Thursday, June 9, 2022

Mac App Notarization at WWDC 2022

Apple:

Notarization works in tandem with macOS to help people safely download software for their Mac outside of the App Store. Learn about the required transition from altool to notarytool and how the Xcode GUI can help you achieve better overall performance when notarizing your app. We’ll also share information about APIs for interacting with the Notary service from any internet-connected machine.

altool is going away for notarization in fall 2023 (Apple later fixed the cutoff as November 1, 2023, after which the notary service no longer accepts uploads from altool).

Rosyna Keller:

The other huge change is the Apple notary service now has a public REST API. Now you can avoid notarytool and Xcode for notarization if that’s how you prefer to roll. Note that stapling isn’t part of this new API and still has to be done from a Mac.

[…]

You can pull notarytool and stapler from the Xcode command line tools and use them on Macs not running the latest Xcode builds.

[…]

[All] versions of notarytool support a --webhook <URL> on the submit command.

[…]

Because spctl tests the certificate chain against the current machine’s policies and your own dev certs are trusted, you may have to move the thing you’re testing to a VM or another Mac to see any errors a typical user would see when running your generally untrusted signature.
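The workflow Rosyna sketches above (submit with notarytool, optionally with a webhook, staple on a Mac, then check what Gatekeeper will actually say), put together as a CI step. This is an added example, not code from the post, from Apple or from Rosyna. It assumes an App Store Connect API key already saved under the hypothetical keychain profile name `notary-profile` via `xcrun notarytool store-credentials`, an optional `NOTARY_WEBHOOK` environment variable, a `--run` argument to start the real workflow, and the Xcode command line tools on the build Mac; the JSON results embedded at the bottom are constructed samples so the parsing logic can be checked offline.

```shell
#!/bin/sh
# Added example (not the post's, Apple's or Rosyna's code): notarize a .app
# with notarytool, staple the ticket and verify the result as a user would.
#
# Assumptions (hypothetical, not from the page):
#   - credentials stored once with: xcrun notarytool store-credentials notary-profile
#   - NOTARY_WEBHOOK, if set, is a URL the notary service should POST the verdict to
#   - invoked as: ./notarize.sh --run Path/To/App.app [profile]
set -eu

# Extract a top-level string field from notarytool's --output-format json
# result. Pure text processing, so it can be exercised without a Mac.
json_field() {
    field=$1; json=$2
    printf '%s\n' "$json" \
        | sed -n "s/.*\"$field\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
        | head -n 1
}

# Only "Accepted" means a ticket was issued. "Invalid" or "Rejected" means the
# build must not ship; the submission log says which file or entitlement failed.
submission_accepted() {
    [ "$(json_field status "$1")" = "Accepted" ]
}

notarize_and_staple() {
    app=$1; profile=${2:-notary-profile}
    zip="${app%.app}.zip"

    # Notarization does not repair a bad signature, so check that first.
    codesign --verify --deep --strict --verbose=2 "$app"

    # notarytool accepts a zip, dmg or pkg; ditto preserves the bundle layout.
    ditto -c -k --keepParent "$app" "$zip"

    if [ -n "${NOTARY_WEBHOOK:-}" ]; then
        # Fire-and-forget: the service calls the webhook when processing ends.
        # Stapling still has to happen later, on a Mac, once the verdict is in.
        result=$(xcrun notarytool submit "$zip" --keychain-profile "$profile" \
                    --output-format json --webhook "$NOTARY_WEBHOOK")
        echo "submitted $(json_field id "$result"); awaiting webhook callback"
        return 0
    fi

    # --wait blocks until the service returns a verdict.
    result=$(xcrun notarytool submit "$zip" --keychain-profile "$profile" \
                --wait --output-format json)
    id=$(json_field id "$result")

    if ! submission_accepted "$result"; then
        echo "notarization of $app not accepted (submission $id); fetching log" >&2
        xcrun notarytool log "$id" --keychain-profile "$profile"
        return 1
    fi

    # Stapling embeds the ticket so Gatekeeper can verify it offline.
    xcrun stapler staple "$app"
    xcrun stapler validate "$app"

    # spctl on the build machine trusts your own developer certs. Repeat this
    # on a clean VM or another Mac to see the verdict an ordinary user gets.
    spctl --assess --type execute -vv "$app"
}

# Constructed samples of `notarytool submit --output-format json` results
# (the ids are made up) for the offline self-check.
SAMPLE_ACCEPTED='{
  "id": "2efe2717-52ef-43a5-96dc-0797e4ca1041",
  "message": "Processing complete",
  "status": "Accepted"
}'
SAMPLE_INVALID='{"id": "1e1a5f3c-0000-4000-8000-000000000000", "message": "Processing complete", "status": "Invalid"}'

if [ "${1:-}" = "--run" ]; then
    shift
    notarize_and_staple "$@"
fi
```

The only step that cannot run anywhere but a Mac is `stapler`; everything before it could equally be driven through the REST API Rosyna mentions, which is why the webhook branch returns right after submission and leaves stapling to a later Mac-side job.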

Previously:

Update (2023-04-21): TN3147:

Migrate your notarization workflows to notarytool from the deprecated altool.


Really nice improvements. Everything about the REST API, including a nice webhook, seems perfect (though I haven't yet tried it out).

I do, however, feel that the notarization system has gone through far too many reinventions: a launch, an overhaul of altool, total deprecation, launch of a new tool, and finally a REST API, all in just a few years.

I've had to rebuild my CI methodology from the ground up, it seems, every couple of years for a while.

Please please please please… if those people ever peruse these comments… consider leaving this next iteration in place for a few years. For small devs this busywork hit hard, and it's especially painful when it's for what feels very much like a "you-problem" (using my teenage sons' rather blunt terminology). ;-)

Well, here's hoping Quinn writes up the actual, working, procedure for doing this once again, since I'll have to update my build script. Hooray for gratuitous changes to security theater that shouldn't even exist.

Old Unix Geek

Alan Curtis made a documentary/movie called Hypernormalization. It was about the time just before the fall of the Soviet Union when everyone knew the system was failing, but no one could find an alternative to the status quo.

Reading sentences like "Notarization works in tandem with macOS to help people safely download software for their Mac outside of the App Store" which cannot be true, makes me feel we are living in such a world of lies. I'm sure the betrized Apple employees don't see the writing on the wall, but it's there ( https://en.wikipedia.org/wiki/Return_from_the_Stars )

