Gatekeeper Warnings for DMG File on Mac

[cupppcakes]

Checklist

• I'm reporting a problem with Chatterino
• I've verified that I'm running the most recent nightly build or stable release
• I've looked for my problem on the wiki
• I've searched the issues and pull requests for similar looking reports

Describe your issue

I'm raising this issue in regards to the Chatterino DMG image on macOS (I know there are older discussions and information about the Gatekeeper warnings and signing the .app file, but I believe this is the first regarding the .dmg that houses it).

As of Chatterino 2.4.3, it looks like macOS builds are now code signed, however with a self-signed certificate rather than an Apple-issued one. Furthermore, the enclosing DMG image is also being signed with this certificate. This is causing macOS to trigger a Gatekeeper warning when trying to open the .dmg in the first place, and then a second when trying to launch the Chatterino app itself.

Both can be bypassed by right-clicking the files and choosing Open from the context-menu, however this is actually a step back compared to before 2.4.3, when only the app (and not the DMG) would trigger a warning.

According to the codesign CLI utility, it's signed by:

Authority=chatterino-self-signed-4
Authority=pajlada’s CA 3

I'm assuming the use of self-signed certs are intentional here. (If you did happen to have actual Developer ID certs then they're not being applied to the published builds.)

Screenshots

First Warning for Opening Chatterino.dmg (these were not shown prior to 2.4.3):

Second Warning For Opening chatterino.app after allowing DMG:

OS and Chatterino Version

Chatterino 2.4.4 (commit 29a1462) built with Qt 6.5.0 Running on macOS Ventura (13.3), kernel: 22.4.0

[cupppcakes]

Two ideas are:

1. Is is possible to leave the outer DMG image unsigned, so at least that still opens without triggering a warning? This seems like the quickest fix to get the level of friction presented to the user back to pre-2.4.3 levels.
2. Is it possible to obtain an Apple-issued signing certificate so Gatekeeper issues will no longer be a thing at all? This would be the ideal situation and would put Chatterino on the same footing as most other applications. I realize this costs money to apply for though (but I'm happy to help chip in some extra donations if it would make this possible).

[pajlada]

You're right, I'm using a self-signed certificate in the packaging process.

1. I can try not signing the dmg file for future releases, assuming that works that should be perfectly fine

2. The plan is to get an Apple-issued signing certificate, but they don't accept my Swedish passport so I'm in a bit of a pickle right now - looking into alternatives

[SputNikPlop]

I took a look at this on my personal account and I was able to get it to not display the warnings, also have a company one which I think we could use to sign the app. This also would let us distribute the app via the app store.