Bug 428062

Summary: Mac Binaries "Unnotarized Developer ID"
Product: [Applications] kdiff3
Reporter: mbidewel
Component: application
Assignee: michael <reeves.87>
Status: CONFIRMED ---
Severity: normal
CC: yurii.kolesnykov
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: macOS (DMG)
OS: macOS
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Attachments: Error Dialog

Description mbidewel 2020-10-21 13:41:22 UTC
Created attachment 132606
Error Dialog

The kdiff3 Mac binaries are unsigned, which makes KDiff3 unusable in situations where the launching of unsigned binaries is disabled.

Error:  “kdiff3” can’t be opened because Apple cannot check it for malicious software.
Comment 1 michael 2020-10-21 23:59:08 UTC
Older pre-1.8 versions of kdiff3 are indeed unsigned. They are also several years old and pre-date both Apple's default signing requirements and my own maintainership. Current releases found at https://download.kde.org/stable/kdiff3/ are indeed signed. However, if you are using the default configuration, Apple's systems may reject anything not downloaded from the App Store. This, however, should raise a different message.
Comment 2 mbidewel 2020-10-22 16:42:01 UTC
I found the precise reason for the issue, I believe. Inspecting the DMG yields "Unnotarized Developer ID":

codesign --verify --verbose ~/Downloads/kdiff3-1.8.4-macos-64.dmg
/Users/mbidewel/Downloads/kdiff3-1.8.4-macos-64.dmg: valid on disk
/Users/mbidewel/Downloads/kdiff3-1.8.4-macos-64.dmg: satisfies its Designated Requirement

spctl --assess --verbose ~/Downloads/kdiff3-1.8.4-macos-64.dmg
/Users/mbidewel/Downloads/kdiff3-1.8.4-macos-64.dmg: rejected
source=Unnotarized Developer ID

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
Comment 3 michael 2020-10-23 23:11:09 UTC
I don't know when this will change, as I don't have a developer account with Apple and therefore cannot use their notarization service. In fact, I don't even have a 64-bit OS X system. The MacOS X binaries are generated by automation at binary-factory.kde.org. Control-clicking/right-clicking kdiff3 and selecting open should bypass the notarization check and rely on the application signature alone. Unfortunately, this does not change the fact that kdiff3 isn't going through Apple's security checks. It will, however, remove this warning for kdiff3.
Comment 4 mbidewel 2020-10-26 15:19:30 UTC
Thanks, just got a chance to try the ctrl+click.  That does bypass the check.  Thanks for the work-around!
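
Added example (not part of the original report and not KDiff3 project code): a small shell helper that separates the two checks from Comment 2, signature validity (`codesign --verify`) and Gatekeeper policy (`spctl --assess`), and names the resulting state. The function names are hypothetical, the sample text is copied from Comment 2, and the `source=` strings other than "Unnotarized Developer ID" are assumed from typical spctl output rather than taken from this page.

```shell
#!/bin/sh
# classify_assessment: read `spctl --assess --verbose` output on stdin
# and print a single verdict word.
classify_assessment() {
    verdict=unknown
    src=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            source=*)      src=${line#source=} ;;   # policy reason line
            *": accepted") verdict=accepted ;;      # "<path>: accepted"
            *": rejected") verdict=rejected ;;      # "<path>: rejected"
        esac
    done
    case "$verdict/$src" in
        accepted/"Notarized Developer ID")   echo notarized ;;             # assumed string
        rejected/"Unnotarized Developer ID") echo signed-not-notarized ;;  # string from Comment 2
        rejected/"no usable signature")      echo unsigned ;;              # assumed string
        accepted/*)                          echo accepted-other ;;
        rejected/*)                          echo rejected-other ;;
        *)                                   echo unknown ;;
    esac
}

# check_artifact: macOS only. Runs the same two commands used in Comment 2.
check_artifact() {
    if ! codesign --verify --verbose "$1" >/dev/null 2>&1; then
        echo signature-invalid-or-missing
        return 1
    fi
    spctl --assess --verbose "$1" 2>&1 | classify_assessment
}

# spctl output as quoted in Comment 2 of this report.
SAMPLE_COMMENT2='/Users/mbidewel/Downloads/kdiff3-1.8.4-macos-64.dmg: rejected
source=Unnotarized Developer ID'

if [ "$#" -gt 0 ]; then
    check_artifact "$1"          # real check on a Mac
else
    printf '%s\n' "$SAMPLE_COMMENT2" | classify_assessment   # offline demo
fi
```

A release pipeline could call `check_artifact` on the built DMG and fail the job on any result other than `notarized`.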