Thursday, October 17, 2019

Catalina Notarization

Rich Trouton:

This is not to say that you can hold up a “Notarized!” sign to the auditor, watch the auditor leave after just tossing the checklist aside and commence the post-audit party. But for those folks who have to undergo regular compliance auditing, I would recommend you examine your auditing requirements carefully to see which IT audit controls on your list now get handled automatically on macOS Catalina with its notarization requirements.

Gus Mueller:

“Your Mac software was successfully notarized.”

Thank god Apple finally changed the subject of the notarization email- it was driving me a little insane, one email at a time.

“You can now distribute your Mac software” was the previous subject. As if we weren’t doing OK before.

Rosyna Keller:

Now that macOS Catalina is live, I’m interested in any reports of users running into non-notarized software.

I’d really appreciate screenshots of the “not notarized” dialog and any information you have on the app or quarantined plugin that wasn’t notarized.

The most obvious example I ran into was Catalina’s own installer, which I copied from one of my Macs to the other via screen sharing.

Hayden:

Apple disabled the GUI option to allow unsigned apps in 10.15 and now users are passing around a sudo command on Twitter that disables all app security checks as the workaround to get things working again.

I think the “Anywhere” radio button in System Preferences was actually removed several releases ago.

Armin Briegel:

As with the previous Gatekeeper checks for a valid signature an administrator user can override the check by choosing ‘Open’ from the context menu instead of double-clicking to open.

[…]

When you install software using the installer command from the Terminal or a script, it will bypass quarantine and the Gatekeeper check.

This is also true when you install software using a management system such as Jamf Pro, Munki, Fleetsmith, etc.

[…]

There are some cases where notarization would be useful for MacAdmins but might not even be possible. I met a MacAdmin working at a university at MacSysAdmin last week. They need to re-package a VPN client with customized configuration files to be installed on student-owned machines.

There is really no solution without the students running into the notarization warning.

Howard Oakley:

From comments being posted on articles here, there’s still some confusion over whether macOS 10.15 Catalina will allow you to install and run old apps which aren’t notarized, or new ones which aren’t either. To clear this up, I’ve diagrammed the whole process in detail, to show you how you can work with Catalina’s new security rules.

Howard Oakley:

Using the Finder’s Open command doesn’t bypass the security assessment sub-system completely. It allows wider tolerance in the application of its rules, such as letting un-notarized apps run in Catalina, and unsigned apps run. Signature revocations and errors should still be detected and result in refusal to run, and XProtect should still check the app for known malware signatures.

Turn the whole sub-system off, and you going to be trying to force macOS to run something which is very likely to be malicious or damaged.

Removing the quarantine flag from a freshly-downloaded app or installer isn’t quite as bad, as signature checks still take place, and in Catalina (but not Mojave or earlier) the app should also be checked by XProtect.

ross tulloch (MacRumors):

I think Apple’s notarization server may have died under the Catalina induced load. I submitted a dmg 4+ hours ago. Still “in progress”.

I ran into delays as well, following Catalina’s release, and then performance returned to normal.

Jeff Johnson:

Don’t worry, they said. It won’t be a problem, they said. It just works, they said.

Frank Reiff:

Ok, so now that everybody is notarizing their apps at the same time.. it’s painfully slow. Who would have thought that Apple would build a required feature that does not scale?

Apple:

We will be conducting scheduled maintenance on Sunday, October 20, 2019 at 6:00 a.m. PT for up to 8 hours. App Store Connect on the web, the App Store Connect app, the App Store Connect API, and the Developer ID notary service will be unavailable during this time. We apologize for any inconvenience and recommend that you make critical deliveries or changes on another day.

All distribution of Mac software will be blocked for 8 hours. Apple’s servers are a chokepoint even if you aren’t using the Mac App Store. Hopefully no one needs to ship an emergency update.

Michael Love:

The big worry censorship-wise is that notarization still presents a single point of failure; in theory the PRC could mandate that Apple use different sideloading code signing certificates for them and that only apps that register w/govt and pass censors can get signed.

Previously:

Update (2019-10-18): Rosyna Keller:

The “Upload Your App to the Notarization Service” section of the Customizing the Notarization Workflow documentation has been updated to include descriptions of new features in altool 4.0 such as making a keychain entry, listing provider membership.

Mark Munz:

Also, the fact that I’m forced to agree to some new Paid Applications Schedule to NOTARIZE my app (not in app store) is absolute crap!!

Update (2019-10-22): Mark Munz:

Where do I go at Apple to get my entire lost morning back while waiting for Apple’s notary service to “bless” my app?

Update (2019-10-23): Mark Munz:

Apple has been providing its Notary Service since June 2018.

This morning, it went from Performance issues to later finally admitting an outright Outage.

Luc Vandal:

I hope you had nothing important to ship today. 🤨

Jeff Johnson:

They took it down on purpose Sunday.

Now it’s down again.

Mark Munz:

Apple’s Developer ID Notary Service back up after being out most of the day.

Great service you got Apple, can’t wait for the next time this REQUIRED SERVICE injects itself into my critical path and eats away at my productivity. 🙄

Update (2019-11-01): Paul Kim:

Anyone seeing issues with notarized apps being unable to run third party Automator actions?

To follow up: to run Automator workflows with third-party actions, you need to check the Disable Library Validation in the hardened runtime entitlements.

[…]

Also, if you create a new workflow and drag a third party action into it, you’ll get a warning. Clicking that brings up an alert where you can enable third-party actions. I don’t see any evidence of this setting in Security & Privacy

Rosyna Keller:

If an app plugin created after June 1st, 2019 is ever going to be quarantined* on Catalina, it needs to be notarized, or else users must approve it in the Security & Privacy prefpane.

*Occurs when downloading from the internet, transferring via AirDrop, iMessage, et cetera.

Update (2019-11-06): Howard Oakley:

I first submitted SilentKnight version 1.5 using Xcode. This was the first time that I had used version 11.2, and I proceeded in the normal way. It reported that the app had been successfully uploaded, and a few minutes later I was puzzled that it hadn’t yet been notarized and was still not ready to distribute. I gave it a bit longer, then checked its service status, which was green. But when I queried the status of my notarization request within Xcode, it reported that no record of that request could be found, and advised me to submit it afresh.

[…]

[Developers need:]

Accurate error messages which provide the right advice. As it turned out, every error had been misleading, and repeatedly resubmitting wasn’t the right way forward. Had the service informed me there was a problem and notarization would be delayed, I could have done something else instead of wasting most of an evening.

Accurate service status indicators. The service was down, but there was no indication of any problem except after you had submitted a request.

A contact point (Twitter, email) for informing Apple that the service wasn’t working properly.

Update (2019-11-26): James Thomson:

The yellow diamond of doom.

Update (2020-04-23): Norbert Doerner:

Apple claims you can use their main developer tool Xcode to notarize your macOS application with a few simple clicks.

Truth is, that doesn’t seem to be the case. For our NeoFinder project, for example, Xcode doesn’t even show the options to notarize the build and archived product. And yes, we have filed a bug report about this 16 months ago, and Apple said that somehow Xcode couldn’t really see that NeoFinder was actually really an application, so it probably possibly didn’t really work. And that was all. No help from Apple at all beyond that point.

4 Comments RSS · Twitter


Sören Nils Kuklau

We apologize for any inconvenience and recommend that you make critical deliveries or changes on another day.

Assuming they allow themselves eight hours of downtime every year, that’s actually worse than a three-nines 99.9% SLA (which would be about 8 hours, 45 minutes per year). But my understanding is that this is on top of their usual holiday shutdown.

I guess at least whoever wrote the “recommend you make critical deliveries on another day” quip doesn’t run a maternity ward.


Okay, is there a silver lining anywhere here? Does notarization actually help security or is it simply Apple controlling the platform even more?



ClickInstall can generate an installer for your macOS software that can be quickly code signed and notarized with Apple. See the https://www.youtube.com/watch?v=qoqDnrPYwzo

Leave a Comment