, in which case you have always needed to pay. Nothing changed in that regard. The issue here is that not signing now has a bigger cost.

Link to comment
10 minutes ago, vitor said:

without scary warnings

 

From my understanding, there is no longer even a warning now. The thing won't run on the new macs.

 

Thanks for the nice article and answer. I suppose the answer is that if I want to build stuff for my own use, I don't need to pay anyone. But if I or anyone wants to share some compiled code with anyone, they'd need to either compile it themselves or pay Apple a $100 fee and sign the binary before shipping it. Otherwise the user simply won't be able to use it, where even instructions like https://github.com/deanishe/awgo/wiki/Catalina won't help.

 

I am probably going to get the M2 16" macbook when that comes out, just trying to evaluate how much software I'd probably lose in the process. Specifically I don't mind recompiling Dean's or someone else's Go/Rust workflows but if say an update gets released to a workflow, I'd need to go clone the repo, compile the thing, move the binary to the workflow (so workflow updates for compiled Alfred workflows are broken unless the author pays the fee to sign things). Not sure if I've missed something perhaps.

Edited by nikivi
Link to comment
49 minutes ago, vitor said:

It remains unclear if scripts are affected.

 

Scripts were excluded because Apple couldn't figure out how to reliably sign text files. I doubt that has changed.

 

50 minutes ago, vitor said:

is that before or after tax, even? USAmericans are weird in that regard

 

Almost certainly excluding tax (the norm for US prices). All it says for me is "I will be billed on an annual basis for €99. Taxes may apply."

 

43 minutes ago, nikivi said:

the M2 16" macbook

 

There's already an M2?

 

44 minutes ago, nikivi said:

I don't mind recompiling Dean's or someone else's Go/Rust workflows

 

That's completely untenable. Some users may be able to compile workflows for themselves, but it's too complex for the large majority.

 

Link to comment
1 hour ago, nikivi said:

The thing won't run on the new macs.

 

The ARM-compiled thing. According to reports, even Rosetta 2-emulated software may run faster than on Intel Macs, so that might be a thing for a while.

 

28 minutes ago, deanishe said:

There's already an M2?

 

“Word on the street” (i.e. speculation) is that we’ll get something other than M1 for bigger / more powerful machines. The most common (and again, speculated) names are M2 and M1X. The latter or a variation thereof seem likelier to me if the new machines launch before the middle of 2021. Then again, naming and consistency (apart from a rock obsession) haven’t been Apple’s strong suit for a while.

 

9 minutes ago, nikivi said:

The issue with current M1 macs is the ecosystem is not yet there.

 

But it seems it might get there fast and in less time than previous transitions. There’s a lot of (seemingly deserved) hype about the performance of the new Macs and a lot of willingness to support it.

 

1 hour ago, nikivi said:

I am probably going to get the M2 16" macbook when that comes out

 

My machine is falling apart and begging to be replaced, so it was a bit disappointing (though not entirely unexpected) when that one didn’t land on launch. Though I have begun to wonder if waiting is worth it. Even if the new 16″ costs the same as it does today, that’s still a buttload more than what I’d like to pay and it will have (in all likelihood) a mandatory touch bar, which significantly increases the price while ostensibly making the machine worse. So the Air is all of a sudden looking like a tempting proposition, though the smaller screen will hurt (an external display is not an option).

 

And I see no one talking about it seriously, but I’m curious as to what this may do to the state of Mac gaming. I’m seeing the possibility of a brighter future in the small specific way I care about it.

Link to comment
1 minute ago, vitor said:

According to reports, even Rosetta 2-emulated software may run faster than on Intel Macs, so that might be a thing for a while.

 

Yeah. Rosetta 2-emulated apps apparently run at 70–80% of the speed of native ones. Given how ridiculously fast the M1 chips are, that's plenty fast.

 

3 minutes ago, vitor said:

an external display is not an option

 

Why not? If I only had a notebook, there is zero chance that I wouldn't buy an external display.

 

5 minutes ago, vitor said:

but I’m curious as to what this may do to the state of Mac gaming

 

I've been wondering about that, too. At the moment, I'm inclined to believe it will be awful for Mac gaming. Apple has sacked off OpenGL and now x86. It's almost as if they're going out of their way to be hostile towards game developers and gamers.

Link to comment

I like to give each device a purpose. Mac (coding, creative work), iPhone (messages, podcasts/media, on the go), iPad (browsing/books/drawing), PS5 (real games).

 

There are of course some games that are superior with keyboard and mice. I just remember the time I moved from Windows to mac was a huge productivity boost for me as I could no longer play anything. 😄

Link to comment
7 minutes ago, deanishe said:

Why not?

 

I doubt that I could go back to a non-HiDPI screen. The few times I have to deal with those (typically on other laptops), it physically (optically) bothers me. I’m not familiar with the external display world (and its prices), but I suspect I wouldn’t be able to get a decent one for less than the price difference of the MBAir and the MBP.

 

And said screen would be stationary on my desk, but I suspect the times when I’d miss the bigger screen would be watching something with company in the living room, which happens a lot.

 

So an external screen wouldn’t be available when it’s most useful and would be more expensive (which is the opposite of what I want, and the reason I’m considering a smaller laptop in the first place).

 

8 minutes ago, deanishe said:

At the moment, I'm inclined to believe it will be awful for Mac gaming.

 

With the abilities to add controller support to iOS games and play them on macOS, a new market opens. Suddenly you can play Journey on a Mac and Inside would’ve been available three years earlier (the macOS port was released in 2020, I wonder if they now regret that). If you combine both iOS and macOS markets, which can be served with the same app, more small games become financially viable on Apple platforms.


The few games I want to play tend to be indie with a pixel aesthetic (Extremely OK Games, formerly Matt Makes Games, is a good example), which means every time I see something that looks remotely interesting, I stop and check for macOS compatibility because there’s a good chance it isn’t there.

 

1 hour ago, deanishe said:

Apple has sacked off OpenGL and now x86. It's almost as if they're going out of their way to be hostile towards game developers and gamers.

 

For what I play on this machine, the worst offenders performance-wise (the ones who turn on the fans as soon as the title screen opens, and sometimes only then!) are usually made with generic game engines. Those are likely to be updated to work with Metal and ARM, but even if they’re not I wouldn’t have been able to play them anyway. We’ll see how it affects the others.

Link to comment
2 minutes ago, nikivi said:

 

No prices are listed, and that’s the most important metric right now.

 

3 minutes ago, nikivi said:

 

That looks good, but for that price I could just buy a second Macbook Air or an iPad and have them side by side (and still save money). Or wait and buy the 16″, whose major reason I’m considering not doing is the price.

 

Again, I’m not looking for an external screen because it would make no sense to me: it’s as or more expensive than the alternative, it may mean a performance hit, and it’s not available when it matters most.

 

Even with infinite money (which I very much don’t have) I probably wouldn’t go that route.

Link to comment
26 minutes ago, vitor said:

I suspect I wouldn’t be able to get a decent one for less than the price difference of the MBAir and the MBP.

 

Depends what you mean by "decent", tbh. The 16" MBP is going to cost about €1000 more than the MBA. You can get a hi-res screen for a fraction of that.

 

I can't really comment on the quality of any because they're always connected to Windows PCs, and Windows always looks awful compared to macOS.

 

27 minutes ago, vitor said:

I suspect the times when I’d miss the bigger screen would be watching something with company in the living room, which happens a lot.

 

Fair enough, but a 16" screen doesn't strike me as much of a way to watch a movie in company, either.

 

32 minutes ago, vitor said:

generic game engines. Those are likely to be updated to work with Metal and ARM, but even if they’re not I wouldn’t have been able to play them anyway.

 

Many already work with Metal. I presume ARM support will also come. Problem is, those games also often use assembler, which would require manual porting.

 

You can probably also forget about all your existing games (that Catalina didn't already break).

 

That iOS games can run on macOS is rather meh for me personally. Casual games don't really interest me, and I suspect a lot of iOS games will suck without a touchscreen.

Link to comment
14 minutes ago, deanishe said:

Depends what you mean by "decent", tbh.

 

Anything someone with fair knowledge on the subject wouldn’t be embarrassed to recommend.

 

16 minutes ago, deanishe said:

The 16" MBP is going to cost about €1000 more than the MBA. You can get a hi-res screen for a fraction of that.

 

If that fraction is one-third or less, now we’re talking.

 

1 minute ago, deanishe said:

Fair enough, but a 16" screen doesn't strike me as much of a way to watch a movie in company, either.

 

My current 15″ retina is the best screen in the house and it does the job acceptably. Due to the living room layout there’s no practical and affordable solution that doesn’t involve lugging a laptop. Replacing it with the Macbook Air would mean choices get reduced to either a 13″ retina or 15″ non-retina Windows. I suspect I’d still prefer looking at the smaller screen with that choice, but it might be annoying.

 

22 minutes ago, deanishe said:

You can probably also forget about all your existing games (that Catalina didn't already break).

 

Only going to miss one. I was able to keep Catalina off my machine, so no premature breaks there.

 

24 minutes ago, deanishe said:

That iOS games can run on macOS is rather meh for me personally. Casual games don't really interest me, and I suspect a lot of iOS games will suck without a touchscreen.

 

I agree, with the situation as it stands now. What I’m curious about is what the situation can be. By way of example, the Final Fantasy franchise (including older gems like Tactics) is never released to macOS but it is available on iOS. Now it can be on macOS as well. Or Evoland—which is presumably good—and has both iOS and macOS versions, could maybe reduce its development time. Or as mentioned above, Inside could’ve come sooner to the Mac (I didn’t even know it had until I searched it for the previous post; I liked the team’s previous game).


None of those are casual. And I want to play none of those on iOS. But now we can buy them to play on macOS even if they weren’t ported. With controller support it will make little difference what platform they were built for. I’m expecting some indie developers who previously did not develop for Apple platforms might suddenly see the math work out (even more so now).

Link to comment
4 minutes ago, vitor said:

If that fraction is one-third or less, now we’re talking.

 

If you want something from the "Good for Retina" column of the chart Niki linked, I think you're stuck with the 22" LG. Anything bigger in Retina-like resolution costs an arm and a leg.

 

17 minutes ago, vitor said:

Due to the living room layout there’s no practical and affordable solution that doesn’t involve lugging a laptop.

 

Fair enough.

 

1 hour ago, vitor said:

None of those are casual.

 

"Casual" wasn't the right word. Only a couple of the games I like to play have ever had an iOS version, and they're not so much fun without the mods…

 

1 hour ago, vitor said:

With controller support it will make little difference what platform they were built for.

 

Not strictly true, tbh. I've played a couple of iOS->Mac ports that sucked because the developers didn't bother to adjust the size of the text, making it unreadable if you weren't sitting as close to the monitor as you would be to an iPad screen. I suspect an awful lot of iOS games will be pretty bad on macOS if the developers don't make a proper effort to adapt them. Same as all other iOS apps, I suppose.

Link to comment

Came across this discussion on the Go repo around code signing and Go apps.

tl;dr is that one could use the codesign command after building the binary and publishing it. If signed, binaries will run without any errors on other computers, no warning prompts or anything. Perhaps in future Go will be able to do the signing itself similar to clang and xcode.

 

I do wonder though why @deanishe didn't do this already. I personally didn't know about this but if I did, it would simplify the installs of workflows (no need to add extra instructions for how to avoid the unsigned binary warning). Going to look into adding codesign as a publishing step as a mage command.


I left the comment on the issue as I am not sure how the process works. Someone has to validate the signature and whether you need to pay Apple to do it.

 

Okay, from my Telegram macOS/iOS group, found the answer I was looking for:

[Screenshot attachment]

Edited by nikivi
Link to comment
1 hour ago, nikivi said:

I do wonder though why @deanishe didn't do this already.

 

I told you before when you opened an issue about it on GitHub. I don't have a problem with signing the binaries, I have a problem with paying Apple €99 to be able to do so.

 

Apart from objecting in principle to paying Apple to be able to release open-source software for their platform, I don't have a credit card I could pay it with, anyway.

 

If it were possible to sign the binaries with a free certificate (which I've had for years), I would have signed them all long ago.

 

EDIT: Going by the screenshot you posted, signing binaries with a free cert shows an "unknown developer" warning. So I guess that's what I'll have to do.

 

But I’m still not sure about what else I’d need to do to get a Go workflow running on ARM. Do I have to prefix every command with arch -x86_64 or will it automatically run the Go binary with Rosetta?

Edited by deanishe
Link to comment
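
Added example (not part of any post in this thread, and not code from awgo or the Go project): a release check for the rule quoted at the top of the thread, that only ARM-native executables must carry a signature and that an ad-hoc one is enough. It reads a thin Mach-O image with Go's standard `debug/macho` package and reports whether it is arm64 and whether it embeds an `LC_CODE_SIGNATURE` load command. The names `Inspect`, `Report` and `SampleMachO` are hypothetical, and the sample bytes are constructed headers, not real programs.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
)

const lcCodeSignature = 0x1d // LC_CODE_SIGNATURE; debug/macho has no named constant

type Report struct{ Arm64, Signed, MustSign bool } // one thin Mach-O image

// Inspect detects an embedded signature; it does not validate it (codesign --verify does).
func Inspect(data []byte) (Report, error) {
	f, err := macho.NewFile(bytes.NewReader(data)) // universal (fat) files yield an error here
	if err != nil {
		return Report{}, err
	}
	r := Report{Arm64: f.Cpu == macho.CpuArm64}
	for _, l := range f.Loads {
		if raw := l.Raw(); len(raw) >= 4 && f.ByteOrder.Uint32(raw[:4]) == lcCodeSignature {
			r.Signed = true
		}
	}
	r.MustSign = r.Arm64 && !r.Signed // x86_64 code run under Rosetta is exempt
	return r, nil
}

// SampleMachO returns a constructed 64-bit little-endian header carrying
// LC_UUID and, optionally, an empty LC_CODE_SIGNATURE command.
func SampleMachO(arm64, signed bool) []byte {
	cpu, ncmds := macho.CpuAmd64, uint32(1)
	if arm64 {
		cpu = macho.CpuArm64
	}
	cmds := []uint32{0x1b, 24, 0, 0, 0, 0} // LC_UUID, cmdsize, 16 zero bytes
	if signed {
		cmds = append(cmds, lcCodeSignature, 16, 0, 0) // cmd, cmdsize, dataoff, datasize
		ncmds++
	}
	hdr := []uint32{macho.Magic64, uint32(cpu), 0, uint32(macho.TypeExec), ncmds, uint32(4 * len(cmds)), 0, 0}
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.LittleEndian, append(hdr, cmds...))
	return buf.Bytes()
}

func main() {
	fmt.Println(Inspect(SampleMachO(true, false))) // arm64 without a signature
}
```

A build step that gets `MustSign` back for a darwin/arm64 artifact would run `codesign -s - <binary>` (the ad-hoc identity) before packaging the workflow.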
