I haven't received the emails, but I am aware of notarization. I have been signing calibre for several years now, so at least to start with, it should be fine. I am actually in the process of updating calibre's build pipeline, so on macOS it now builds on Mojave, which I think is a pre-requisite for getting notarization to work.
I too do not like giving Apple any kind of "approval" over calibre. They suffer from extreme naivety if they think that they can successfully detect malware in an automated fashion. Probably just a trojan horse for extending more control over third party software.
That said, in the long term I don't really see an alternative; if you want to continue using their platform, you will have to play by their rules. macOS users are ~15% of calibre users, so I don't feel comfortable just abandoning them. At least to start with I plan to continue without notarizing and see how the situation evolves, let other people figure out how to notarize in an automated fashion. Automated signing via ssh is already unnecessarily difficult, so I doubt notarization will be straightforward. This is code needed to get automated signing via ssh to work, absurdly complex:
https://github.com/kovidgoyal/calibr...os/sign.py#L29
I am definitely not using their "secure runtime". It is completely unsuited to an application of calibre's power and complexity.