Factorio Forums

[Note: also confirmed with the 0.16.36 demo for macOS.]

For some reason the demos are not signed with an Apple Developer ID, and thus throw a security error when I go to open them. See attached file for a screen shot of the error, and see this Apple site for more details on Developer ID: https://developer.apple.com/developer-id/

I am eager to try Factorio but as a general rule I do not install software from "unidentified developers" for security reasons, so I hope this can be remedied for the next (or at least a future) demo. This is easily remedied and in fact the signing process can be automated in your build process to make it very easy if not completely seamless to perform automatically for future releases of Factorio.

Please let me know if there are any questions or if I can help in any way.

I've been meaning to fix this for a long time, even the full game is not signed. I will add this for 0.17.

HanziQ wrote:I've been meaning to fix this for a long time, even the full game is not signed. I will add this for 0.17.

I've assigned 55063 to you. I'd like to start signing Windows binnaries too, because Windows' Smart Screen also blocks Factorio from launching.

You dont add any security by only running apps from identified developers... just btw.

More important is "what" from "where".

HanziQ wrote:I've been meaning to fix this for a long time, even the full game is not signed. I will add this for 0.17.

Thank you! I look forward to trying 0.17 with this inclusion when it ships. Do you still expect it to ship before year-end?

nuhll wrote:You dont add any security by only running apps from identified developers... just btw.

More important is "what" from "where".

Btw, that's not accurate IMHO. Digitally signing apps is one layer in a security model. It doesn't address all threats, but it does address some. I'm not familiar with Microsoft's implementation, but I'm guessing it tackles similar threats as Apple's. For example, an inexhaustive list includes:

[*]The code being modified by a malicious actor after the developer posts it. This is a not uncommon attack, e.g. by hacking the website to redirect the user to an infected version. Popular games have previously been used as a vector for this type of attack.

[*]A malicious developer purposefully adding malware to their software. This has happened many times with mobile apps and browser extensions which reach a certain level of popularity, sell to a (malicious) third party, who then loads malware. With Identified Developer, this can happen just once before the developer is banned from the platform.

[*]Third party "fan" sites can be created by malicious actors which purport to link to the software, but instead link to malware.

[*]If users are used to needing to bypass these safety checks for legitimate software, it opens them up to installing completely unrelated malicious software. On the other hand, if users are conditioned to never install software from unidentified developers, they would be suspicious and less likely to install malware when they realize it's not digitally signed.

[*]Importantly, existing malicious versions of the software (however they came about) can have their certificate revoked to protect unsuspecting future users who might accidentally download from an unofficial site.

And so on.