Apple developer program

[jdart]

I have looked at getting into the Apple Developer program, because by default Apple's Gatekeeper technology doesn't let end users install unapproved apps. Anyone have experience with this? (I am looking mostly at targeting MacOS since I don't have an IOS device).

The program agreement is lengthy. I did a quick read-over. Among other things it says you won't write files outside of your installed location, which seems pretty restrictive. I also did not like a bunch of the terms including Apple's freedom to do pretty much anything at any time, including booting you out of the program, and the ridiculously one-sided limitation of liability and disclaimer of warranty.

[smatovic]

Idk if this an alternative for you, but people use Homebrew as package manager on Apple macOS:

https://en.wikipedia.org/wiki/Homebrew_ ... e_manager)

SF and Lc0 for example have scripts wich grep the source and compile for native:

https://formulae.brew.sh/formula/stockfish
https://formulae.brew.sh/formula/lc0

with

Code: Select all

brew install stockfish --HEAD

in shell/terminal you install latest SF for example.

--
Srdja

[phhnguyen]

I have worked with notarizing issues for BanksiaGUI and some engines for a while, thus I write here a few things:

- I have signed all agreements with the Apple developer program without reading anything. Thus I can't talk about them
- You are right, to avoid Apple's Gatekeeper, especially on Apple Silicon, you need to codesign and notarize your app. Otherwise, just tell your users to make an exception, e.g., by running:

Code: Select all

xattr -cr /path/to/yourappname

I suppose you want to notarize your chess engine, a terminal app. There are some notes:
- A terminal app can run on both normal Mac and Apple Silicon by just popping up the menu and selecting "Open With" as usual. Users don't need complicated actions to avoid GateKeeper or install it. IMO, it is the easiest way to run your chess engine. You and users don't need to deal with some extra headaches from Apple
- A terminal app is not a folder-app (not a typical app), just it itself can't contain extra info for verifying notarization. Thus you must provide it in an installer such as a PKG file. When running that file your engine will be installed in a system folder (typically it is /usr/local/bin/). So far I don't know how to let users select another folder instead. That is what I don't like: users still need to click multi times, and confirm some questions (longer than the above case) then the engine is stored in an almost "hidden" (from user view) folder that may be hard for average users to locate it. Even though it can run just by typing the engine name but if users don't know the folder they can't install it into a chess GUI. They may have to run some command lines and/or copy the engine to a new folder. All are not easy

The process of codesigning and notarising is quick with few command lines. However, there are some works and tricks that may take time and you must do them correctly, say, your app should not contain upper characters, set up, download some certifications...

Another way is that to ask someone who has joined the Apple developer program and done some similar work to do that for your chess engine. You can save that fee, time, and some headaches. I could do that job for your engine as a volunteer: whenever you officially release your chess engine, I could compile, create a new installer with notarising and send it to you!

To examine, you may try what I have done with Stockfish binaries (Stockfish collections for macOS and Apple Silicon) on the below page. For each kind of computer, I have created two files. One is a non-notarized zip. Users can unzip and copy binaries to anywhere they want, then right-click for the menu and select Open With to allow it run. The other is a notarized installer (PKG). Users still need multi-click and wait for a bit for verifying and then solve themselve with the "hidden" folder as I have mentioned.

https://banksiagui.com/otherdownloads/

[smatovic]

I am not a lawyer, but afaik there are issues with Apple Developer Program and GPL, probable the reason why SF and Lc0 do not offer binaries:

https://developer.apple.com/support/dow ... nglish.pdf

3.3.22 If Your Application includes any FOSS, You agree to comply with all applicable FOSS
licensing terms. You also agree not to use any FOSS in the development of Your Application in
such a way that would cause the non-FOSS portions of the Apple Software to be subject to any
FOSS licensing terms or obligations.
[..]
You further represent and warrant to Apple that the licensing terms governing Your Application,
Your Safari Extension, Your Site’s registration bundle, and/or Your Pass, or governing any third
party code or FOSS included in Your Covered Products, will be consistent with and not conflict
with the digital signing or content protection aspects of the Program or any of the terms,
conditions or requirements of the Program or this Agreement. In particular, such licensing terms
will not purport to require Apple (or its agents) to disclose or make available any of the keys,
authorization codes, methods, procedures, data or other information related to the Security
Solution, digital signing or digital rights management mechanisms or security utilized as part of
any Apple software, including the App Store. If You discover any such inconsistency or conflict,
You agree to immediately notify Apple of it and will cooperate with Apple to resolve such matter.
You acknowledge and agree that Apple may immediately cease distribution of any affected
Licensed Applications or Passes, and may refuse to accept any subsequent Application or Pass
submissions from You until such matter is resolved to Apple’s reasonable satisfaction.
[..]
9. Confidentiality
9.1 Information Deemed Apple Confidential
You agree that all pre-release versions of the Apple Software and Apple Services (including pre-
release Documentation), pre-release versions of Apple hardware, the FPS Deployment Package,
and any terms and conditions contained herein that disclose pre-release features will be deemed
“Apple Confidential Information”; provided however that upon the commercial release of the Apple
Software the terms and conditions that disclose pre-release features of the Apple Software or
services will no longer be confidential. Notwithstanding the foregoing, Apple Confidential
Information will not include: (i) information that is generally and legitimately available to the public
through no fault or breach of Yours, (ii) information that is generally made available to the public
by Apple, (iii) information that is independently developed by You without the use of any Apple
Confidential Information, (iv) information that was rightfully obtained from a third party who had
the right to transfer or disclose it to You without limitation, or (v) any FOSS included in the Apple
Software and accompanied by licensing terms that do not impose confidentiality obligations on
the use or disclosure of such FOSS. Further, Apple agrees that You will not be bound by the
foregoing confidentiality terms with regard to technical information about pre-release Apple
Software and services disclosed by Apple at WWDC (Apple’s Worldwide Developers
Conference), except that You may not post screenshots of, write public reviews of, or redistribute
any pre-release Apple Software, Apple Services or hardware.
[...]

As far as I got it:

- You are the only Copyright holder -> OK
- MIT or equivalent license - > OK
- GPL (with multiple Copyright holders) - > NOK

--
Srdja

[phhnguyen]

I am not a lawyer, but afaik there are issues with Apple Developer Program and GPL, probable the reason why SF and Lc0 do not offer binaries:

A few years ago I mentioned that to VandeVondele (the main maintainer of Stockfish) and he replied that they had some difficulties setting up an Apple server to auto-compile and distribute Stockfish binaries for macOS. There are also some Stockfish binaries for macOS already, even in AppStore. Look like the license conflict is not the reason.

[wickedpotus]

I have looked at getting into the Apple Developer program, because by default Apple's Gatekeeper technology doesn't let end users install unapproved apps. Anyone have experience with this? (I am looking mostly at targeting MacOS since I don't have an IOS device).

I would advice giving Apple the finger and NOT joining Anything from them as long as they persist with their DRM, gatekeeping, and hardline un-openness and lock-ins. We as developers should fight this evil rather than endorse it with our hard earned money and time.

my 2 cent

[jdart]

Thanks for all the information, very helpful.

I am not all that fond of Gatekeeper either, but the other side of it is that there is a lot of malware out there, including malware that tries to disguise itself as a legitimate download. So that is one reason Apple and Google have an approval process for apps (even though it is not completely effective at preventing unauthorized ones from installation).

My program is MIT-licensed, so GPL-related issues would not apply. However it is not completely clear to me from the agreement that GPL would be excluded.

The file location thing is not a big issue, but I usually have Arasan installed into a writeable directory. Among other reasons it can write log files and store games, to the install directory by default, although these options are off by default and the file locations can be changed.

[smatovic]

[...]
However it is not completely clear to me from the agreement that GPL would be excluded.
[...]

Question, if you compile and sign your GPL source code with Apple magic stuff, is the compiled binary still under GPL, according to above mentioned terms, including the Apple magic in binary?

--
Srdja

[smatovic]

[...]
However it is not completely clear to me from the agreement that GPL would be excluded.
[...]

Question, if you compile and sign your GPL source code with Apple magic stuff, is the compiled binary still under GPL, according to above mentioned terms, including the Apple magic in binary?

--
Srdja

Hmm, maybe I was wrong and signing a GPL v3 binary is just fine...

https://www.kencochrane.com/2020/08/01/ ... b-actions/
https://law.stackexchange.com/questions ... -in-source

--
Srdja

[Ras]

Among other reasons it can write log files and store games, to the install directory by default

That has been bad practice even under Windows for at least a decade. There are appropriate directories in the user's AppData directory, retrievable through SHGetKnownFolderPath() with (probably) FOLDERID_LocalAppData.