Bug 458351

Summary: [macOS] trustworthy code-signed download was replaced with a completely unsigned binary
Product: [Applications] kstars
Reporter: autoreleasepool
Component: general
Assignee: Rob <rlancaste>
Status: RESOLVED FIXED
Severity: major
CC: mutlaqja, yurii.kolesnykov
Priority: NOR
Version: 3.6.3
Target Milestone: ---
Platform: macOS (DMG)
OS: macOS
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description autoreleasepool 2022-08-26 18:21:37 UTC
Up until recently the KStars 3.6.0 download from here
https://www.indilib.org/jdownloads/kstars/kstars-3.6.0.dmg
was a properly code-signed and trustworthy binary that was officially signed by
Developer ID: K Desktop Environment e.V. (5433B4KXM8)
The hash of the file was
2c4c72a39b6320c68341b42f0cce3a8cf28fde188e5184da40c5af127bd2be23

Now it suddenly is an untrustworthy and completely unsigned binary with the hash
122f0a8f9eb439a322d47e1d2902183b3020049342f652e3fe3ea06561f99525

What happened? Were you hacked?
Comment 1 Jasem Mutlaq 2022-08-26 18:33:25 UTC
Not hacked, but Robert Lancaster uploaded a new DMG he built on his machine to test if the reported bugs were fixed. Once all sorted out, we'll upload the KDE Binary generated version.
Comment 2 autoreleasepool 2022-08-26 18:34:07 UTC
thanks for the explanation
Comment 3 Rob 2022-08-26 18:46:59 UTC
So I have been building KStars DMGs and releases on my machine since 2016 or so, and every release was built and released that way. It was only a very short time (~1 month or so) that we have been using the KDE binary built version, because my script broke. I only finally managed to get my craft recipes on the KDE binary server so that we could have nightly versions and releases built there in January of 2022. But I am still building official releases on my machine. I just recently fixed my script and uploaded the new version. I wouldn't say that there was a "trusted" version until now and it suddenly was replaced with a "hacked" one. We were only using that "trusted" version for a very short time as a stopgap measure until we fixed some issues. There are still several other things that I have in the DMG that are not properly duplicated in the craft KDE binary server built version, and I would not like to switch to them as the official version of releases until I can get craft to do those things properly.

Also my dmgs have not been code signed because I have not spent my own money to get a developer certificate.  Is it possible for me to build on my own machine with the KDE developer certificate or must that be done from the KDE binary server only?
Comment 4 autoreleasepool 2023-02-03 19:46:38 UTC
While the issue was fixed in 3.6.2, version 3.6.3 is again unsigned.
Comment 5 Jasem Mutlaq 2023-02-27 16:24:38 UTC
Should be resolved now.
Comment 6 autoreleasepool 2024-02-05 16:03:06 UTC
While 3.6.8 was fine, 3.6.9 is once again completely unsigned (ad-hoc signature).
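The two checks the reporter is doing in the description (comparing the SHA-256 of the DMG against a previously published digest, and inspecting the Developer ID signature), extended to flag the ad-hoc signature reported in comment 6, as an added shell example that is not part of this bug report or of the KStars project. It assumes Apple's codesign(1) is present on macOS; the expected digest and Team ID are supplied by the caller (the values from the description appear only in the usage comment), and on a host without codesign the signature check is reported as unavailable rather than silently passing.

```shell
#!/bin/sh
# Added example (not from the bug report or KStars): verify a downloaded DMG
# before opening it. Step 1 compares its SHA-256 with a digest published
# out-of-band; step 2 asks codesign(1) who signed it and rejects unsigned or
# ad-hoc signatures, optionally pinning the Apple Team ID.

# sha256_of FILE: print the hex digest using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# hash_matches FILE EXPECTED_HEX: succeed only if the digest matches (case-insensitive).
hash_matches() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# signature_report FILE: print one of
#   signed:<TeamIdentifier>  - a certificate-backed signature
#   adhoc                    - signed with no certificate (what comment 6 saw)
#   unsigned                 - no signature at all
#   unavailable              - codesign(1) not on this host (non-macOS)
#   unknown                  - output not understood; treat as failure
signature_report() {
    command -v codesign >/dev/null 2>&1 || { echo unavailable; return 0; }
    out=$(codesign -dvvv "$1" 2>&1)
    case "$out" in
        *"not signed at all"*) echo unsigned ;;
        *"Signature=adhoc"*)   echo adhoc ;;
        *"Authority="*)
            team=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
            echo "signed:${team:-unknown-team}" ;;
        *) echo unknown ;;
    esac
}

# verify_dmg FILE EXPECTED_SHA256 [EXPECTED_TEAMID]: returns 0 on pass, 1 on fail.
verify_dmg() {
    file=$1; expected_hash=$2; expected_team=${3:-}
    if ! hash_matches "$file" "$expected_hash"; then
        echo "FAIL: SHA-256 of $file does not match the published digest" >&2
        return 1
    fi
    sig=$(signature_report "$file")
    case "$sig" in
        signed:*)
            team=${sig#signed:}
            if [ -n "$expected_team" ] && [ "$team" != "$expected_team" ]; then
                echo "FAIL: signed by Team ID $team, expected $expected_team" >&2
                return 1
            fi
            echo "OK: digest matches and Developer ID signature is from Team ID $team"
            ;;
        adhoc|unsigned)
            echo "FAIL: $file is $sig; a release should carry a Developer ID signature" >&2
            return 1 ;;
        unavailable)
            echo "WARN: digest matches but codesign(1) is missing, signature not checked" >&2 ;;
        *)
            echo "FAIL: could not interpret codesign output for $file" >&2
            return 1 ;;
    esac
}

# Usage, with the digest and Team ID quoted in the description:
#   verify_dmg kstars-3.6.0.dmg \
#     2c4c72a39b6320c68341b42f0cce3a8cf28fde188e5184da40c5af127bd2be23 5433B4KXM8
if [ $# -ge 2 ]; then
    verify_dmg "$@"
fi
```

The digest only proves the file is the one someone else already examined, so it has to come from a channel other than the download page itself. The signature check is what catches a rebuilt artifact that was never published with a known hash: an ad-hoc signature has no certificate chain, so `codesign` prints `Signature=adhoc` and no `Authority=` lines, and Gatekeeper's own verdict on the image can be obtained with `spctl -a -vv -t open --context context:primary-signature kstars.dmg`.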