It's $100 for the signing and $500 for a Mac Mini. Any professional software developer would make that kind of money in a few days. And I would bet that an open source project as big as this gets at least that amount in donations yearly. It's completely irresponsible to not sign releases after something like this happens.
And if they did get $600 in donations in the last year... they should dedicate all of that to the Mac build? Even if they've already spent those funds on hosting and other expenses?
A user of a free product telling the developer of said free product how the developer should be spending the money that said user isn't giving them takes a special kind of entitlement.
A developer should feel a little responsible about the product if it has a large number of users... It's simply gaining a bad reputation for the developer with such news because of saving $100 a year.
If the developers are all students or something and can't pay for that, please let me know if there's a page asking for it and I'll pay or any of the other 1000 users who can.
Hold on… your premise doesn't make sense. Apple's SDK only officially runs on Mac - but that applies to the entire build process, not just codesigning. Anyone who is already producing a Mac build either has access to a Mac build host, which they can also use to sign, or is using third party tools to cross-compile from another OS.
In the latter case, there is also a third party tool capable of signing binaries:
It's worth noting that you need access to a Mac you can trust to set up your Apple developer credentials on as well as iSign, and then export your credentials and certificate from it each time you get a new certificate. It's likely you won't be able to do this in the Apple store. While you or I may have a colleague or trusted friend we could do this with, many developers will not.
It does say that in the readme, but I don't think it's actually necessary: you can get certificates and provisioning profiles through the web portal without going through Xcode. (For certificates, it has you upload a standard CSR file.) Though developers may not know that…
Admittedly, if you don't have a Mac build machine, (a) you can't test your builds, and (b) you can't use the official SDK (including, e.g., system header files) without violating the terms of service. Not that many people care about that, but if you don't mind ToS violations you may as well just install pirated macOS in a VM (which is easy enough in practice). Perhaps Apple deserves blame for not having a legal way to run a macOS VM on non-Apple hardware; certainly it makes life harder for open-source developers that want to play by the rules. Still, these obstacles have nothing to do with signing.
>A user of a free product telling the developer of said free product how the developer should be spending the money that said user isn't giving them takes a special kind of entitlement.
There is a very simple solution. Get a dev program membership. Sign and sandbox the application and make it available in the Mac App Store for $1.99. People who want a signed, sandboxed Handbrake pay the equivalent of a cup of coffee. People who want to play Russian roulette can download Handbrake for free on the web page.
Given that Handbrake is extremely popular, that small fee will probably cover the $99 per year plus a Mac Pro (or two) within no time.
>It's $100 for the signing and $500 for a Mac Mini. Any professional software developer would make that kind of money in a few days
Sorry but you are living in a bubble. There are thousands of software professionals who don't make that kind of money in India, South America and many other places.
Explain that to me slowly: if you're enjoying the work of someone from a place where the economy is vastly different and worse than where you live, that person should feel bad about your loss or inconvenience?
Handbrake is a very popular package. It's probably downloaded about a million times a year. It would be very easy for the author to pay for a code-signing certificate with either donations from users or unobtrusive, inoffensive amounts of advertising.
Best practices call for releases of executable code to be signed for the reasons outlined here.
Or you know, don't be an entitled jerk of a user who can't be bothered to support Free (as in Speech, NOT as in beer) Software.
Come on, if every developer that uses any kind of Free Software decided to donate every hour the dollar amount of one HOUR of their work for the projects that THEY need, no one would be in this mess.
>Or you know, don't be an entitled jerk of a user who can't be bothered to support Free (as in Speech, NOT as in beer) Software.
(Shrug) I've authored a large amount of software that's free as in both. I sign my releases for my users' protection, and also to avoid looking like a careless dilettante. I expect others who are serious about their craft to do the same.
If that makes me an "entitled jerk," well... meh. There's no way to respond to an accusation like that except to own it.
While it's great that you have a spare $100 a year and the money to invest in Apple hardware to digitally sign Mac builds, not every project will have those resources. Projects that don't have the resources will often publish hashes so that users will be able to check to ensure their download is legitimate before using it. Handbrake does this: https://handbrake.fr/checksums.php
For free, the author could simply GPG sign all releases for all platforms and suggest users verify them. Then, the decision to run untrusted code is the user's decision and bypasses platform monetization.
Then, if sufficient and continual contributions of money and expertise permit, official codesigning per platform could be added as another layer (defense-in-depth).
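The checksum-manifest check the two comments above describe (the project publishes hashes, the user verifies the download before running it), as an added example that is not from this thread or from the HandBrake project; the file name, file contents and manifest are constructed, and the `sha256sum`-style line format is an assumption. A matching digest proves the download matches the manifest, not who published the manifest; that is what the GPG signature mentioned above adds.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Publisher side: emit sha256sum-style lines, '<hex>  <name>'."""
    return "".join(f"{sha256_of_file(p)}  {os.path.basename(p)}\n" for p in paths)


def parse_manifest(text):
    """Verifier side: parse '<hex>  <name>' lines into {name: hex}; reject junk."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        manifest[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return manifest


def verify_download(path, manifest):
    """Return (ok, reason). Fails closed: a file not in the manifest is rejected."""
    name = os.path.basename(path)
    if name not in manifest:
        return False, "not listed in manifest"
    if not hmac.compare_digest(sha256_of_file(path), manifest[name]):
        return False, "digest mismatch"
    return True, "ok"


def run_demo():
    """Constructed scenario: a good release file, then the hosted copy swapped."""
    with tempfile.TemporaryDirectory() as d:
        dmg = os.path.join(d, "HandBrake-example.dmg")  # constructed name
        with open(dmg, "wb") as f:
            f.write(b"pretend release payload\n")
        manifest = parse_manifest(build_manifest([dmg]))  # published with the release
        good = verify_download(dmg, manifest)
        with open(dmg, "ab") as f:  # hosted file replaced; manifest unchanged
            f.write(b"extra bytes\n")
        tampered = verify_download(dmg, manifest)
        unlisted = verify_download(os.path.join(d, "other.dmg"), manifest)
    return {"good": good, "tampered": tampered, "unlisted": unlisted}
```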
Wow. Waste of bits (your comment). Please take your political agenda somewhere else. This is the 3rd time this author has been compromised. For $99 it seems a bit negligent on his part. Donations are not accepted so...
"The HandBrake and HandBrake Documentation projects are not accepting monetary donations. Please instead consider donating to the VideoLAN non-profit organization and the Blender Foundation."
It's cheaper than that. I've let my Apple developer subscription lapse but I can still sign packages until my certificate expires. You can probably also get a reasonable second-hand Mac mini for $200.
So you are looking at an up-front cost of $300 then around $25 per year.