altool 4.01

Rosyna Keller:

This is a tweetstorm discussing the new features of altool 4.01 (included with Xcode 11.4), changes to the notarization documentation, and a change to notary service requirements, with the far majority coming directly from user requests.


All versions of altool now default to --transport HTTPS, which is much faster and doesn’t require UDP to be unblocked at the firewall.


There’s now an explicit note on what happens to plugins if they’re quarantined but not notarized on a user’s computer box.

Specifically, they’ll have to allow the quarantined plugin in the Security & Privacy preference pane.


The bottom of the Customizing the Notarization Workflow document (see above) now very explicitly gives information on how long notarization can take after an upload is completed and steps you can take to reduce notarization time.


The biggest change is that proper entitlement format is now enforced in the notary service and on macOS 10.15.4 and later.

They must be properly formed ASCII-encoded, BOM-less XML files. Xcode enforces that for you, but the codesign tool doesn’t.

Edovia thinks that macOS 10.15.4 also changed the way certificates are validated:

The problem is that one of our signing certificates expired today. Normally, this would only prevent us from submitting an update until we generate a new certificate, but it seems like Apple changed the rules with macOS 10.15, where an app that contains an expired certificate may refuse to launch.

However, I am able to launch other apps that were signed with certificates that have expired. It only matters that they were valid at the time of signing.

Keller thinks the crash at launch may be due to the stricter validation of the entitlements plist, and it looks like the same issue affected KeePassXC.

This was an unfriendly change, suddenly crashing apps that had previously been accepted by Apple’s own tools, with no warning period. Customers can’t just auto-update to a version that fixes the problem because the system crashes the app before it can check for updates.
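Because codesign does not enforce the entitlement format Keller describes, a build script can check the file before signing. The following is an added example, not code from Apple or from anyone quoted here: check_entitlements is a hypothetical helper that tests only the properties named above (no BOM, ASCII only, well-formed XML), plus the assumption that the top-level object is a dictionary.

```python
import plistlib
import sys
from xml.parsers.expat import ExpatError

BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")  # UTF-8, UTF-16 LE, UTF-16 BE


def check_entitlements(data: bytes) -> list:
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    if data.startswith(BOMS):
        problems.append("starts with a byte order mark")
    if data.startswith(b"bplist"):
        return problems + ["binary plist, not XML"]
    # Report the first byte outside the 7-bit ASCII range, if any.
    offset = next((i for i, b in enumerate(data) if b > 0x7F), None)
    if offset is not None:
        problems.append(f"non-ASCII byte 0x{data[offset]:02x} at offset {offset}")
    try:
        root = plistlib.loads(data, fmt=plistlib.FMT_XML)
    except (ExpatError, ValueError) as exc:
        problems.append(f"not a well-formed XML plist: {exc}")
    else:
        # Assumption (not stated on the page): entitlements are a key/value dict.
        if not isinstance(root, dict):
            problems.append("top-level object is not a <dict>")
    return problems


# Constructed sample input, used only to exercise the checks.
GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    failed = False
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            issues = check_entitlements(fh.read())
        failed = failed or bool(issues)
        print(f"{path}: {'OK' if not issues else '; '.join(issues)}")
    sys.exit(1 if failed else 0)
```

Run it with one or more entitlements file paths as arguments; a non-zero exit status means at least one file failed a check.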


