Code signing of .dylib files for MacOS #109

Open
bitbrain opened this issue Mar 8, 2022 · 7 comments

@bitbrain
Contributor

bitbrain commented Mar 8, 2022

On MacOS it is not possible to either open or run games that are using this extension, as the loaded .dylib files are considered insecure by the latest MacOS security policies. To work around this issue, the dylib files need to be manually approved within the security section of the operating system, however, this is not an acceptable solution when trying to bundle the game for people to play. Also, it makes it difficult for collaborators to clone your game and try it out on their MacOS, as they will face the same issue.

Possible solution

The solution to this problem is to use codesign https://stackoverflow.com/a/61176509 where the artifacts need to be signed. We should document this issue on the README and include steps for people to circumvent that by code signing their artifacts (including the FMOD dylibs)

Please note that M1 laptops might require special treatment here as the security on them has been tightened by Apple!

@piiertho
Member

piiertho commented Mar 9, 2022

Maybe we can add a code sign step in scons. But the problem exists also with libraries provided by fmod.

@bitbrain
Contributor Author

@piiertho exactly. Also, we'd need an Apple Developer license for the certificate and all that jazz, so maybe for now I will just document how to solve this for MacOS.

@piiertho
Member

piiertho commented Mar 11, 2022

I think for now it is the best option. It seems even for open source Apple requires an organisation to get a certificate.
Other thing I don't know is if we can distribute fmod libraries, and more if we can sign them.

@bitbrain
Contributor Author

I think there are ways, considering the fact that there is an official Unity and an official Unreal plugin available. The goal of this project could be to become an official plugin for Godot as well, however, I am wondering what is required to make it onto a page like this: https://www.fmod.com/resources/documentation-unity?version=2.02&page=welcome.html

Surely, Unity must have paid them in some way, unless there is some other way of getting featured on there. I created #110 to look further into this.

@IntangibleMatter

Do we know of anybody active in the Godot community who might be willing to share an Apple Developer license with us? Surely there's someone who could lend us a code signing, unless Apple specifically needs each organization to do so in which case... f*** Apple?

@bitbrain
Contributor Author

bitbrain commented Jun 6, 2022

> unless Apple specifically needs each organization to do so in which case... f*** Apple?

The difficult part I think is licensing here - there is an official plugin for Unity and it might be that FMOD themselves provide signed binaries when downloading the plugin for Unity.

As part of this we might need to look into #110 first, however, as @piiertho already discovered this seems to be more tricky than expected. My wild guess is as soon Godot for gains more attention by AAA companies they will push for this plugin to become official.

Plan B could be to include a CLI script with instructions to auto-sign FMOD binaries as part of the setup of this plugin. Devs using this plugin would then need to provide their own certificates for this.

@piiertho
Member

piiertho commented Jun 6, 2022

> > unless Apple specifically needs each organization to do so in which case... f*** Apple?
>
> The difficult part I think is licensing here - there is an official plugin for Unity and it might be that FMOD themselves provide signed binaries when downloading the plugin for Unity.
>
> As part of this we might need to look into #110 first, however, as @piiertho already discovered this seems to be more tricky than expected. My wild guess is as soon Godot for gains more attention by AAA companies they will push for this plugin to become official.
>
> Plan B could be to include a CLI script with instructions to auto-sign FMOD binaries as part of the setup of this plugin. Devs using this plugin would then need to provide their own certificates for this.

I think this is possible. IIRC, Godot does this for Mac builds.
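
The "Plan B" discussed in this thread (a CLI script that signs the bundled `.dylib` files with a certificate the developer supplies), as an added example that is not part of the issue or of the project's code. The function name `sign_dylibs` and the directory argument are assumptions; the identity is whatever `security find-identity -v -p codesigning` lists on the developer's machine.

```shell
#!/bin/sh
# Added example (not the project's script): sign every .dylib below a
# directory with a code-signing identity supplied by the developer, then
# verify each signature. Returns non-zero if any library fails.
# Hypothetical usage: ./sign_dylibs.sh "<signing identity>" <directory>

sign_dylibs() {
    identity=$1
    dir=$2
    if [ -z "$identity" ] || [ ! -d "$dir" ]; then
        echo "usage: sign_dylibs <identity> <directory>" >&2
        return 2
    fi

    # Collect the libraries first so paths containing spaces survive and
    # the loop below runs in the current shell (rc stays visible).
    list=$(mktemp) || return 1
    find "$dir" -type f -name '*.dylib' -print > "$list"

    rc=0
    while IFS= read -r lib; do
        # --force replaces a signature that is already present (for
        # example one applied by the library vendor); --verify --strict
        # checks the result before the library is shipped.
        if codesign --force --sign "$identity" "$lib" &&
           codesign --verify --strict "$lib"; then
            echo "signed:  $lib"
        else
            echo "FAILED:  $lib" >&2
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# Run as a script only when both arguments are given.
if [ "$#" -eq 2 ]; then
    sign_dylibs "$1" "$2"
fi
```

A non-zero exit status lets a build step (such as the scons step suggested above) stop before unsigned libraries are packaged.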
