Monday, April 8, 2019 [Tweets] [Favorites]

macOS 10.14.5 Requires New Developers to Notarize

Apple:

Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.

In theory, this shouldn’t be a big deal. It’s like Gatekeeper, but signed by Apple. But, in practice, the notarization service sometimes goes down, or takes an unpredictably long time, or silently adds a requirement that wasn’t there the last time you deployed a build. So you never know how long it will take to get a bug fix out.

Via Rosyna Keller:

There’s also a new section about apps with plug-in SDKs and the hardened runtime.

Other sections of the Notarization docs were updated to address developer feedback.

Previously:

See also: Howard Oakley, Jeff Johnson.

Update (2019-04-09): Rosyna Keller:

Resolving Common Notarization Issues has also been updated.

Additionally, it includes information regarding the fact devs with apps with plugin SDKs no longer have to separately ship a debuggable version and a notarized version.

Felix Schwarz:

TIL why I can no longer enter a fax number in the #macOS Print Dialog & therefore no longer use my Epson MFP to send faxes in #Mojave.

With 10.15 killing 32bit support, my ScanSnap’s software will stop working next.

I’ll soon need a VM to use my Mac for basic office tasks.

Jeff Johnson:

The reality now for Apple OS updates is that there’s no longer a distinction between major and minor updates.

All updates potentially include major new features. Or breakages.

Apple is now a full-on “Agile” shop, for better or worse.

(Narrator: For worse.)

Paul Haddad:

Apple is getting aggressive with this stuff. Normally any Mac changes are years in the making.

Arturo:

This is awful. I really really hope they add an option to disable this just like SIP. I don’t really understand if this is possible.

Probably I need to move from macOS. Its a great OS but this kind of changes that could break anything...

Calum Hunter:

who would want to develop on this platform or use this platform for IT professional services anymore. I’m 18 year veteran mac says admin/engineer and now considering switching to a linux machine to get my work done. apple have lost the plot.

Paulo Andrade:

My question here is: is it really that hard for a bad actor to pass the notarization checks that makes this worthwhile to impose on all other developers?

Jeff Johnson:

No, the whole thing is a complete joke, because apps can software update themselves outside the App Store and avoid Gatekeeper entirely. Submit a harmless version to Apple, notarize it, then flip the switch server-side to update to a new malware version after install.

[…]

The technical term would be “security theater”. :-)

John Daniel thinks it will still be effective against adware:

Because they would have to start writing code instead just running an automated app generation script. It is possible, but gets more and more difficult and costly.

Nikolaus Gebhardt:

About 28% of my users running my apps on macOS switched to the Windows version in the last 2 years. Apple now making it even more difficult for devs to create macOS apps will probably not improve this situation for them.

McCloud:

I haven’t worked on macOS for a year or two, but it seems like notarized apps are non-debuggable, and future versions will keep adding friction for non-notarized apps. Is it just me or is the Mac slowly losing its UNIX roots and leaning towards stripping users of control?

Jim Rea:

I haven’t seen any definition of “new developers” -- who fits into that? Does it mean developers that sign up for a developer app starting from today? And how is this enforced on the user’s computer? Or maybe this is enforced during the signing process? Seems weird.

Jeff Johnson:

My guess: info in the DeveloperID cert. It’s the only thing that makes sense at the OS level & explains why it applies “if you’re new to distributing macOS software, regardless of how long you’ve developed for other Apple platforms”. In other words, on generating new DevID cert.

See also: Hacker News and MacRumors.

Update (2019-04-10): Howard Oakley:

As ever, life isn’t quite as simple as Apple’s announcement might seem. It doesn’t, for example, address problems with command tools, which currently don’t pass through Gatekeeper checks, and are often unsigned, although it is possible to attach signatures to them. Apple still doesn’t have a scheme to provide an equivalent to notarization for command tools which aren’t embedded in an app or other code bundle. If you distribute your command tool as part of an Installer package, it is supposed to be possible to get the whole package notarized, although Apple hasn’t detailed a workflow for doing that, nor said whether all installer packages will be required to be notarized. Hopefully some time before 10.15 is released this will become clearer.

[…]

Notarization is only checked when you first run an app which has been downloaded from the Internet and has gained a quarantine flag as a result.

Howard Oakley:

The requirement coming for non-App Store apps is notarization. You said its purpose is malware detection. That may be the purpose of uploading apps to Apple, but there’s more to it than that: you can’t notarize an app unless it’s hardened. So what’s the purpose of that?

Jeff Johnson:

There’s no good reason for the requirement. Notarization is a convenient excuse.

Apple is using the threat of Gatekeeper not allowing your app to launch in order force developers to do something Apple wants, self-impose the hardened runtime on your apps.

It’s a jerk move.

Tom Bridge:

Kerio’s VPN Client was now dead in the water and not functional, no matter what I could do to follow up. An inspection (which requires Xcode 10.2 and not just the command line tools) of the kvnet.kext file in /Library/Extensions indicated I did not have a valid kernel extension any longer[…] Without a valid ticket stapled to the kext, I was going to have a problem running it, as the secureTimestamp value is after 2019-03-11.

Well crap. I need that kernel extension to work for my VPN to client locations to work, so how am I going to get around it? Thanks to #notarization on the Mac Admins Slack, and Allen Golbig at NASA Glenn, Graham Pugh, and the help of others, the answer was already in our hands: User-Accepted Mobile Device Management and Team ID Whitelisting in the Kernel Extensions Whitelisting payload in MDM.

Update (2019-04-11): Apple:

We’re working with developers to create a safer Mac user experience through a process where all software, whether distributed on the App Store or outside of it, is signed or notarized by Apple. With the public release of macOS 10.14.5, we require that all developers creating a Developer ID certificate for the first time notarize their apps, and that all new and updated kernel extensions be notarized as well. This will help give users more confidence that the software they download and run, no matter where they get it from, is not malware by showing a more streamlined Gatekeeper interface.

Howard Oakley:

So if I understand these results:

- declare built with 10.14 SDK, hardening is required for notarization
- lie about that, or use older SDK, and you can notarize unhardened apps.

Rich Trouton:

The part about “notarization will be required by default for all software” made me think, because there are a few apps that I’ve written over the years that are still useful (at least to me). All of them were built using Automator, which meant that the usual Xcode-based ways of notarizing applications wasn’t going to work for me.

Update (2019-04-12): Howard Oakley:

So if you’ve got folders full of your own apps which haven’t gained a quarantine flag because they weren’t downloaded from the Internet, or which have already cleared quarantine following download, they will continue to open and run fine in 10.15. Apple hasn’t announced that it’s changing the way that Gatekeeper works, and if it were even to consider that, the penalties would be seismic.

That does, though, leave many wondering how they’re going to be able to share tools as they have in the past. Unfortunately, the news for them isn’t good at all. If you want to make such apps available to others via download, the only way that this will work in 10.15 and later is for you to go through the whole process of signing them with a developer ID and notarization. Probably.

[…]

How on earth can an app be hardened, something only available in recent versions of Xcode, to meet the first requirement, but remain unsigned?

The answer seems to rest in what built the app in the first place. If the app declares that it was built using a recent version of Xcode, which supports hardening and notarization, then the latter will expect it to comply with the new and rigorous rules, including code-signing and hardening. If your app is built with an older version of Xcode, or a different tool, then legacy rules apply, as described later in that article.

Twocanoes Software:

We use Packages for easily creating distribution packages, and DropDMG for making great looking disk images. The notarization process involves uploading a copy of the app to the notarization service at Apple, then polling the service until it is complete, then downloading the ticket and “stapling” it to the app. So our new process looks like this:

Archive Build->Upload->Poll Until Success->Staple->Package->Add to DMG

Update (2019-04-22): Howard Oakley:

Typical notarizations take less than 5 minutes, from completing upload to Apple’s server to the app being ready to distribute. It’s been unusual for any to take much longer than that, although there were a couple of occasions last October which were delayed by over an hour. I’ve not had any failures at all, neither have I discovered the service to be unavailable. Generally speaking, I can get an app from final test build to distribution on this server within 10-15 minutes when I need.

Twice, just recently, Xcode 10.2 has reported silly errors as if I wasn’t notarizing but trying to send for review for the App Store. I simply quit Xcode, opened it again, and notarization worked fine.

Undoubtedly your experience will vary, as will mine now that the Notary Service is becoming more heavily used.

Tom Bridge:

So, if you deliver an unstapled object, as DisplayLink has, it may still pass muster, but that requires your machine to be able to talk with Apple at the time of install. If you are operating a network which embraces 802.1X user certificates, and you install software at the login window (with Munki, say) you may run into a circumstance where the software is actually notarized by Apple, but without that stapled ticket, you’re stuck if you can’t talk to Apple to prove it. This will result in a failed install.

16 Comments

> In a future version of macOS, notarization will be required by default for all software.

Wait, what? What if I build apps not with Xcode but with Python or Mono or Xojo or Java? What if I distribute the app to my local network? Will macOS 10.x not run them because they're not notarized? It's already like this for kexts - I can't simply build my own personal kext and use it on 10.14. Which sucks big time. Now, Apple wants to extend that to any regular app as well? Please tell me I got this wrong.

Related question: Is there a way to enable the hardened runtime for an app built via the command line with xcodebuild?

Does anyone have any experience on notarizing a user-space CoreAudio driver (aka AudioServerPlugin)?

Will Notbepublished

The "geniuses" at Cupertino are not able to fix their own bugs in minor OS updates but on the other side they require 3rd party developers to make important changes breaking backward and forward compatibility and production workflows in those same minor OS updates.

Is there anyone with a bit of sanity at Apple in the Mac division? Is there even still a Mac division?

@Thomas It applies in the same circumstances where Gatekeeper would.

@remmah If you’re using xcodebuild, you have an Xcode project, and you can enable it in the project. You could also run codesign --options runtime afterwards to enable the hardened runtime.

Bill D Catt

>Is there even still a Mac division?

No, the last vestiges of Mac OS X as a nominally independent structure were done away with several years ago. iOS is all that matters to anyone in charge, unless there's bad press.

John Daniel

@Thomas,
You got that wrong. Notarization only applies to publicly distributed software. You should not experience any significant changes. It is possible that some methods of local, networked distribution would need to change or have some modifications. Don’t believe all the hype. Even doing notarization takes about 2 minutes to wait for the token. If you need to add something to whatever network distribution system you have, it might take you a few minutes, once, to add that step.

I have always thought that kernel signing was not security related. It is just an effort to make kernel extensions harder to do so that fewer developer will attempt them and destabilize their users’ machines.

In general, developers just need to un-freak themselves out about this. Apple makes consumer devices. It assumes developers are distributing consumer software. That’s what all this is for. If you aren’t doing that, then none of it even applies to you. If you are doing that, then notarization is trivially easy.

@John Daniel "Apple makes consumer devices. It assumes developers are distributing consumer software."

Wrong. Apple assumes developers are distributing single bundled apps. Which is not the reality.

Also I'm wondering whether this notarization process does not make it more interesting to write an Electron app instead of a real native Mac application.

I'm genuinely curious what does "XXX must be rebuilt with support for the Hardened Runtime" means for eg. executable command line utilities build without Xcode.

@Marcin It means enabling the hardened runtime when code signing and including special entitlements (if necessary).

At first glance this sounds like a decent idea. But as the comments indicate, its not as simple as it seems.

Right now it seems that only Developer ID apps are affected, correct? So if you developer or distribute without that you will have to just allow Gatekeeper to run unsigned apps, right?

But how long is that going to be allowed?

@Matt Apple already removed the setting to automatically allow non-Gatekeeper apps, and the manual contextual menu override only works for admin accounts.

@Michael oh shoot I totally forgot they did that. Man... what is Apple doing?

Will Notbepublished

@Matt "So if you developer or distribute without that you will have to just allow Gatekeeper to run unsigned apps, right?"

A solution that I would not recommend: give people the curl command required to download your apps. curl won't set the Quarantine Flag and last time I checked, GateKeeper will see nothing. If you're distributing a Kernel Extension this is another story.

So basically, you can no longer release software for the Mac without Apple's permission. (Well, I guess you can, but users will need to know how to use Terminal to use curl, strip the xattr, or disable gatekeeper.)

Today, they may notarize anything anyone sends; tomorrow, they'll refuse to notarize if you use deprecated API, private API, or any of the other crazy rules we see with their App Store.

It's dark days ahead I fear. I dread WWDC.

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment