Microsoft Smartphone Code Signing and the GPL?

spacemonkey asks: "I am a professional developer, but in my spare time I have been developing games for the Microsoft Smartphone platform. Included in this work is a port of gnuboy a GPL gameboy colour emulator. Where does the GPL stand on the question of codesigning applications where required? Basically gnuboy is available, with full source for smartphone, however there are a large number of users out there who are unable/unwilling to remove the certification requirements from their smartphone devices, so to allow for these users, I need to sign the code. To enter into the code signing program will cost me approximately £500. I am interested in signing the application to make it available to a wider audience, however since I am not running a charity I was wondering whether charging some nominal fee for the code signed version was compatible with the GPL or not. So users would have an option on a signed version for less than £5, or an unsigned version free, which will include the full source code. Am I allowed to charge for GPL software in this way, where the charge is to cover the packaging of the application into a signed form?"

GPL says you can charge whatever you want

[ArmorFiend]

You can charge money for GPL software. You just have to make the source easily available. I think that would be covered by a URL in the about-box.

In fact, the signing works nicely in your favor, since nobody can undercut you on price. Or they can, but they too have to pay the L500, in which case they'd have to either 1) charge as much as you or 2) hate you enough to take an intentional loss. Both are a lot of hassel. Seems to me like you just win.

Re:GPL says you can charge whatever you want

[Tom7]

> In fact, the signing works nicely in your favor, since nobody can undercut you on price. Or they can, but they too have to
> pay the L500, ... or purchase a copy from him and then resell it!

Re:GPL says you can charge whatever you want

[ArmorFiend]

In fact, the signing works nicely in your favor, since nobody can undercut you on price. Or they can, but they too have to pay the L500, ... or purchase a copy from him and then resell it!

DOH!
LoL

Re:GPL says you can charge whatever you want

[SagSaw]

In fact, the signing works nicely in your favor, since nobody can undercut you on price. Or they can, but they too have to pay the L500, in which case they'd have to either 1) charge as much as you or 2) hate you enough to take an intentional loss. Both are a lot of hassel. Seems to me like you just win.

Not quite, unless I compleatly mis-understand the way this instance of code-signing works. Lets say that Bob has a piece of GPL'ed software avaiaible on his website. Bob makes three files availaible for download: a source tarball, a binary distribution, and a signed binary distribution. In order to cover the cost of code-signing, Bob requires a payment of $25 to download the signed version. Joe pays Bob $25 to download the signed binary. Now, as he is allowed to redistrute Bob's work under the GPL, Joe posts Bob's signed binary package on his own website and allows anyone to download it for free. Bob sees no further downloads of the $25 signed version and never re-coups the $500 it cost him to sign the code in the first place.

I can see two possible solutions for Bob:
1. Bob Obtain the software from the software's copyright holders under a licence which would allow Bob to prevent redistribution of the signed binary version.
2. Bob can write his own software and release the source and normal binary under the GPL, but release the signed binary under some other licence.

Re:GPL says you can charge whatever you want

[g4dget]

or purchase a copy from him and then resell it!

As far as I can tell, the major rights/obligations of the GPL are:

• You are permitted to redistribute the software in source form.
• If you distribute the software in binary form, you must make source available to the recipient.

Maybe I'm overlooking it, but I don't see that the GPL requires people to let you redistribute their binaries. As far as I can tell, the creator of this software can prohibit you from redistributing his binaries, even if they are derived from GPL'ed source code.

Re:GPL says you can charge whatever you want

[Tom7]

Maybe I'm overlooking it, but I don't see that the GPL requires people to let you redistribute their binaries. As far as I can tell, the creator of this software can prohibit you from redistributing his binaries, even if they are derived from GPL'ed source code.

No way. Look at section 3, which begins:

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following ...

And section 6, which says:

You may not impose any further restrictions on the recipients' exercise of the rights granted herein.

Re:GPL says you can charge whatever you want

[PhilHibbs]

but release the signed binary under some other licence.

That's the key to the problem - but you have to have sole copyright to the code. If anyone else has contributed code to the project and holds joint copyright, then you have to get them to agree to the dual-licence release. On large projects this becomes increasingly difficult if it isn't done right early on.

Source Code is the small charge

It's the Source Code you are only allowed to charge the reasonable 'media charge' for. The application itself you can charge anything you want. The idea of this is to prevent you from charging $5 for the Application, and $50,000 for the source... you know, open source and all.

Re:Source Code is the small charge

[kenthorvath]

Okay, but you have the right to only distribute the source for people who pay for the app first, right?

Re:Source Code is the small charge

[Rick+the+Red]

What difference would it make? The source is useless unless they pay the L500 to get it signed.

Re:Source Code is the small charge

[alyandon]

You (as in the original author) have the obligation under the GPL to provide the source code to people you've distributed the binary to (whether for financial consideration or not).

However, the GPL doesn't prevent those same people from posting the source to an ftp/web site and distributing it freely.

Re:Source Code is the small charge

[Paul+Jakma]

As the author he is under /no/ obligation to provide source, he merely chooses to do so.

I think the answer is:

- Provide source under the GPL

- Provide certified binaries for a fee to cover the certification cost, and /not/ under GPL. Eg, some licence licence that allows use for free, and making of copies for ones /own/ use, but redistribution forbidden.

He is the copyright holder i presume, so he can do what he wants with the licences.

Re:Source Code is the small charge

[Black+Copter+Control]

It's the Source Code you are only allowed to charge the reasonable 'media charge' for.

It's not really a question whether you have to release the source code. That's a given for GPL code. The functional question is whether or not the source code includes the signing key (if you distribute a signed version). I believe that the answer to that (underlying) question is yes.

First of all we have to distinguish what we think source code is from what the GPL defines it as. In this case:

If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
. . . .

For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

From this definition, I'd be inclined to rule (if I were a lawyer or judge) that the signing key would fit within the GPL's definition of source code. The final key is both derived from the code and is part of the installation process. In other words, you would be required to include the signing key in any source code package.

Two things I'd add here:
1) This isn't charity. This is the "cost" of using other people's GPL code. The people who wrote the original code have to be able to use the results for free too.
2) You can talk to the copyright owners and possibly get an exception to the GPL for this. If they're sympathetic to your plight, they may be willing to grant such an exception.

Charging is okay, but...

[funkhauser]

I suppose as long as you make the source available, charging for the signed version wouldn't be a problem. After all, people by packaged distributions of Linux all the time, and I hear there's quite a bit of GPL'd code in there. :)

However, I would wonder if the GNU folks would really be so thrilled that about it. After all, you're writing code for a platform that supports code-signing technology, which many people fear could greatly hamper the free software movement. So why support the platform? Perhaps you should consider writing games for more open-source-friendly platforms, like the Linux PDA's for example? Just a suggestion though.

Re:Charging is okay, but...

[rpresser]

Yes, you're buying into an unfree platform. But you're doing it with free software. I think that feels more like shafting the bastards than ignoring the platform completely would.

"You think you can kill off free software by closing your standards? I'll prove you wrong. Free software can thrive even in an unfree environment. Like money, good software drives out bad."

I'd have paid your 500 pounds in full, myself, if it would have run on my wife's Nokia phone. Those games suck.

Take up a collection

[moncyb]

Besides showing MS your middle finger (which I think you should do) or charging everyone money. Why not just ask interested people to donate money until you have enough to pay the fee? You are only interested in not having to pay the fee yourself, I believe this is a fair plan.

If you want to make money of the deal, the Street Performer Protocol may work for you. This will be less risky because you don't have to front the £500 yourself. Another guy has one called The Rational Street Performer Protocol if it suits your tastes better.

Maybe not...

[anthony_dipierro]

"For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."

Would the signing script be considered a script used to control compilation?

Hey, why won't it let me post this anonymously?

Remember: ''source'' is more than just the code

[Tom7]

The GPL defines the source as "the preferred form of the work for making modifications to it." If the work includes the signature and you don't plan on distributing the private key (or can't, because the signing authority won't give it to you) then you are probably in violation. This makes sense--if the platform *only* accepted signed binaries, then users would be unable to make modifications to the program, which is an important freedom that the GPL is intended to protect. You might be okay if the signature can somehow be separated from the GPL'd work, but that's probably not likely for these phone apps.

Aside from that, if you're looking to recoup your 500 pounds for the signing fee, you might also be in for trouble since once someone buys a single copy, he can legally put up his own web site giving it out for free.

Re:Remember: ''source'' is more than just the code

[Elm+Tree]

??? Since when is the prefered form for modification the binary version? He said that he was freely distributing the source and an unsigned binary, clearly this meets the GPL... Or at least the GPL as I understand it as IANAL.

Re:Remember: ''source'' is more than just the code

[Tom7]

> ??? Since when is the prefered form for modification the binary version? He said that he was freely distributing the source
> and an unsigned binary, clearly this meets the GPL... Or at least the GPL as I understand it as IANAL.

I think you misunderstood my post. What I'm saying is that if he has a piece of software on his site, "signed gameboy emulator," that is a derivative work of the GPL gameboy emulator whose code it is based on. Therefore he has to provide the tools and source code for modifying that work. Because it's not possible to build a signed binary without the signing key, the signing key becomes part of the "source" as defined in the GPL. If the CA gives him a vendor key, he could do this, but if the CA signs the binaries themselves (probably true) then he wouldn't be able to distribute the signed binary at all.

Re:Remember: ''source'' is more than just the code

[thumperward]

You can distribute source which only compiles on Microsoft's Visual C++ compiler, even though it isn't possible to recreate the binary without using proprietary pieces of software. You can redistribute the source to Quake, even though you can't actually get Quake out of it unless you already have the proprietary map and texture files.

The point is that the eventual outcome is the same: without additional proprietary data, it will eventually be unable to recreate a given binary from the given source. However the precedents all point to this being acceptable under the conditions being presented.

- Chris

Re:Remember: ''source'' is more than just the code

[Tom7]

> You can distribute source which only compiles on Microsoft's Visual C++ compiler, even though it isn't possible to recreate
> the binary without using proprietary pieces of software.

Well, the GPL makes exceptions for tools that come with major components of the operating system (it even mentions the compiler specifically). Rememember that when the GPL was made, there were no free software platforms or compilers! They obviously thought about this situation...

> You can redistribute the source to Quake, even though you can't actually get Quake out of it unless you already have the
> proprietary map and texture files.

iD licensed the source to the Quake engine, but did not put Quake I the game under the GPL. If they did, they'd have to release the map and texture files as well, since those are required for making modifications to the game.

> However the precedents all point to this being acceptable under the conditions being presented.

What precedents? The GPL is fairly clear about what must be included as "source" for a GPL work, and I don't think that the signing key (and software) fall under the "usually included" exemption.

Re:Remember: ''source'' is more than just the code

[Elm+Tree]

I understood your post, however he is providing the materials neccesary to modify the program. Just because I'm providing a pre-compiled binary, which is not easily edited, I'm not breaking the GPL. Similarly, if I provide a signed binary, which is *VERY* not easily edited, as long as I'm providing the source, and from what I understand of the GPL, that doesn't break the GPL.

Re:Remember: ''source'' is more than just the code

[Tom7]

You have to provide the source for *the work* offered, which in this case is the signed binary. The source is the preferred form for making modifications to the work. If you can't even reproduce the work without the key, then I can't see how that could possibly be considered the preferred form!

Re:Remember: ''source'' is more than just the code

[Elm+Tree]

But you can reproduce the work! I can't make a signed RPM of a work even if I have the source RPM can I? But that release is still covered by the GPL isn't it? You can still make modifications to the program, and still run the program once it's modified, you just can't run it in an environment that requires it to be signed.

Re:Remember: ''source'' is more than just the code

[Tom7]

No, because the work is the program with the signature of the CA that allows it to be run in the signed environment. You can't just conveniently forget a certain part of the work--the GPL requires that you give the source for *all* of it. That doesn't just mean the program code, but anything else that it needs to run. If somehow you can argue that the signature is a separate work (not likely for these phone devices) that's not a derivative of the original GPL work, then you'd be in the clear.

Re:Remember: ''source'' is more than just the code

If I may quote the GPL:
"Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted"

So he's allowing copying, distribution, and modification, but not running. Looks good to me.

Re:Remember: ''source'' is more than just the code

[Tom7]

An AC writes,

If I may quote the GPL:
"Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted"

So he's allowing copying, distribution, and modification, but not running. Looks good to me.

It's true that the GPL does not restrict how you can run a program.

Nonetheless, you must provide the source (the preferred form for modifying the work) along with the work (the signed binary).
The source must include the signing key, because without that the (not inconsiderable) functional aspect of the work (its ability to run) is destroyed during the process of modification. Such a form could hardly be considered the "preferred" form for modifying it! If he was distributing a work that didn't run in the first place, then your argument would hold some water...

interesting...

[Dr.+Awktagon]

My "gut feeling" is that the signed version cannot be distributed under the terms of the GPL unless the recipient can generate it herself from the source code, including a signature.

Then again, if the unsigned version is functionally equivalent to the signed version, then someone savvy enough to compile it would also probably not need the signed version to begin with, they would turn off the signature checking (or whatever... I'm not familiar with the platform).

Probably the easiest thing to do is to contact the copyright holder(s), since it's their work, they will let you know if distributing code-signed versions is okay with them, regardless of the GPL. Basically they could give you a separate license, or include an exception in their license that allows code-signed versions if an identical non-signed version is available.

As for charging money, you can charge whatever you like. You could offer three versions: the signed one for $X, the unsigned for $Y, and the unsigned for $0. The last two would be identical and 100% GPL. The first one could just be a simple "no warranty, don't copy" non-free license to save yourself headaches.. if you get permission to do this from the gnuboy folks of course.

The "hard-line Free Software" approach would be to not distribute any kind of signed version at all, since it would interfere with people's rights to modify and re-distribute.

Re:interesting...

[m0rph3us0]

if this is true then why doesn't every copy of a an application written in C come with a platform specific compiler and the source to the compiler.

Ransom License

[gehrehmee]

Sounds like a perfect job for the Ransom license: http://www.theoretic.com/Ransom

not going to work...

[Eneff]

Because you'd have to give the key out as well. (It's part of the source code, after all... You need it to compile the binary you give out.) Not only this, but anyone who receives it could go in turn redistribute his copy.

Why not try to get the authors to license it to you by a modified GPL? All you would have to add is an exception for redistributing the private key.

The better option sounds like getting others to front the 500 and get the authors to license it to you under a modified gpl for this case that allows binary redistribution with the sources for the unlocked code, and free binary redistribution under the same circumstances.

You own it, you can license it however you want

[Cyberblah]

It doesn't matter if you can release it under the GPL signed. Release it under two sets of licensing terms, like MySQL. The licences:

unsigned version license: free, straight GPL; anyone can get the source and use it for anything they want, free as in speech and beer.

signed version licence: 5 pound charge, binary only, no redistribution allowed.

This might really fit the "spirit" of the GPL better than releasing a signed binary with GPLed source (but no key) where the user can't reproduce the exact executable from the source.

Re:You own it, you can license it however you want

[clifyt]

"signed version licence: 5 pound charge, binary only, no redistribution allowed."

"This might really fit the "spirit" of the GPL better than releasing a signed binary with GPLed source (but no key) where the user can't reproduce the exact executable from the source."

Hmmm...Why do that? Considering its open source software, let people do what they want with it. If folks are willing to turn off the security on their phone, let them use the unsigned. Let the pay for the signed ones...how can ya do this and STILL be in the spirit of GPL?

Sign the sucker and give the key to anyone that wants to compile it. Give the EXACT options need to compile it so that the binaries are identical and that the key still lines up...

BUT if I'm not wrong, isn't there a way to read the phone number or some other unique identifier for these phones? Put in a licensing code in there that forces folks to register the software if they want to use it utilizing that unique ID.

With this in place, if someone wants to compile the software, cool as hell. They can get it running and use your key to activate it in the phone. They STILL have to get to you to open up the software (put in a public key in the software and key it against the UID -- of course YOU are the only one with the private key)...if someone wants to remove this, they are welcome to do so, BUT they'd either have to run the unsigned version OR pay the $500 for the signing fee. There would be NO other way to compile this and have the signing authorize the file if they modify the code.

It fits the GPL and while it might not agree with the spirit of some of the folks in the OS world, it fits nicely with those of that believe things like the BSD is far freer and less religious than GPL. The signing actually makes it a little closer to a happy medium than either extremes of BSD (COMPLETELY altruistic) and GPL (Pray to RMS as he is your high priest).

Heh! I'm surprised I didn't see anyone else suggest this -- just don't be greedy, and if you want to me nice, you'll give away the software for the key gen as soon as you get the $500 you needed...

clif

EXCEPT

[Cyberblah]

It's a port, he doesn't own it.

Bleah, I'm an idiot too.

Why are you asking Slashdot?

[Rick+the+Red]

Ask the Free Software Foundation, or ask a lawyer.

Re:Why are you asking Slashdot?

[ClosedSource]

He can certainly ask the FSF their opinion out of a desire to be a "good citizen", but remember, the only legally relevent interpreters of the GPL are the courts. With no GPL trial record available, a lawyer is unlikley to provide much insight either.

But...

[ianezz]

From the GPL:

...For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable...

Just wondering if the signing tool could fall in the highlighted category.

Re:But...

[m0rph3us0]

You know when you download the kernel and you see those files that have the md5sum's and they are signed.... ever notice when you unpack the kernel you don't get Linus's private key, and you don't get GPG, nor md5.

The kernel source is signed, the signature just isn't in the same file as the source, and it isn't required by tar.

Re:But...

[ianezz]

You know when you download the kernel and you see those files that have the md5sum's and they are signed.... ever notice when you unpack the kernel you don't get Linus's private key, and you don't get GPG, nor md5.

Signed and md5summed tarballs are fine, they don't keep me from getting the kernel sources, modify them, recompile and install.

OTOH, apparently I need some non-free tools and secret data (which I'm assuming that are not part of the normal distribution) in order to install a modified version of this gnuboy port.

Now, it can be argued that I don't really need them, it's just that without them the installation becomes higly inconvenient. But if it is so, why require the installation scripts at all in the source?

Re:But...

That's not true, you just have to "trust" the recompiled version, or get it signed yourself.

Joe is not able to release Bob's software...

[leonbrooks]

...at least not legally. Go read the EULA on the keys. Distributing the binary under the GPL requires shipping source, fine, but "mere aggregation" of the key does not force it under the GPL or grant Joe the right to redistribute the key.

This gets interesting for the GPL, since the key is not required to run the software on Microsoft-based phones (dial the emergency number, get a blue screen? ...or get a request for your serial number, can you remember all 20 digits?), there is no GPL requirement that Bob distribute the key. If the key was necessary, Bob could not distribute his signed app under the GPL (he would have to sual-licence it), since the key would otherwise form part of the source.

The bottom line is that Joe has to sign his own copy of app.

Sadly, this world contains enough dickheads that sooner or later, a Joe will appear on the scene. However, if we shut down the universe for fear of dickheads misusing their rights, the dickheads win (a pyrric victory, it's true, but probably a win in their eyes anyway).

why charge?

[shaitand]

Instead put up a site, manage to get slashdotted twice. Put up your non-signed version of the program and a donation link with your paypal email, allow donations of any amount and suggest $20. You keep a log of what accounts donated what (this is your payment history in paypal, not work). If the donations add up to $500 (or close enough your happy) then not only is your problem solved but you also know there is enough interest for the port. Keep the donation link of course, nobody expects you to turn it down if someone wants to say thankyou. If it doesn't add up to enough simply refund the money minus paypal fees.

Why?

[mike_sucks]

Look, I know this -2 (Offtopic, Troll) but why in god's name are you developing applications for Windows phones? You should be building apps for J2ME. *All* of the major phone manufacturers (Nokia, Sony-Ericsson, Motorola, Siemens, etc) are already supporting J2ME - I can't count the number of models of phones that support J2ME on both hands, but I can count the number of Windows phones with no hands.

Switching to J2ME also solves your code-signing issue; you don't have to sign your programs at all.

/mike

Re:Why?

[toast0]

wow... so theres at least 1024 phones that'll do j2me?

(i'm not terribly surprised, but that does sound like a lot)

I'm assuming binary use of your hands... i suppose you could easily do ternary since it'd be pretty easy to determine between unbent, fully bent, and halfway bent on figures... which would make the number of phones you'ld need to have to be more than you can count 59,050

Re:Why?

[mike_sucks]

wow... so theres at least 1024 phones that'll do j2me?

Oh, at least. In fact, I wouldn't be suprised if there were several gazillion.

/mike

Re:Why?

[WhiteDragon]

interestingly enough, there are several million phones . Perhaps you meant to say:

wow... so theres at least 1024 phone models that'll do j2me?

:-)

Re:Why?

[toast0]

arg... i hate it when i miss something stupid like that when i'm being a twit

Code signing

[Mr_Silver]

It's worth pointing out here, before the baying masses start shouting, that code signing on the smartphone device is at the discretion of the network operator and not Microsoft.

In the UK, Orange decided to go with code signing because of the concerns about virus' and the fact they could get some money from each application produced for it.

Microsoft merely provides the ability to enforce it, if the operator so desires.