Mono Framework package is from an unidentified developer

[bbreak]

Description

It seems the Mono Framework package for use with Visual Studio on macOS isn't notarized. This results in a somewhat alarming message saying the package can't be opened because it is from an unidentified developer, and may contain malware.

Reproduction Steps

1. Download the Mono Framework package for use with Visual Studio on macOS.
2. Double-click the package to open it.

Expected behavior

The Installer opens.

Actual behavior

An error dialog appears saying the package can't be opened because it is from an unidentified developer, and it may contain malware.

Regression?

Unknown.

Known Workarounds

Manually bypass Gatekeeper using the context menu in the Finder.

Configuration

Mono Framework MDK Runtime: Mono 6.12.0.185 (2020-02/a96bde9730e) (64-bit) Package version: 612000185

MacOS "Monterey" 12.5.1

Other information

What obstacles prevent notarizing this framework package?

Although this issue doesn't represent any critical obstacle to the installation of the framework, it would be nice if the OS's built-in mechanism for verifying the authenticity and integrity of the package could be used. If that's not possible, would it be possible to provide a checksum and GPG signature for the same purpose?

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[steveisok]

@akoeplinger @directhex any ideas?

[akoeplinger]

this shouldn't happen, where exactly did you get this package from?

[akoeplinger]

Ah ok, it looks like we didn't run 6.12.0.185 through the notarization release pipeline, I'm doing that right now and will find out how we missed it.

Thanks for noticing!

[akoeplinger]

Ok so after checking the Visual Studio for Mac installer should only provide you with 6.12.0.182 which is correctly notarized so just to confirm @bbreak where did you get this package from?

[simon-biber]

6.12.0.185 is a preview version. You can get 6.12.0.185 from https://www.mono-project.com/download/preview/ which links to https://download.mono-project.com/archive/6.12.0/macos-10-universal/MonoFramework-MDK-6.12.0.185.macos10.xamarin.universal.pkg

[akoeplinger]

Ok, that's expected then. We only sign/notarize builds in the stable channel or if the preview Mono build ships with a preview VSMac release.

[bbreak]

Thanks a lot for reviewing this report so quickly! Great to know I can correct it by pulling down the latest stable channel release.

[bbreak]

I honestly don't recall exactly how I ended up with a preview version. I guess it's yet another example of the maxim: Never underestimate the power of user error.

[akoeplinger]

No worries, glad we figured out what happened!