Apple Developer subscription renewal #2126
Comments
@rvagg did we have the @brianwarner FYI as a heads up. |
@mhdawson I think just the Developer Program but I don't recall the Enterprise one existing, or at least I never considered it. I haven't done much research on this but we want (a) certs for codesigning and package signing (b) the ability to do notarisation and a bonus would be (c) team access to the account so we can have multiple using it instead of a single account we have to sign in through and do awkward apple 2fa from (looking yesterday the 2fa thing seems like a problem for a multi-person account). It'd be a new membership at this point I suppose since it's lapsed so far. We could take the opportunity to fix it up to point to the new Foundation name, but it'll need a DUNS search and whatever else they need to do to verify (I remember it being a hassle in 2015). I think build@iojs.org may be still all set up for the Node.js Foundation. I also don't know what the implications, if any, are for signing packages with a new certificate suddenly - does it make a difference to people installing 10.x for example, to suddenly have a release with a new certificate and new name? No idea, but perhaps it matters less for .pkg since these are almost always done interactively by individuals. If nobody else (@nodejs/build) knows more about this then I'll try and find some more time soon to do some more research on this. |
Enterprise seems to be for distributing private apps to your employees. Apparently if you sign up as an organisation you can add team members to the same account using their apple id - https://developer.apple.com/support/roles I'm also led to believe having a paid account gives us access to macOS installers which would help with the nearform setup #1695 but I can't find any concrete proof of this - just a lot of people saying "you need a paid account to get them from apple" |
yeah, so to do that, you need: https://developer.apple.com/programs/enroll/ we went through all of that with build@iojs.org with the NF, but because the enrolment has lapsed I can't access any meaningful preferences or settings for that account anymore so I can't be sure. When I go to re-enroll I get: it doesn't say anything about DUNS or legal entity but it suggests that it's re-using all the existing information so I'm going to assume that most of the hard stuff is already done (unless we want to change to the new Foundation name). The catch now is the 2fa, which isn't any old 2fa, it's super-special-magical-wonderful-not-compatible-with-anyone-else Apple 2fa which sends a 2fa code to one of your logged in devices or a mobile number, or remembers "trusted devices", which is annoying because it really makes it difficult to share a single account. Because Apple assumes this 1:1 relationship between individuals and accounts, build@iojs.org has been set up with my details. I've gone in to set up 2fa and this magical-wonderful-super-secure Apple notification comes up, I suspect because I've just had to change the security questions (because I have no record of having ever set them for this account!): So I'll wait 3 days and go back in and set up 2fa for this account and then see how much further I can get. I suspect that I may have to pay for this as build@iojs.org and bill the Foundation for a reimbursement but I don't yet know what happens when you opt to sign up as an organisation--it may let me start the process and hand off to some other Apple ID to finish the transaction or even have some procurement process pay for it. Will keep y'all posted. |
Hacky idea for the 2fa, would be to set it up, then put the recovery codes in a secrets repo |
does apple even have recovery codes for their 2fa? that's an option, because we store this stuff in secrets, but I'm not sure if this is a thing Apple can do. I'll find out in 3 days. |
Looks like it has a one-off Recovery Key for the older "two-step verification" https://support.apple.com/en-ca/HT202649 but not for 2FA |
2fa enabled, SMS to my phone number, but there's also a recovery key that I've put into secrets that can be used to reset 2fa entirely (not the same as the keys you often get from sites that use a totp-based 2fa). But anyway, there's a backup in case I disappear or am no longer trusted. The next part is developer subscription. I don't think it's going to be convenient to have someone else pay for it so I'll have to jump through reimbursement hurdles with the foundation I suppose (something I vowed to not do again after losing too much money in the process). @brianwarner what is the process for reimbursement these days? Can I just send someone a standard invoice from my company with payment details and treat it as a b2b transaction? |
If it's possible under the circumstances, it's easier if we log in, add a
card, and pay for it directly. That's what we did for the certs. Is that
possible here?
It's generally easier if we don't have to reimburse, but the process is
pretty straightforward these days. If that's the case:
1. Get a price quote
2. Submit it to operations@openjsf.org
3. Robin can review it for approval
4. When you get the go-ahead, make the purchase
5. Submit the receipt
It's no easier or harder to reimburse an individual or a company. So long
as it's approved in advance and we have documentation of the expense, it's
basically the same process.
…On Mon, Jan 13, 2020, 3:54 AM Rod Vagg ***@***.***> wrote:
2fa enabled, SMS to my phone number, but there's also a recovery key that
I've put into secrets that can be used to reset 2fa entirely (not the same
as the keys you often get from sites that use a totp-based 2fa). But anyway,
there's a backup in case I disappear or am no longer trusted.
The next part is developer subscription. I don't think it's going to be
convenient to have someone else pay for it so I'll have to jump through
reimbursement hurdles with the foundation I suppose (something I vowed to
not do again after losing too much money in the process).
@brianwarner <https://github.com/brianwarner> what is the process for
reimbursement these days? Can I just send someone a standard invoice from
my company with payment details and treat it as a b2b transaction?
|
The problem I had with the re-reimbursement when I did it a few years ago was the method of payment. Accepting the international wire transfer cost me in the order of $30-$40. On something that's $100 that's a pretty big chunk. @rvagg was that what happened in your case or something else? |
Yes, this is one of the reasons it's easier for us to pay for it directly.
…On Tue, Jan 14, 2020 at 12:09 AM Michael Dawson ***@***.***> wrote:
The problem I had with the re-reimbursement when I did it a few years ago
was the method of payment. Accepting the international wire transfer cost
me in the order of $30-$40. On something that's $100 that's a pretty big chunk.
@rvagg <https://github.com/rvagg> was that what happened in your case or
something else?
|
Yeah @mhdawson something like that but also a misunderstanding of my instructions iirc. I have a US bank account so it technically shouldn't be a problem. @brianwarner the challenge for getting you guys to log in and pay for it is all around Apple's stupid two-factor authentication. For the level of authentication we need (they have two levels and they both suck), I have to be logged in on an Apple device to the account and accept a new login and feed it a number they send to that device. We can do this from the other side of the world with some real-time coordination though, maybe we should try it. First we need to get through the hurdle of re-verifying the valid nonprofit status. Even though it initially said that we had a verification in place it's decided now to go through the process again. I've put in the original DUNS for the Node.js Foundation (it's still valid according to the DUNS database) and some details for contacting you, @brianwarner and the LF in general. I haven't heard back yet but presumably they are manually following it up. Once we get over that hurdle we should be able to pay for it and you and I should try and coordinate on logging in. |
Update: after some circular discussions with Apple, we've figured out that the original account that we (I) set this all up for the org when we took over from Joyent was rvagg@iojs.org. When I log in to that account I have an option to renew and Apple are telling me that proceeding with that will renew for the org and the Node.js Foundation team we have set up that lets us delegate access. I've set up that account with their new 2fa and it's ready to go. Brian and I have scheduled a slot tomorrow so he can log in and I can verify with 2fa and he can pay for it. The 2fa is still tied to an individual (SMS and/or push to a logged in Apple device). So 🤞 we'll have access again and can mess with certificates and notarization and whatnot. |
I've found the team section of the org in Apple's developer thing, it's got some people, including myself and Joao. @mhdawson and @sam-github do you have Apple IDs? If so, give me the email address it is associated with and I'll add you to the org so you can access all the things (I think). |
Got it renewed, thanks to @brianwarner. It's a good thing we're getting this sorted out now too: Will work on this and figure out next steps. I'll also make sure we have as much as possible in secrets for this. The team access looks pretty good though, if I give people "developer program" access then you can access the certs (tested with my personal account), so the only reason to log in to the org owner account should be renewal I think. I've ticked auto-renew (heads-up @brianwarner) so hopefully that will continue to work for a few years. |
@rvagg I have an apple ID associated with my email: vieuxtech at gmail.com EDIT: though I don't have a dev subscription, if that matters. |
you do now, through your involvement in the org! we all share it. So I've put the old certs into secrets, this time in two .cer files and deleted the original password protected .p12 files that they used to provide (but for which I couldn't figure out the password ...). Anyone with access to secrets/release should be able to install those and compile signed packages now (am testing this myself because it was what I was originally trying to do when I started this thread). I've also discovered that you can add multiple phone numbers to verify an account, so that's one way we could make this shareable, kind of like sharing a totp seed. So @sam-github & @mhdawson perhaps you'll want to email me your phone numbers and I'll put them into the list. I think when logging in you can opt for verifying via SMS even if someone's device is also logged in. It's useful for recovery anyway. |
I'll send you my Apple Id and phone number to use through email. |
My cell numbers are semi-disposable, like my cell phones, so I don't think they have much value for backup purposes. Maybe someone else in the WG has a more stable number to get the number of people with access up to 3. |
@rvagg Can this be closed now? |
@mhdawson I think this one is for you -- our Apple Developer Program membership expired some time back and I don't think it was renewed, we have certificates and have been using them since (although I can't figure out what the password for the p12 certificates file is!). I was having a look at this notarization thing but the lack of a developer program membership is a bit of a hangup I think, everything's been removed from the build@iojs.org as far as Apple is concerned. I have an email record of getting it set up back in 2015 but have nothing beyond that so maybe it's been expired for 4 years and we've been rolling on the same cert. Could you see if you can arrange with the foundation for a renewal somehow?