Opened 2 years ago
Last modified 4 weeks ago
#22452 new defect
JOSM on Microsoft Store
Reported by: | taylor.smock | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | 22.10 |
Component: | Installer Windows | Version: | |
Keywords: | microsoft store | Cc: | Don-vip, stoecker, dafadllyn |
Description
It has been brought to my attention (on #josm IRC) that someone has put JOSM on the Microsoft Store.
https://apps.microsoft.com/store/detail/openstreet-map-editor/9MVMVXFPM5SV
Notes:
- Charging $4.69 for the app
- Privacy policy links to Google Docs ( https://docs.google.com/document/d/18cg8v1GFc2QA4l0v-40GNxifDfhz2QQeKAEAFUWzehE/edit?usp=sharing )
- I don't think we have an official privacy policy
Should we do something about it?
Attachments (1)
Change History (55)
comment:1 by , 2 years ago
follow-up: 4 comment:2 by , 2 years ago
I've just emailed reportapp@…:
I’d like to report https://apps.microsoft.com/store/detail/openstreet-map-editor/9MVMVXFPM5SV which is a rip-off of an open source app, https://josm.openstreetmap.de/
It doesn’t follow the licence of the open source app. The description is full of mistakes, which negatively affects our reputation. The $4.69 doesn’t go to the copyright holders. The privacy policy is fake.
Please remove this app from the store.
follow-up: 5 comment:3 by , 2 years ago
Fair enough. I figured I'd check just in case it would be something we had to respond to for trademark/copyright/other legal reasons.
Specific concerns:
- We don't know if the distributor made changes to the application (since there is a $4.69 cost, I don't think we could download the application to check and see if there was a GPL violation)
- The privacy policy could give users false impressions
> Our app does not collect or transmit any user's personally identifiable information. No personal information is used, stored, secured or disclosed by services this application works with.
JOSM communicates with josm.openstreetmap.de, openstreetmap.org, and any imagery service the user adds. While I don't think we could be legally liable for what someone else represents is our privacy policy, I don't think it is a good idea to take the chance. Especially since I don't think we have a stated privacy policy anywhere.
comment:4 by , 2 years ago
Replying to weeklyOSM:
> which is a rip-off of an open source app, https://josm.openstreetmap.de/
Which in principle is ok.
> It doesn’t follow the licence of the open source app.
Very likely true, but how do you know? To do so you'd need to buy the App and then request the source code. ;-)
> The $4.69 doesn’t go to the copyright holders.
That's ok as well. GPL allows this.
> The privacy policy is fake.
That's probably right - except the App was modified not to issue tracked information, but that would disable MOTD, Plugins and Maps features as well as any JOSM server related access which is unlikely.
follow-up: 6 comment:5 by , 2 years ago
Replying to taylor.smock:
> Specific concerns:
Jupp. See the other text I wrote. Especially the private policy violation may be a cause for Microsoft Store to take it down :-)
comment:6 by , 2 years ago
Replying to stoecker:
> Jupp. See the other text I wrote. Especially the private policy violation may be a cause for Microsoft Store to take it down :-)
I hope so -- I don't want someone to buy the app, read the privacy policy, then come after us, not the distributor. While I don't think that would happen, I don't like giving the legal system a chance to get things wrong.
follow-up: 12 comment:7 by , 2 years ago
WTF. Thank you for letting us know. I'm also reporting it to Microsoft to take it down. As far as I understand:
- there is no link to the licence nor to the source code, there is no way the GPL is respected here
- the privacy policy is false as JOSM talks home with technical info some purists consider as personal info, and we definitively report performance data
- the privacy policy references Apple (wtf?!)
- we could also consider there is a violation of the "OpenStreetMap" trademark owned by the Foundation
comment:8 by , 2 years ago
Keywords: | microsoft store added |
---|
follow-up: 10 comment:9 by , 2 years ago
I thought we had a discussion some years ago about how we could/couldn't publish JOSM on the Windows (Microsoft) store but can't find the ticket anymore. I found #21877 but I'm thinking of a much older ticket.
comment:10 by , 2 years ago
comment:11 by , 2 years ago
I think I had the long-term goal of publishing a native package on Microsoft store in mind while doing #17083 but seems I never wrote about it :D
comment:12 by , 2 years ago
Hello,
> - there is no link to the licence nor to the source code, there is no way the GPL is respected here
As said you'd need to obtain the software to know. GPL requests you to offer the source code to everybody "who got the software", not simply "to everybody".
comment:13 by , 2 years ago
This way of publishing is not allowed by the terms of the Microsoft Store.
comment:14 by , 2 years ago
Another angle, likely violating OpenStreetMap trademark. OSMF specially does not allow calling a thing "OpenStreetMap" because it damages our brand.
comment:15 by , 2 years ago
I've created PrivacyPolicy; help and review to improve/correct the document are greatly appreciated.
comment:16 by , 2 years ago
I've submitted an official version to the MS store, it's currently in validation phase, let's see how long it takes...
comment:17 by , 2 years ago
It's available! https://apps.microsoft.com/store/detail/josm/XPFCG1GV0WWGZX
EDIT: I just managed to install it with a single click on Windows 11 and got the following status report, everything looks fine:
```
Revision:18570
Build-Date:2022-10-07 11:33:30
Identification: JOSM/1.5 (18570 en) Windows 11 64-Bit
OS Build number: Windows 10 Pro 2009 (22621)
Memory Usage: 432 MB / 30688 MB (253 MB allocated, but free)
Java version: 17.0.4+8-LTS, Azul Systems, Inc., OpenJDK 64-Bit Server VM
Look and Feel: com.formdev.flatlaf.FlatDarkLaf
Screen: \Display0 2560×1440 (scaling 1.00×1.00) \Display1 1920×1080 (scaling 1.00×1.00)
Maximum Screen Size: 2560×1440
Best cursor sizes: 16×16→32×32, 32×32→32×32
System property file.encoding: Cp1252
System property sun.jnu.encoding: Cp1252
Locale info: en_FR
Numbers with default locale: 1234567890 -> 1234567890
VM arguments: [-Djpackage.app-version=1.5.18570, --add-modules=java.scripting,java.sql,javafx.controls,javafx.media,javafx.swing,javafx.web, --add-exports=java.base/sun.security.action=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED, --add-opens=java.base/java.lang=ALL-UNNAMED, --add-opens=java.base/java.nio=ALL-UNNAMED, --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED, --add-opens=java.base/jdk.internal.ref=ALL-UNNAMED, --add-opens=java.desktop/javax.imageio.spi=ALL-UNNAMED, --add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED, --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED, -Djpackage.app-path=%UserProfile%\AppData\Local\JOSM\JOSM.exe]
```
comment:18 by , 2 years ago
Component: | Core → Installer Windows |
---|---|
Milestone: | → 22.10 |
follow-up: 20 comment:19 by , 2 years ago
@Don-vip: A (hopefully) stupid question: is the app going to automatically update? Or do we need to add something to wiki:DevelopersGuide/Releasing to make certain the app store has the current tested version?
comment:20 by , 2 years ago
Replying to taylor.smock:
> @Don-vip: A (hopefully) stupid question: is the app going to automatically update?
That's the plan.
it looks like it should be doable. It will just take some scripting.(1)
(1) https://learn.microsoft.com/en-us/windows/uwp/publish/msiexe/store-submission-api
Thanks! I was looking for this.
comment:21 by , 2 years ago
No problem. An important note(1) I found while looking at the documentation for MSI/EXE installers:
> The installer binary on the package URL must not change once it has been submitted. We recommend that you create and submit versioned package URLs (such as https://contoso.com/downloads/1.1/myinstaller.msi). If you need to update the package URL, you may create a new app submission with a new package URL.
We already (kind of) have that, assuming we can just link to the GitHub release page.
comment:22 by , 2 years ago
Right now I configured the release with this URL: https://josm.openstreetmap.de/download/windows/josm-setup-18570-java17.msi
follow-up: 25 comment:23 by , 2 years ago
@Don-vip: Heads up, I just kicked off the release process for 22.10. I don't know if we have automated the Microsoft Store update process yet.
comment:25 by , 2 years ago
Replying to taylor.smock:
> @Don-vip: Heads up, I just kicked off the release process for 22.10. I don't know if we have automated the Microsoft Store update process yet.
Thanks. Not yet, working on it.
comment:26 by , 2 years ago
Almost one hour to complete "Step 1: Complete prerequisites for using the Microsoft Store submission API" :(
follow-up: 28 comment:27 by , 2 years ago
Is there anything I can do to help?
I doubt it, since most of step 1 is probably getting the Azure AD setup.
It looks like parts of step 1 might be something we have to do on a yearly/bi-yearly basis. I don't know how long the key for signing the JAR is valid (it expires on 2023-09-11, so two years?), but maybe we should renew both at the same time. I assume there is a README somewhere for stuff that has to happen on a regular basis, like Java certificate renewals.
comment:28 by , 2 years ago
Replying to taylor.smock:
> I assume there is a README somewhere for stuff that has to happen on a regular basis, like Java certificate renewals.
Rudimentary :-) Problem is that these tasks are different each time. Whatever README we have is outdated the next time we need it.
follow-up: 31 comment:29 by , 2 years ago
@Don-vip:
If there is a new certificate which needs to be renewed, then make the public part available in JOSM download folder, so that
- it's official and can be checked and
- I can add it to my certificate checks.
P.S. Is the Apple package signed with its own cert? I only check the server and the Java cert ATM...
comment:30 by , 2 years ago
It just takes time to set up, but once it's here we'll only have to renew the Azure AD secret which will expire every 24 months. I'm coding the "Step 2: Obtain an Azure AD access token" part right now. @Dirk I'll probably ask you to review my changes once I'm done :)
EDIT: step 2 OK
comment:31 by , 2 years ago
Replying to stoecker:
> If there is a new certificate which needs to be renewed, then make the public part available in JOSM download folder, so that
> - it's official and can be checked and
> - I can add it to my certificate checks.
Right now I didn't have to set up anything certificate-related. I'm only dealing with credentials.
follow-ups: 33 34 comment:32 by , 2 years ago
Done!
@Dirk can you please review my Perl code and commit the cron file if you agree with the changes?
Here is the new stuff:
```perl
sub getazuretoken {
  # https://learn.microsoft.com/en-us/windows/uwp/publish/msiexe/store-submission-api#step-2-obtain-an-azure-ad-access-token
  my $tenantid = "xxx";
  my $appid = "xxx";
  my $clientid = "xxx";
  my $secret = "xxx"; # Expires 01/11/2024 then every 2 years! Impossible to create one that does not expire
  my $curlbase = "curl --silent --max-time 30";
  my $url = "https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token";
  my $data = "grant_type=client_credentials"
           . "&client_id=$appid"
           . "&client_secret=$secret"
           . "&scope=https://api.store.microsoft.com/.default";
  my $cmd = "$curlbase -X POST -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' -d '$data' $url";
  my $res = `$cmd`;
  # print $res;
  # my $d = decode_json(encode("UTF-8",$res));
  my $d = decode_json($res);
  return $d->{access_token};
}

# ...

if(-f $pwinmsi) {
  ln $winmsi,$pwinmsiln;
  # Update application on Windows Store using API
  my $sellerid = xxx; # https://partner.microsoft.com/en-us/dashboard/account/v3/organization/legalinfo
  my $productid = "xxx"; # https://partner.microsoft.com/fr-fr/dashboard/win32apps/xxx/overview
  my $packageid = xxx; # Obtained through API only, not UI : https://api.store.microsoft.com/submission/v1/product/xxx/packages
  my $azuretoken = getazuretoken();
  # https://learn.microsoft.com/en-us/windows/uwp/publish/msiexe/store-submission-api#step-3-use-the-microsoft-store-submission-api
  my $baseapiurl = "https://api.store.microsoft.com/submission/v1/product/$productid";
  my $curlbase = "curl --silent --max-time 30"
               . " --header 'Authorization: Bearer $azuretoken'"
               . " --header 'X-Seller-Account-Id: $sellerid'";
  # https://learn.microsoft.com/en-us/windows/apps/publish/store-submission-api#update-current-draft-packages-api
  $cmd = "$curlbase -X PATCH -d '{\"packageUrl\": \"https://josm.openstreetmap.de/download/windows/josm-setup-$rev-java$winjava.msi\"}' $baseapiurl/packages/$packageid";
  system($cmd);
  # https://learn.microsoft.com/en-us/windows/apps/publish/store-submission-api#commit-packages-api
  $cmd = "$curlbase -X POST -d '' $baseapiurl/packages/commit";
  system($cmd);
}
```
@Taylor: ping me if you release a hotfix, I have performed the update by running curl command manually so I'm not 100% sure yet the code above works.
Also note that submissions to Microsoft Store are not live immediately, it takes a few hours to be actually published on the store. Last time it took less than 24 hours but I don't know exactly how long.
comment:33 by , 2 years ago
Replying to Don-vip:
> @Taylor: ping me if you release a hotfix, I have performed the update by running curl command manually so I'm not 100% sure yet the code above works.
Will do. I'm not planning on releasing a hotfix, but then again, I (almost) never am.
follow-up: 35 comment:34 by , 2 years ago
Replying to Don-vip:
> @Dirk can you please review my Perl code and commit the cron file if you agree with the changes?
Nothing obvious wrong.
> Also note that submissions to Microsoft Store are not live immediately, it takes a few hours to be actually published on the store. Last time it took less than 24 hours but I don't know exactly how long.
Is there any way to access the live version, so we see if it worked?
comment:35 by , 2 years ago
Replying to stoecker:
> Is there any way to access the live version, so we see if it worked?
I don't know yet if the binary can be downloaded outside of the Microsoft Store Windows app. The submission is still in progress in the partner center:
by , 2 years ago
Attachment: | status.png added |
---|
follow-up: 37 comment:36 by , 2 years ago
Hi folks,
Is the last version on the MS Store? I downloaded from the store and JOSM keeps asking me to update (I am on 18570 and the last version is 18583). On the Store page I cannot check the version number (very poor from MS), but there is no option to update it there.
(I am asking here because I know you are planning to make it updatable from the store, but I am not sure if this was done).
follow-up: 38 comment:37 by , 2 years ago
Replying to matheusgomesms:
> Hi folks,
> Is the last version on the MS Store? I downloaded from the store and JOSM keeps asking me to update (I am on 18570 and the last version is 18583). On the Store page I cannot check the version number (very poor from MS), but there is no option to update it there.
> (I am asking here because I know you are planning to make it updatable from the store, but I am not sure if this was done).
I don't use Windows personally, so I don't know how the update process from the store is supposed to work.
First question: Did you pay money for it? If so, you installed the wrong version, and are at the mercy of the third-party. The official version is at https://apps.microsoft.com/store/detail/josm/XPFCG1GV0WWGZX .
Second question: Can you provide the information requested in the BadReport macro?
Thanks for your report, however your ticket is incomplete and therefore not helpful in its current form.
Please add all needed information according to this list:
- The required parts of the Status Report from your JOSM.
- Please, use Report Bug from Help menu and copy & paste.
- Describe what behaviour you expected.
- Describe what did happen instead.
- Describe if and how the issue is reproducible.
- Add any relevant information like error messages or screenshots.
To ensure that all technical relevant information is contained, create new tickets by clicking in JOSMs Main Menu on Help → Report Bug.
Remember: This is a generic notice so we don't need to write the same stuff again and again. It may only apply in parts to the specific case!
comment:38 by , 2 years ago
Replying to taylor.smock:
> First question: Did you pay money for it? If so, you installed the wrong version, and are at the mercy of the third-party. The official version is at https://apps.microsoft.com/store/detail/josm/XPFCG1GV0WWGZX .
> Second question: Can you provide the information requested in the BadReport macro?
I am using the very same version linked by you (and on JOSM downloads page).
This is the report (just opened JOSM and got the report):
```
Revision:18570
Build-Date:2022-10-07 11:33:30
Identification: JOSM/1.5 (18570 pt_BR) Windows 11 64-Bit
OS Build number: Windows 10 Home 2009 (22621)
Memory Usage: 372 MB / 4072 MB (163 MB allocated, but free)
Java version: 17.0.4+8-LTS, Azul Systems, Inc., OpenJDK 64-Bit Server VM
Look and Feel: com.formdev.flatlaf.FlatDarkLaf
Screen: \Display0 2560×1440 (scaling 1.50×1.50)
Maximum Screen Size: 2560×1440
Best cursor sizes: 16×16→48×48, 32×32→48×48
System property file.encoding: Cp1252
System property sun.jnu.encoding: Cp1252
Locale info: pt_BR
Numbers with default locale: 1234567890 -> 1234567890
VM arguments: [-Djpackage.app-version=1.5.18570, --add-modules=java.scripting,java.sql,javafx.controls,javafx.media,javafx.swing,javafx.web, --add-exports=java.base/sun.security.action=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED, --add-opens=java.base/java.lang=ALL-UNNAMED, --add-opens=java.base/java.nio=ALL-UNNAMED, --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED, --add-opens=java.base/jdk.internal.ref=ALL-UNNAMED, --add-opens=java.desktop/javax.imageio.spi=ALL-UNNAMED, --add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED, --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED, -Djpackage.app-path=%UserProfile%\AppData\Local\JOSM\JOSM.exe]

Plugins:
+ FixAddresses (36011)
+ ImportImagePlugin (36013)
+ PicLayer (1.0.2)
+ apache-commons (36034)
+ apache-http (35924)
+ buildings_tools (36011)
+ conflation (0.6.9)
+ continuosDownload (105)
+ ejml (35924)
+ flatlaf (36036)
+ geotools (36028)
+ imagery-xml-bounds (35976)
+ imagery_offset_db (35978)
+ indoorhelper (1.2.2)
+ jackson (36034)
+ jaxb (35952)
+ jna (36005)
+ jts (36004)
+ log4j (36034)
+ opendata (36025)
+ pdfimport (35976)
+ reltoolbox (35976)
+ reverter (36011)
+ tageditor (36011)
+ turnlanes-tagging (v0.0.5)
+ turnrestrictions (36011)
+ utilsplugin2 (36011)

Map paint styles:
- https://josm.openstreetmap.de/josmfile?page=Styles/Lane_and_Road_Attributes&zip=1
+ https://josm.openstreetmap.de/josmfile?page=Styles/Coloured_Streets&zip=1
- https://josm.openstreetmap.de/josmfile?page=Pt:Styles/Coloured_buildings&zip
- <josm.pref>\plugins\indoorhelper\resources\sit.mapcss

Validator rules:
+ https://raw.githubusercontent.com/OSMBrasil/validador-josm/master/Rules_Brazilian-Specific.validator.mapcss

Last errors/warnings:
- 00000.755 W: extended font config - overriding 'filename.Myanmar_Text=mmrtext.ttf' with 'MMRTEXT.TTF'
- 00000.758 W: extended font config - overriding 'filename.Mongolian_Baiti=monbaiti.ttf' with 'MONBAITI.TTF'
- 00001.391 E: java.security.KeyStoreException: Windows-ROOT not found. Causa: java.security.NoSuchAlgorithmException: Windows-ROOT KeyStore not available
- 00003.064 W: Falha ao excluir o plugin desatualizado '<josm.pref>\plugins\flatlaf.jar'.
- 00003.065 W: Falha na instalação do plugin já baixado 'flatlaf'. Ignorando a instalação. JOSM irá carregar a versão antiga do plugin.
```
comment:39 by , 2 years ago
Stupid question: What happens if you uninstall JOSM and then reinstall it? While it shouldn't remove the preferences, you may want to back them up.
You can back up your preferences by going to JOSM Preferences -> Advanced Preferences -> select all the preference keys (ctrl+a) -> Export selected items.
To restore your preferences, go to JOSM Preferences -> Advanced Preferences -> Read from file.
follow-up: 41 comment:40 by , 2 years ago
The update submission is still "in progress" in the MS partner center. It seems I must have missed something when I submitted the update 5 weeks ago. If someone is willing to investigate in the documentation what I did wrong? The script I ran is in comment:32. I won't have time to dig again in the documentation before holidays.
comment:41 by , 2 years ago
Replying to Don-vip:
> The update submission is still "in progress" in the MS partner center. It seems I must have missed something when I submitted the update 5 weeks ago. If someone is willing to investigate in the documentation what I did wrong? The script I ran is in comment:32. I won't have time to dig again in the documentation before holidays.
Did we log the return output from curl somewhere? Specifically, I'm wondering if there are error details.
comment:42 by , 2 years ago
I didn't log the response but I'm sure to have received an HTTP 200 response to the /commit call, otherwise I would have investigated further. Probably the "commit" is not enough and something more must be done.
comment:45 by , 22 months ago
Cc: | added |
---|
comment:46 by , 22 months ago
Ok. For newest release I got this as email:
$curlbase -X PATCH -d '{\"packageUrl\": \"https://josm.openstreetmap.de/download/windows/josm-setup-$rev-java$winjava.msi\"}'$baseapiurl/packages/$packageid
→ {"responseData":{},"isSuccess":true}
$curlbase -X POST -d '' $baseapiurl/packages/commit
→ {"responseData":{"pollingUrl":"submission/v1/product/22...dd/status"},"isSuccess":true}
We'll see what happens.
comment:48 by , 21 months ago
Hi, I just installed JOSM from MS Store, as mentioned in the home page and opened the app to immediately receive a fullscreen "You should update!" message. Apparently, the Store version is at v18570 while the current one is 18646.
This is a really bad first impression of the app. :/
comment:49 by , 21 months ago
@Dirk I think I understand what's missing. Right now we:
- PATCH the package URL
- POST the "commit" order to effectively upload the package to MS infra. We get in response a pollingUrl to get the upload status
what's probably missing:
- POST the "submit" order to make the certification process begin and the update be released on MS store:
https://learn.microsoft.com/en-us/windows/apps/publish/store-submission-api#create-submission-api
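The sequence this comment arrives at (update the package URL, commit, then submit), as an added Perl example that is not the project's cron script: every reply is logged and checked for `isSuccess`, and curl receives the bearer token on stdin instead of on the command line. Assumptions: the `/submit` path and the `isReady` status field are taken from Microsoft's Store submission API documentation rather than from this ticket; `check_reply`, `curl_transport` and `update_store` are hypothetical names; `PRODUCT-ID` and `PACKAGE-ID` are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP qw(decode_json encode_json);
use IPC::Open2 qw(open2);

my $API = 'https://api.store.microsoft.com';

# Decode one Store API reply and die with the raw body unless isSuccess is
# true, so cron mails the failing step instead of carrying on.
sub check_reply {
    my ($step, $raw) = @_;
    my $reply = eval { decode_json($raw) };
    die "$step: reply is not a JSON object: $raw\n" unless ref($reply) eq 'HASH';
    die "$step: isSuccess is false: $raw\n" unless $reply->{isSuccess};
    print "$step: $raw\n";
    return $reply->{responseData} // {};
}

# Transport that runs curl without a shell and passes the headers on stdin
# (--config -), which keeps the bearer token out of the process list.
sub curl_transport {
    my ($token, $sellerid) = @_;
    return sub {
        my ($method, $url, $body) = @_;
        my @cmd = ('curl', '--silent', '--max-time', '30', '--config', '-',
                   '--request', $method);
        push @cmd, '--data', $body if defined $body;
        my $pid = open2(my $out, my $in, @cmd, $url);
        print {$in} qq{header = "Authorization: Bearer $token"\n},
                    qq{header = "X-Seller-Account-Id: $sellerid"\n};
        close $in;
        my $raw = do { local $/; <$out> };
        waitpid $pid, 0;
        return $raw // '';
    };
}

# PATCH the package URL, commit, wait for the commit to finish, then submit.
sub update_store {
    my ($send, $productid, $packageid, $msiurl, $tries, $wait) = @_;
    my $base = "$API/submission/v1/product/$productid";
    check_reply('update package', $send->('PATCH', "$base/packages/$packageid",
        encode_json({ packageUrl => $msiurl })));
    my $commit = check_reply('commit', $send->('POST', "$base/packages/commit", ''));
    die "commit: reply has no pollingUrl\n" unless defined $commit->{pollingUrl};
    my $poll = "$API/" . ($commit->{pollingUrl} =~ s{^/}{}r);
    for my $try (1 .. $tries) {
        # isReady is an assumed field name (from the API docs, not this ticket).
        last if check_reply("status $try/$tries", $send->('GET', $poll))->{isReady};
        die "status: commit not ready after $tries polls\n" if $try == $tries;
        sleep $wait;
    }
    # The call comment 49 found missing; /submit is an assumed path (API docs).
    return check_reply('submit', $send->('POST', "$base/submit", ''));
}

# Offline demo with a stub transport and constructed replies (commit reply
# modelled on comment 46; the status and submit bodies are assumed shapes).
my $stub = sub {
    my ($method, $url) = @_;
    return '{"responseData":{"pollingUrl":"submission/v1/product/PRODUCT-ID/status"},"isSuccess":true}'
        if $url =~ m{/packages/commit\z};
    return '{"responseData":{"isReady":true},"isSuccess":true}' if $url =~ m{/status\z};
    return '{"responseData":{},"isSuccess":true}';
};
update_store($stub, 'PRODUCT-ID', 'PACKAGE-ID',
    'https://josm.openstreetmap.de/download/windows/josm-setup-18570-java17.msi', 3, 0);
# Live use: update_store(curl_transport($token, $sellerid), ..., 30, 10);
```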
comment:50 by , 21 months ago
Tested it and it had the same effect as my manual click. Added it to the script. We'll see next month :-)
comment:51 by , 21 months ago
Yay! Finally we should be able to close this ticket and not worry about it anymore :)
As far as GPL license conditions aren't violated it's ok to do so.