codesigning

Codesigning has been one of the worst issues we have had since we started working on the new Opera for Mac. How Apple managed to screw this up never ceases to amaze us.

Since yesterday morning, our build servers have been getting a CSSMERR_TP_NOT_TRUSTED error while code signing the Mac builds. We didn’t notice until we tried to release the new Opera Next build in the afternoon, which was obviously bad timing. Our immediate reaction was to search for the error on Google. Unfortunately, word hadn’t spread yet, so all the results we got were from early 2009 to 2011 and were about missing intermediate certificates, which completely misled us. We spent a couple of hours inspecting certificates on all 3 of our Mac buildbot servers; none of them seemed wrong. One of my colleagues tried to re-sign a package locally with the certificates/keys installed and got the same error as well.

Fortunately our build server didn’t get the same error every time so we managed to get a build for release.

When I later searched for the same keyword but limited the results to the last 24 hours, we finally found the real answer to the problem. According to this discussion:

Apple timestamp server(s) after all that is the problem here. If I add the --timestamp=none option, codesign always succeeds.

I have exactly the same problem. Probably Apple got two timeservers, with one broken, and a 50% chance for us to reach the working one.

And it worked for us perfectly as well. The only thing I didn’t know was whether it’s safe to release a build without requesting a timestamp (or where we can find other trusted timestamp servers).

This morning I woke up and saw this summary about yesterday’s incident.

According to Allan Odgaard (the author of TextMate):

As long as the key hasn’t expired, there should be no issue with shipping an app without a date stamp, and quite sure I have shipped a few builds without the signed date stamp.

That at least gives us some confidence that if such an incident happens again, it shouldn’t be a big issue to turn the timestamp off.

Update: More explanations from Apple:

The point of cryptographic timestamps is to assist with situations where your key is compromised. You recover from key compromise by asking Apple to revoke your certificate, which will invalidate (as far as code signing and Gatekeeper are concerned) every signature ever made with it unless it has a cryptographic timestamp that proves it was made before you lost control of your key. Every signature that does not have such a timestamp will become invalid upon revocation.
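Apple's explanation above suggests a release-pipeline check: a build without a secure timestamp should be a deliberate exception rather than something that slips through unnoticed. The shell functions below are an added example, not code from the original post or from Opera's build system; the function names, retry count and sample `codesign -dvv` output are constructed for illustration, and the example assumes codesign reports a secure timestamp as a `Timestamp=` line and a local-clock signing time as `Signed Time=`.

```shell
# Added example: sign with a secure timestamp (retrying on failure), then
# verify that the artifact really carries one before it is released.

# Classify `codesign -dvv` output read from stdin:
#   secure   - "Timestamp=" line (time vouched for by the timestamp service)
#   insecure - only "Signed Time=" (local clock, e.g. --timestamp=none)
#   none     - neither line (no usable signature information)
classify_timestamp() {
    awk '/^Timestamp=/   { secure = 1 }
         /^Signed Time=/ { clock = 1 }
         END { print (secure ? "secure" : (clock ? "insecure" : "none")) }'
}

# Retry signing, since the timestamp service may fail intermittently.
# identity/target/attempts are hypothetical parameters of this example.
sign_with_retry() {
    identity=$1 target=$2 attempts=${3:-5} i=1
    while [ "$i" -le "$attempts" ]; do
        codesign --force --sign "$identity" --timestamp "$target" && return 0
        sleep $((i * 2))   # simple linear back-off between attempts
        i=$((i + 1))
    done
    return 1
}

# Release gate: non-zero exit unless the signature has a secure timestamp.
# codesign writes its -d output to stderr, hence 2>&1.
require_secure_timestamp() {
    [ "$(codesign -dvv "$1" 2>&1 | classify_timestamp)" = "secure" ]
}

# Constructed sample outputs (not captured from a real build).
SAMPLE_TIMESTAMPED='Identifier=com.example.app
Authority=Developer ID Application: Example Corp
Timestamp=Jul 18, 2013 10:02:11 AM'
SAMPLE_NO_TIMESTAMP='Identifier=com.example.app
Authority=Developer ID Application: Example Corp
Signed Time=Jul 18, 2013 10:02:11 AM'
```

In a build script, `require_secure_timestamp` runs after signing, so a package signed with `--timestamp=none` is released only as an explicit, logged decision.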

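Impressions of the Apple 27″ LED Cinema Display

Back in July, Apple announced the new 27″ LED Cinema Display alongside the new iMac and Mac Pro, and at the same time cut the price of the existing 24″ LED Cinema Display and discontinued it. The 30″ Cinema Display, which had stayed in production only because it had no replacement for so long, was also announced as ending production once the remaining stock sold out. But the new 27″ LCD could not be ordered until September, and in this remote corner of Europe it took another month from order to delivery, so I did not get to use this display until mid-October.

The technical review on anandtech is already very thorough, so I won't repeat it here; anyone interested in comparing technical specifications can read that review. Here I will only share some impressions as an ordinary user.

The display weighs 10.7 KG, close to the weight of a 27″ iMac, so it is definitely not light. But compared with previous Apple displays it looks much thinner, and in particular it takes up far less desk space than the 30″ ACD. I use a 120x70cm desk, and I feel two of these displays would fit on it without feeling too cramped.

As usual, the design of the 27″ LCD is very clean. There is no external power adapter; only a single cable needs to be connected at the back, and the stand has a round hole through which the cable can be routed to keep things tidy. However, the stand only allows tilt adjustment, with no height adjustment or rotation. The ports are also minimal: just three USB 2.0 ports. The three cables that connect to the Mac are MagSafe, Mini DisplayPort and USB. The MagSafe cable can power a Mac laptop directly, which is practically the only “special trick” of Apple's displays. USB is used both for data transfer with the machine and for audio output on models that do not support Mini DisplayPort Audio.

However, the USB output of the 27″ version has a problem: sometimes, after the machine wakes from sleep, it can no longer output audio to the display, the volume HUD is slow to appear, and some error messages show up in Console. This does not seem to be a hardware problem, but it is very common, and many users including me have run into it; see the discussions on Apple discussion and on macrumors (http://forums.macrumors.com/showthread.php?t=1027419). At present there are only two workarounds, disconnecting and reconnecting the display's power or resetting the SMC, and the effect of both is temporary rather than permanent.

Because this is a home environment, I can choose my own lighting, so the glossy screen has not caused me much trouble. If you really cannot stand a glossy screen, Dell's U2711 is of course a very good alternative. Because of the nature of my work, I do not feel that the limited color gamut affects me, and the color rendition is very close to my MacBook Pro's screen, so I do not need to adjust the display myself. With 2560×1440 pixels, full-screen 720p H.264 video starts to look a little blurry, whereas before it was hard to tell it apart from 1080p.

Apart from the problem mentioned above, the audio is actually quite good, a clear improvement over the MacBook Pro's built-in speakers. It certainly cannot compete with an expensive sound system, but when desk space is tight and you do not want extra clutter, this display's speakers are satisfying enough.

My main concern beforehand was that there are simply too few ports. Compared with the Dell U2711, which has every kind of port (DVI, HDMI, DisplayPort, VGA, Component), having only Mini DisplayPort makes it really inconvenient to connect other devices. But then I considered that the only port left on my other devices is HDMI, which a projector can handle well enough, while getting the laptop's Mini DisplayPort output onto the U2711 would need a Mini DisplayPort to Dual-link DVI or DisplayPort adapter, which is also a bit of a hassle. If you really need to convert HDMI output to Mini DisplayPort, you can also use the Kanex XD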