Thursday, October 17, 2019

Catalina Notarization

Rich Trouton:

This is not to say that you can hold up a “Notarized!” sign to the auditor, watch the auditor leave after just tossing the checklist aside and commence the post-audit party. But for those folks who have to undergo regular compliance auditing, I would recommend you examine your auditing requirements carefully to see which IT audit controls on your list now get handled automatically on macOS Catalina with its notarization requirements.

Gus Mueller:

“Your Mac software was successfully notarized.”

Thank god Apple finally changed the subject of the notarization email- it was driving me a little insane, one email at a time.

“You can now distribute your Mac software” was the previous subject. As if we weren’t doing OK before.

Rosyna Keller:

Now that macOS Catalina is live, I’m interested in any reports of users running into non-notarized software.

I’d really appreciate screenshots of the “not notarized” dialog and any information you have on the app or quarantined plugin that wasn’t notarized.

The most obvious example I ran into was Catalina’s own installer, which I copied from one of my Macs to the other via screen sharing.

Hayden:

Apple disabled the GUI option to allow unsigned apps in 10.15 and now users are passing around a sudo command on Twitter that disables all app security checks as the workaround to get things working again.

I think the “Anywhere” radio button in System Preferences was actually removed several releases ago.

Armin Briegel:

As with the previous Gatekeeper checks for a valid signature an administrator user can override the check by choosing ‘Open’ from the context menu instead of double-clicking to open.

[…]

When you install software using the installer command from the Terminal or a script, it will bypass quarantine and the Gatekeeper check.

This is also true when you install software using a management system such as Jamf Pro, Munki, Fleetsmith, etc.

[…]

There are some cases where notarization would be useful for MacAdmins but might not even be possible. I met a MacAdmin working at a university at MacSysAdmin last week. They need to re-package a VPN client with customized configuration files to be installed on student-owned machines.

There is really no solution without the students running into the notarization warning.

Howard Oakley:

From comments being posted on articles here, there’s still some confusion over whether macOS 10.15 Catalina will allow you to install and run old apps which aren’t notarized, or new ones which aren’t either. To clear this up, I’ve diagrammed the whole process in detail, to show you how you can work with Catalina’s new security rules.

Howard Oakley:

Using the Finder’s Open command doesn’t bypass the security assessment sub-system completely. It allows wider tolerance in the application of its rules, such as letting un-notarized apps run in Catalina, and unsigned apps run. Signature revocations and errors should still be detected and result in refusal to run, and XProtect should still check the app for known malware signatures.

Turn the whole sub-system off, and you’re going to be trying to force macOS to run something which is very likely to be malicious or damaged.

Removing the quarantine flag from a freshly-downloaded app or installer isn’t quite as bad, as signature checks still take place, and in Catalina (but not Mojave or earlier) the app should also be checked by XProtect.

ross tulloch (MacRumors):

I think Apple’s notarization server may have died under the Catalina induced load. I submitted a dmg 4+ hours ago. Still “in progress”.

I ran into delays as well, following Catalina’s release, and then performance returned to normal.

Jeff Johnson:

Don’t worry, they said. It won’t be a problem, they said. It just works, they said.

Frank Reiff:

Ok, so now that everybody is notarizing their apps at the same time.. it’s painfully slow. Who would have thought that Apple would build a required feature that does not scale?

Apple:

We will be conducting scheduled maintenance on Sunday, October 20, 2019 at 6:00 a.m. PT for up to 8 hours. App Store Connect on the web, the App Store Connect app, the App Store Connect API, and the Developer ID notary service will be unavailable during this time. We apologize for any inconvenience and recommend that you make critical deliveries or changes on another day.

All distribution of Mac software will be blocked for 8 hours. Apple’s servers are a chokepoint even if you aren’t using the Mac App Store. Hopefully no one needs to ship an emergency update.

Michael Love:

The big worry censorship-wise is that notarization still presents a single point of failure; in theory the PRC could mandate that Apple use different sideloading code signing certificates for them and that only apps that register w/govt and pass censors can get signed.

Update (2019-10-18): Rosyna Keller:

The “Upload Your App to the Notarization Service” section of the Customizing the Notarization Workflow documentation has been updated to include descriptions of new features in altool 4.0 such as making a keychain entry, listing provider membership.

Mark Munz:

Also, the fact that I’m forced to agree to some new Paid Applications Schedule to NOTARIZE my app (not in app store) is absolute crap!!

Update (2019-10-22): Mark Munz:

Where do I go at Apple to get my entire lost morning back while waiting for Apple’s notary service to “bless” my app?

Update (2019-10-23): Mark Munz:

Apple has been providing its Notary Service since June 2018.

This morning, it went from Performance issues to later finally admitting an outright Outage.

Luc Vandal:

I hope you had nothing important to ship today. 🤨

Jeff Johnson:

They took it down on purpose Sunday.

Now it’s down again.

Mark Munz:

Apple’s Developer ID Notary Service back up after being out most of the day.

Great service you got Apple, can’t wait for the next time this REQUIRED SERVICE injects itself into my critical path and eats away at my productivity. 🙄

Update (2019-11-01): Paul Kim:

Anyone seeing issues with notarized apps being unable to run third party Automator actions?

To follow up: to run Automator workflows with third-party actions, you need to check the Disable Library Validation in the hardened runtime entitlements.

[…]

Also, if you create a new workflow and drag a third party action into it, you’ll get a warning. Clicking that brings up an alert where you can enable third-party actions. I don’t see any evidence of this setting in Security & Privacy.

Rosyna Keller:

If an app plugin created after June 1st, 2019 is ever going to be quarantined* on Catalina, it needs to be notarized, or else users must approve it in the Security & Privacy prefpane.

*Occurs when downloading from the internet, transferring via AirDrop, iMessage, et cetera.

Update (2019-11-06): Howard Oakley:

I first submitted SilentKnight version 1.5 using Xcode. This was the first time that I had used version 11.2, and I proceeded in the normal way. It reported that the app had been successfully uploaded, and a few minutes later I was puzzled that it hadn’t yet been notarized and was still not ready to distribute. I gave it a bit longer, then checked its service status, which was green. But when I queried the status of my notarization request within Xcode, it reported that no record of that request could be found, and advised me to submit it afresh.

[…]

[Developers need:]

Accurate error messages which provide the right advice. As it turned out, every error had been misleading, and repeatedly resubmitting wasn’t the right way forward. Had the service informed me there was a problem and notarization would be delayed, I could have done something else instead of wasting most of an evening.

Accurate service status indicators. The service was down, but there was no indication of any problem except after you had submitted a request.

A contact point (Twitter, email) for informing Apple that the service wasn’t working properly.

3 Comments

Sören Nils Kuklau

We apologize for any inconvenience and recommend that you make critical deliveries or changes on another day.

Assuming they allow themselves eight hours of downtime every year, that’s actually worse than a three-nines 99.9% SLA (which would be about 8 hours, 45 minutes per year). But my understanding is that this is on top of their usual holiday shutdown.

I guess at least whoever wrote the “recommend you make critical deliveries on another day” quip doesn’t run a maternity ward.

Okay, is there a silver lining anywhere here? Does notarization actually help security or is it simply Apple controlling the platform even more?
