
New notarization requirements from macOS 10.14.5 onward - dwniydc2hkynuzh
https://developer.apple.com/news/?id=04102019a
======
rgovostes
The crowd here tends to interpret code signing requirements as nefarious steps
down a slippery slope where Apple locks down macOS and applies draconian rules
to deny us access to our own computers. The reality is a little more boring:

macOS has a growing malware problem. The initial solution to this was to
introduce the Mac App Store in 2010, where users could acquire trusted apps
that had been vetted by Apple.

But the Mac App Store wasn't successful by many measures and users continued
acquiring apps elsewhere, including the occasional malware. So in 2012, Apple
introduced Developer ID, tying every app to a developer identity which is
supposed to be verified through the Apple Developer membership application.
This means malware cannot be released by a nameless entity, and that it can be
revoked.

However, having recently cleared off a relative's computer of something like 5
separate "Adobe Flash updaters" all signed by different, and apparently fake,
developers, it seems that the $99 membership fee and identity verification was
not enough to deter fraud and abuse in the program.

The logical next step to protect users is to give Apple more insight into what
is being signed, so that they can be more proactive in detecting and blocking
malware. Thus, notarization, which involves uploading a copy to Apple.

Apple's software engineering org is populated by some of the developers of
your favorite open source projects and indie apps. They're not trying to
destroy the platform that they love. In the past, they've given advanced users
an escape hatch---option-click to run an unsigned app, Gatekeeper settings,
System Integrity Protections settings---and I hope this doesn't change in
10.15. But they are trying to balance this with the needs of 99% of users who
just want their Mac to be protected from malware.

------
whizzkid
"Notarization is not App Review. The Apple notary service is an automated
system that scans your software for malicious content, checks for code-signing
issues, and returns the results to you quickly"

If they truly mean this, and only check done is for malicious content then it
does not sound that bad except the ~100$ developer account each year to be
paid to Apple. Tim Cook needs to be aware of developers being one of the main
legs when it comes to creating a happy user base. If he treats them as second
class citizens, then making shareholders happy will not last long.

------
asaddhamani
It seems like we keep losing more and more control over what we're allowed to
run on our own machines.

~~~
jjoergensen
Comply with the App Store or die :'(

~~~
Yetanfou
Comply with a commercial operator or use free software. Make sure to buy
hardware which supports such from the get-go, especially make sure the
hardware can not be disabled or crippled by the manufacturer for violating
some nonsensical licence. In plain English this now means "don't buy Apple
hardware" as this platform is hostile to free software (e.g. T2 chip which
shuts down the machine when 'unlicensed' software (read 'Linux') is used,
etc).

------
chewz
I wonder how does it affect Hackintosh community?

~~~
realusername
Probably not at all, they will just disable the checks or add another
certification authority.

~~~
jacobush
Hm, maybe time to run "Hackintosh" on a Macintosh.

~~~
alluro2
How about no. When I don't have to pay 2x for an Apple laptop, ridden with
thermal and keyboard issues and to carry dongles for everything ("but it's so
thin!"), I'll be very happy to.

Until then, my X1E, which is durable, maintainable (still to an extent), has
all the ports I might need, light, doesn't throttle, while more powerful, cost
1.7x less on top of that, AND running Mojave - will be making me happy, thank
you very much.

------
vortico
No problem, I'll just add installation instructions to my software for users
to disable notarization. Perhaps even an AppleScript, .pkg installer, or
Terminal command to copy-paste to make the process easier.

~~~
Zr40
No problem, I'll just remove software that requires me to disable
notarization.

~~~
vortico
Your loss

