Monday, November 10, 2025

FSF EU Notarization Complaint

Free Software Foundation Europe (via Hacker News):

The EU’s Digital Markets Act (DMA) aims for a structural reset of power in digital markets, a shift from corporate control toward device neutrality, where users decide what runs on their devices. For Free Software, this legislation can be a unique opportunity by finally opening closed ecosystems - like iOS - to Free Software alternatives. Apple has reacted aggressively against the DMA, litigating against regulators, and unfairly excluding Free Software from iOS and iPadOS by blocking the unfettered installation of software (sideloading), prohibiting alternative app stores, and hindering interoperability.

[…]

Apple’s complete review of apps – known as “notarisation” process - a mandatory step for distributing any software on its platforms, represents the very gatekeeping behaviour the DMA was written to prevent.

Notarisation forces all apps, even those distributed outside Apple’s App Store, to be submitted to Apple’s servers for scanning, approval, and cryptographic re-signing before installation. The result is that Apple retains full control over what software users can install and how developers can distribute it. This transforms Apple’s self-appointed “security review” into a choke-point of power, locking in developers and users into the company’s proprietary ecosystem.

[…]

The alternative to Apple’s notarisation already exists, and it works. Decentralised curation, as practised by repositories like F-Droid, shows that security and software freedom coexist inherently. Instead of concentrating trust in a single private authority, decentralised systems distribute it: through transparent verification pipelines, reproducible builds, and community audits. Users choose whom to trust, and curators are accountable to the public, not to corporate shareholders. This model embodies the DMA’s vision of interoperability and openness far better than Apple’s notarisation.

I continue to have problems with even the automated notarization for Mac apps. Seemingly every other build these days, I get an error like this:

[15:16:58.729Z] Warning [KEYCHAIN] Couldn't find keychain item matching ["r_Attributes": true, "acct": "com.apple.gke.notary.tool.saved-creds.AppleNotaryProfile", "sync": "syna", "labl": "com.apple.gke.notary.tool", "class": genp, "m_Limit": m_LimitOne, "r_Data": true]. An error occurred while accessing the keychain. The specified item could not be found in the keychain.
[15:16:58.729Z] Info [KEYCHAIN] No Keychain password item found for: AppleNotaryProfile
Error: No Keychain password item found for profile: AppleNotaryProfile

The first few times, I would run notarytool store-credentials to fix this, but I later found that the item really is still in the keychain, and if I keep retrying the notarization it will eventually work. So, aside from the broader policy question, the reality on the ground is that notarization was introduced more than 7 years ago (with macOS 10.14) and it still adds friction and unreliability to the development process.
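A bounded retry for the failure described above, as an added example that is not from the original post or from Apple: it retries only when the output contains the keychain lookup message from the log and stops immediately on any other error. The `NOTARY_CMD` override, the function name, the attempt count and the delay are assumptions of this example, as is the expectation that a failed `notarytool` run exits non-zero.

```sh
#!/bin/sh
# Added example: retry notarytool only on the intermittent keychain-profile
# lookup error. NOTARY_CMD is overridable (an assumption of this example) so
# the logic can be exercised on a machine without Xcode.
NOTARY_CMD=${NOTARY_CMD:-xcrun notarytool}
KEYCHAIN_ERR='No Keychain password item found'

# notarize_with_retry ARTIFACT PROFILE [MAX_ATTEMPTS] [DELAY_SECONDS]
# Returns 0 on success, 1 on any other failure (not retried),
# 2 when every attempt hit the keychain error.
notarize_with_retry() {
    nr_artifact=$1; nr_profile=$2; nr_max=${3:-5}; nr_delay=${4:-10}
    nr_attempt=1
    while [ "$nr_attempt" -le "$nr_max" ]; do
        # Assumes a failed notarytool run exits non-zero.
        if nr_out=$($NOTARY_CMD submit "$nr_artifact" \
                --keychain-profile "$nr_profile" --wait 2>&1); then
            printf '%s\n' "$nr_out"
            return 0
        fi
        case $nr_out in
            *"$KEYCHAIN_ERR"*)
                echo "attempt $nr_attempt/$nr_max: keychain lookup failed" >&2 ;;
            *)
                # Rejected submission, bad credentials, network error:
                # surface the output and do not retry.
                printf '%s\n' "$nr_out" >&2
                return 1 ;;
        esac
        if [ "$nr_attempt" -lt "$nr_max" ]; then sleep "$nr_delay"; fi
        nr_attempt=$((nr_attempt + 1))
    done
    return 2
}
```

Capping the attempts keeps a genuinely missing profile from looping forever, and the distinct return codes let a build script tell a flaky lookup apart from a real rejection.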

Hammer:

We need to push a phrase like “freely installed apps”. Don’t use their terms. When Apple talks “sideloading” correct the record “I don’t want sideloading from the App Store either, I want freely installed apps from anywhere”.

[…]

At this rate I think we’re all going to end up using Steve Jobs’s original “sweet solution” to break free.

7 Comments


Keychain stored credentials have been broken forever, however at least providing username & password directly works reliably.
/usr/bin/xcrun notarytool submit --apple-id "XXX" --password "YYY" --team-id "ZZZ"
Not great but never encountered any issues with that.

The whole process is frightening though. Your app's notarization might have worked fine for years but suddenly notarization stops working and you basically have no way to get more information nor are you able to release an emergency update in such a case. I recently encountered this where my app was apparently put onto the deep / manual review queue (https://developer.apple.com/forums/thread/784919?answerId=840091022#840091022) and I needed to wait 1-2 days before the status finally changed from "In Progress" and I was able to notarize new builds again.


Yes to freely installed apps. Preferably with a "my device, my choice" or some such.

And then people will say "But what about scams" you just point out that there are scams aplenty on the app stores as it is.

I've recently started making Chrome extensions using Claude, and it's so nice to just build and run my own URL to QR code, or URL to Bluesky post, or full page screenshot extension without any hoops to jump through.


"The alternative to Apple’s notarisation already exists, and it works. Decentralised curation, as practised by repositories like F-Droid,"

How, you mean the thing Google is actually killing: https://android-developers.googleblog.com/2025/08/elevating-android-security.html


Webloading?

Rolls a bit more off the tongue than “freely-installed apps”.


As long as someone who's not a computer wiz, and thinks your MAC address is your street address, has somewhere to get software that they can feel mostly confident isn't going to be malicious. It's one thing to be asked if an app can have all your most private data, it's another to have it stolen from you.

Not every computer user these days is a hobbyist. Not every computer user enjoys the challenge of digging through Wireshark logs to trace network traffic between app and remote command and control servers. And with the commoditization of computers for the past 25-35 years there's been less and less expectation that you have to wrap tape around the bridge of your glasses and wear a pocket protector to be comfortable with computers.

Apple's process is flawed, doesn't catch every malicious app, and does offer them some degree of control over the platform. But it offers a greater sense of security to the grandmothers and parents of kids using the iPhone.

There are too many ill-meaning developers to happily open things up to anybody who can write hello world in Swift or can get Claude to write a malicious app.


> Apple's process is flawed, doesn't catch every malicious app, and does offer them some degree of control over the platform. But it offers a greater sense of security to the grandmothers and parents of kids using the iPhone

That was true a couple of years ago. However the Epic complaint revealed that Apple is willing to use notarisation to block software for reasons other than security, e.g. https://www.reuters.com/technology/epic-games-says-apple-stalling-launch-its-game-store-europe-2024-07-05/

Fundamentally, in the modern world Apple and Google have a duopoly on software sales and purchases.

If somehow you antagonise these two companies -- or, for example, share a name with someone who's antagonised Apple and Google -- you cannot use any app.

This means you may not be able to do your banking, check into a hotel, contact your utility or otherwise partake in society. Increasingly phone apps have features that websites lack, or are required as a first step to initiate a call with customer support.

Similarly if your employer antagonises these two companies, it cannot sell software to anyone, and so will be finished off.

It's to no-one's benefit for such a duopoly to gate-keep people's access to the world like this.


Hear, hear, Chris above.

I'm amazed Apple are digging in their heels so much when it is never going to be appreciated.

A better solution would be to offer users, when first setting up the phone, the curated (however poorly) App Store or, after a reboot, the freedom to download and install things from the web with the express understanding that any problems users get themselves into will be the responsibility of the European Commission.

Job done.
