by KennyBlanken 853 days ago
It's also some real shady shit, requiring macOS users to use an unsigned installer package.

There's no reason it should require an installer package when it can be distributed as a self-contained app.

I'm not giving authorization to an unsigned installer file made by some anonymous Russians.

3 comments

It would be interesting if GitHub here could put a green check next to the release files certifying they were entirely built from the sources in the repository that link to a corresponding ref/tag SHA. "No external files involved in the build". Obviously this would only be possible if the release files were built by GH Actions and the environment was a special one, absolutely sealed from the open internet that GH would certify, filter and curate.

Still, this would not prevent some shady file in the repo or build hack from going unnoticed, but maybe it could become a starting point for delivering safer binary distributions from open source projects.

You’re only looking at the top 12 download links. There’s a link that says “Show all 22 assets”.

Click on that to find a link to download “Popcorn-Time-0.5.0-osx64.zip”, which contains a self-contained [.app] folder.

I don’t know what I’m doing wrong but I can’t get it to run. I get an error message reading “Popcorn-Time” is damaged and can’t be opened. You should move it to the Bin. I can’t diagnose anything sensible from the Console. What am I doing wrong?
The "unsigned" part isn't surprising, considering Apple would never approve it. But the installer package is far from ideal. It's typically only used when a program needs to install a privileged helper service, and I don't know why Popcorn Time would need that?

Edit: It appears to be just a .app file? Unless the .pkg is bundled in there...

> The "unsigned" part isn't surprising, considering Apple would never approve it.

Apple doesn't have approval rights when you distribute Mac software outside their App Store.

Signing just requires that you have a developer certificate and pass a virus scan.

Just based on the Apple developer documentation, it appears that you're correct: https://developer.apple.com/documentation/security/notarizin...

I was actually surprised not to at least see "your app must agree to abide by some basic terms of service" on the list of requirements. It seems like a mostly automatic system.

At the same time, I would also be surprised if Apple were explicitly alerted by Hollywood lawyers of the fact that an app like Popcorn Time was endorsed in any way by them, and they didn't proceed to revoke the signature.

I kind of doubt it. Right now Microsoft is paying money to distribute it to people (GitHub). Code signing is not really any stamp of approval from an "app store" type agency, it's more of a self-certification thing. It's similar to TLS on the Web; Let's Encrypt issuing a certificate says "Let's Encrypt checked that the website was able to receive traffic for the named domain on the issuance date", not "Let's Encrypt wishes that it made this website itself!"
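To see what Gatekeeper sees for a download like the ones argued over above (the unsigned installer package, and the "damaged and can't be opened" dialog, which is Gatekeeper rejecting a quarantined app whose signature does not check out), here is a small triage script; it is an added example, not code from the thread or from the Popcorn Time project. It assumes macOS with its stock xattr, codesign, pkgutil and spctl tools, and the path you pass is whatever you downloaded.

```shell
#!/bin/sh
# Added example, not from the thread: triage a downloaded macOS .app or .pkg
# the way Gatekeeper does before deciding whether to open it.
# Assumes macOS and its stock tools: xattr, codesign, pkgutil, spctl.

# Map the text printed by `spctl --assess --verbose` to a one-word verdict.
# Order matters: an accepted, notarized result also contains "accepted".
classify_spctl() {
  case "$1" in
    *"source=Notarized Developer ID"*) echo "notarized" ;;
    *": accepted"*)                    echo "accepted" ;;
    *": rejected"*)                    echo "rejected" ;;
    *)                                 echo "unknown" ;;
  esac
}

# Installer packages are assessed as "install", everything else as "execute".
assess_type() {
  case "$1" in
    *.pkg) echo "install" ;;
    *)     echo "execute" ;;
  esac
}

triage() {
  path="$1"
  # Browser downloads carry com.apple.quarantine; that attribute is what
  # triggers the Gatekeeper check and, for an unsigned app, the "damaged" dialog.
  if xattr -p com.apple.quarantine "$path" >/dev/null 2>&1; then
    echo "quarantine: present (Gatekeeper will assess on first open)"
  else
    echo "quarantine: absent"
  fi
  # Show who signed it (Authority= lines) or that nobody did.
  case "$path" in
    *.pkg) pkgutil --check-signature "$path" 2>&1 || true ;;
    *)     codesign -dv --verbose=2 "$path" 2>&1 || true ;;
  esac
  # Ask Gatekeeper's policy engine directly; it exits non-zero on rejection.
  out=$(spctl --assess --type "$(assess_type "$path")" --verbose "$path" 2>&1 || true)
  echo "gatekeeper: $(classify_spctl "$out")"
}

# Usage: sh triage.sh /path/to/Downloaded.app   (or a .pkg)
if [ $# -gt 0 ]; then
  triage "$1"
fi
```

A "rejected" verdict with "source=no usable signature" in the spctl output is the unsigned case from the thread; "notarized" means Apple's notary service scanned it and the Developer ID certificate had not been revoked when you asked.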