
Notarizing Your App Before Distribution - tambourine_man
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution?language=objc
======
mikenew
Here's how I'm understanding this:

Currently, you have three options to distribute software on macOS.

1) You register as an Apple Developer (which costs $100 a year) and distribute
through the Mac App Store, where Apple will do their review/automated
scans/whatever, resign the app with their certificate, and then distribute it.

2) You register as an Apple Developer but _don't_ distribute through the app
store, and instead sign your software with the certificate you get through the
developer program. It looks like, starting in macOS 10.14.5, you'll have to
upload your software to Apple to be "notarized" if you want to distribute this
way. It sounds like it's only for new software at first, but eventually old
software will stop working unless it's notarized.

3) You don't register as an Apple Developer, and you just build and distribute
software however you like. Currently, if a user tries to run your software it
simply won't run, and the user has to know to go into system settings and
manually give it permission. What isn't clear (at least to me) is whether this
option will remain unchanged. This sentence:

> In a future version of macOS, notarization will be required by default for
> all software.

kind of makes it sound like _all_ software will have to be notarized,
which implies that you have to be an Apple Developer to distribute at all. But
saying "by default" makes it seem like there's some kind of option given to
the user, so maybe it just means that software that's distributed by a
registered Apple Developer but isn't notarized just moves down into the third
tier of software that has to be explicitly allowed to run by the user.

It seems like Apple's ideal model is that if a user wants to run software of
any kind, it has to go through them (like iOS). I don't _think_ that's what
they're announcing for macOS, but it's a little hard to say for sure.

~~~
willio58
As a lifelong Mac user, if option 3 is removed I will be leaving for Linux.

~~~
marssaxman
Why wait? You can do it gradually. I've been using Macs since 1985, and I
still have one on my desk at work, but I noticed a few years ago that I'd
gravitated toward doing most everything on Linux without really thinking about
it. Just get a Thinkpad or something, put Ubuntu or Mint on it, and see how it
feels.

~~~
inferiorhuman
_Why wait?_

Because I don't want Linux. MacOS largely still just works and Linux is moving
away from its strengths as quickly as possible. _I don't want systemd_. I
don't want pulse audio. I don't want Wayland. Linux's strength, for me, has
been that it's unixy. If I'm moving to a non-unixy setup, like Linux is
becoming, I want it to be as polished and well supported as possible. Linux,
simply put, is none of those.

And, quite frankly, I don't want a Thinkpad (and I can't stand that eraser tip
pointing thing). I bought a 2015 rMBP late last year and cross shopped
offerings from Dell, Lenovo, and one of those Linux laptop companies whose
name is escaping me right now. The Mac won out and didn't command a premium
over comparably specced alternatives.

I'll spare the ranting about the Gnome 3, new GIMP UI and systemd in general
(but these are both major issues for me and symptomatic of a culture I don't
want to buy into). I recently tried to set up a Pi Zero with an Audioquest
DragonFly DAC. The DAC _just works_ in FreeBSD and MacOS with no hassle. I was
able to tweak ALSA to get sound out of it, but shairport-sync can't set the
volume (which works just fine on FreeBSD). WiFi was a struggle as well. I
forgot what an archaic mess of procfs tunables and bizarre config files Linux
on the desktop can be, and I don't want to spend my days debugging my desktop
system.

One of my coworkers at megacorp got the officially sanctioned Linux laptop
(some Dell thing). Like a good end user he installed updates as they became
available. Turns out megacorp bought the Windows version of the laptop and
installed Linux on it. Well, my coworker installed some firmware updates that
promptly re-enabled secure boot borking his system. He lost a day trying to
figure out what happened (Dell wouldn't support Linux on it and corporate IT
was entirely indifferent). I don't want to dodge a minefield masquerading as a
support matrix.

It seems like it's been the year of the Linux on the desktop for most of my
adult life.

Edit: Downvotes don't win over users.

~~~
ufo
I think that is a strange argument to make for preferring macs over Linux.
Many of the things you mentioned are inspired by osx counterparts (for
example, launchd was the main inspiration for systemd)

~~~
inferiorhuman
_I think that is a strange argument to make for preferring macs over Linux.
Many of the things you mentioned are inspired by osx counterparts (for
example, launchd was the main inspiration for systemd)_

How is it a strange argument? Apple did a good job developing its daemons, and
did so for a brand new operating system. Pottering did an abysmal job
imitating Apple and is doing a worse job at maintaining his software (e.g.
Pottering refusing to open CVEs for known vulnerabilities), and has worked
tirelessly to replace working solutions.

If I want non-unix, I go with MacOS. If I want unix-ish, Linux doesn't fit the
bill. Much like how I chafe at the GIMP developers chasing non-existent "pro"
users with unwieldy UI changes, Linux on the desktop seems to be chasing
change for change's sake.

~~~
simula67
You can avoid using systemd[1]. If you don't like the churn of desktop
environments, may I suggest Xfce ? It is usable and does not overhaul things
that often.

I personally prefer systemd and moved from Ubuntu to ArchLinux a long time ago
in order to use it. But I agree with you, the constant overhaul of UI is a
problem which is why I have stuck to Xfce for a long time. I however, do not
use GIMP, but there may be other options out there.

By the way MacOS is Unix, it is a POSIX compliant OS. Also, you can run Linux
on your Mac.

[1] [http://without-systemd.org/wiki/index.php/Linux_distribution...](http://without-systemd.org/wiki/index.php/Linux_distributions_without_systemd)

~~~
inferiorhuman
Right, I can do a lot of things with Linux with enough effort. But for a
desktop OS I want things to just work. Pretty much any major distro that's
supposed to just work is going to be systemd at this point.

And, sure, MacOS is unix-ish but Apple is ripping more and more of the old
NextStep and BSDish things in favor of their own stuff with each version. As
long as it just works I'm pretty happy. There are, however, lots of little
quirks and gaps with their POSIX layer which is why I'd hesitate to call it a
proper UNIX.

 _Also, you can run Linux on your Mac._

Which would be great if I wanted Linux. I don't. MacOS is working just fine
for me.

~~~
saagarjha
macOS is certified UNIX under the Single Unix Specification:
[https://en.wikipedia.org/wiki/Single_UNIX_Specification#macO...](https://en.wikipedia.org/wiki/Single_UNIX_Specification#macOS)

~~~
inferiorhuman
Yep, I'm well aware. But as I said the little quirks and whatnot make MacOS
feel less unixy. Obviously they're not deal breakers for me, but things like
telnet, ftp, and OpenSSL disappearing make it seem like Apple is moving away
from SUS (more than it is?). The delta between MacOS and everything else seems
to grow with each release. It's probably worth noting that no vendor has tried
to get Linux SUS certified and most distributions aren't even LSB compliant.

~~~
JdeBP
In fairness, the command-line world of the BSDs of the 1980s is long gone in
some respects, and this _is not_ just some Apple/NeXT idiosyncrasy.

OpenBSD's ftp command has become a generic multiple-protocol file transfer
tool, different to the ftp commands of the other BSDs. (FreeBSD puts this
functionality into a tool named fetch, instead.)

The r- commands were eliminated from FreeBSD some time ago, with much the same
happening to them as happened with telnet on MacOS. They are no longer in the
operating system, but are applications that one can install from
packages/ports.

BSD re-vamped its command-line interface to ps in 1990. It has been getopt-
based, and documented as such, for 29 years and 7 days.

rc.local was labelled obsolete in FreeBSD in 1995, and deleted from base in
1998.

And so on.

------
kbenson
You know, I really don't mind the idea of something like this (which is really
one of the added benefits of an app store), but I really wish there was a way
to add different trusted parties that could sign apps. _Sort_ of like Android
where you can add third party apps, but actually go the full distance and
allow separate app signing authorities, and while it should be covered in
numerous warnings about not adding another signing authority without complete
trust and nobody should be walking you through it, it shouldn't be terribly
hard to do. If I want to install Amazon App Store apps instead of Android apps
(or vice versa), that shouldn't require me disabling security mechanisms on my
phone and installing a separate program to manage everything.

I guess I basically want the web certificate system but much more selective,
and don't ship a bunch of trusted ones by default. Of course there's basically
zero chance of Apple or Android doing this without outside pressure since it's
essentially them giving up the monopoly they have over their ecosystems.

~~~
threeseed
It's nothing to do with monopolies. It's just that it's an unworkable idea.

The worst a website can do is trick the user into downloading something. The
worst an app can do is steal their data, capture video from their mic/camera,
wipe their computer, turn it into a DDOS bot etc. It's night and day.

And so trusting third party certificate issuers who currently don't verify
websites or their owners and having them now certify apps is a pretty big
leap.

~~~
kbenson
You misunderstood what I was suggesting. I'm not saying existing certificate
authorities should sign apps, but that allowing a trusted authority to sign
and distribute apps that a user could opt in to would be beneficial. Think
yum/apt repo signing keys, and how if you add a third party repo you can
require the public key signatures to match, except tied into the OS much
closer. I used the CA analogy because vastly more people are familiar with
that than the intricacies of open source package management for a few distros.

~~~
dwaite
Even technical users have a limited capacity to properly vet what an authority
should be allowed to do. Not to mention, this becomes a very heavy-handed
choice to the user (as people already see on android), like "either allow this
new app version to now root your phone, or you can't use this service at all"

The reason we can trust the CA certificates loaded in our browsers have proper
processes and operate transparently is that the browser makers leverage those
certificates being preloaded as bargaining power.

Would we have the opportunity to retain that sort of power in this
decentralized world? Or do we start seeing the "essential" apps move out of
the store and doing things like background monitoring of the user?

------
Schnitz
This isn't a big surprise, you should expect the tightening of the screws to
continue and the pace of it to accelerate. The real issue here is general
purpose computing. General purpose computing makes it possible to block ads,
to rip your CDs instead of the industry forcing you to buy the same music
again, etc. and as a result it is THE major obstacle to unlimited rent seeking
and squeezing the last penny out of every user. Expect the industry to keep
working in this direction until everything is as locked down as an iPhone.

See also:
[https://www.youtube.com/watch?v=HUEvRyemKSg](https://www.youtube.com/watch?v=HUEvRyemKSg)

~~~
CharlesW
> _General purpose computing makes it possible to block ads, to rip your CDs
> instead of the industry forcing you to buy the same music again, etc._

I understand the point you're trying to make, but (1) Apple has delivered
software which rips CDs with the OS for 18 years now, and (2) this feature not
only doesn't block any number of ways to block ads, but Apple provides an API
for blocking content (including ads) with both macOS and iOS.

~~~
bangonkeyboard
_> (1) Apple has delivered software which rips CDs with the OS for 18 years
now_

I would be surprised if iTunes survives this one.

 _> (2) this feature not only doesn't block any number of ways to block ads,
but Apple provides an API for blocking content (including ads) with both macOS
and iOS._

Apple's content blocking API is less flexible and useful than the more
powerful general purpose API it replaced in the Safari 12 lockdown, which
proves the parent's point.

~~~
scarface74
It doesn’t allow third party ad blockers to record or intercept your browsing
history.

And seeing that all music sold by Apple has been DRM free for a decade, are
you thinking they are not only going to reenable DRM, they are going to make
it more restrictive in 2020 than it was in 2003?

------
jimmy1
Seems like we need to relearn the concept of liberty, but again in the digital
world.

Yes, liberty is sometimes difficult, and it allows people to make _bad
choices_. Liberty is _hard_.

We've seen this story play out enough times to know that it isn't a slippery
slope. It starts off as a play to "protect the users" or "avoid the bad guys",
or as we have seen in the security theater of other domains, namely the
aviation industry, "for your safety and security"

~~~
airstrike
> but again in the digital world.

You can always buy a different platform. Seems like that's plenty of liberty.

~~~
jimmy1
It seems like a false choice. Can I go start my own oil refinery because I
don't like Exxon, Chevron, BP, or Shell?

------
quotemstr
The death of general-purpose computing is well underway.

Just imagine the world in a decade or two: it'll be one of mandatory secure
boot, remote attestation, and centralized app store distribution. Regular
people just _installing_ software? That's unthinkable. It'll put themselves
and others at risk. Even browser extensions will be tightly restricted. If you
want to write software, you'll have to get a developer's license and
accreditation from an industry-wide professional association, who can remove
your accreditation (and ability to get a run-your-own-code certificate) for
any reason. Sure, you can find some 2019 laptop and run Linux on it, but your
ISP won't forward your packets if they're not signed by a trusted kernel. Good
luck running some tin-pot mesh network in whatever tiny sliver of unlicensed
spectrum remains.

Think this scenario is unlikely? I wouldn't be so sure. All the bits of
technical infrastructure we need for this dystopia already exist in one form
or another. There's also significant social and political pressure to rein in
the internet --- pick your favorite pretext --- and it's inevitable that
platform vendors will respond to this pressure. I've heard a disturbing amount
of talk lately of the need for centralized control in order to combat
"disinformation", for example. Already, we've lost an amazing amount of ground
on software freedom relative to what we had ten or fifteen years ago. Most
people already use a primary computer that they can neither control nor
inspect --- and they _like_ it.

Mark my words: in ten or twenty years, policymakers and very serious
establishment types will regard letting regular people just make their own
software and connecting it to the public internet as unnecessary, dangerous,
and suggestive of some kind of moral fault. It's starting already.

~~~
djsumdog
You can disable secure boot on most modern machines, install Linux, create a
cert and sign Grub or your EFI stub kernel, add that cert to your UEFI (delete
the stock ones) and then you have a machine that can boot Linux and not
Windows.

Of course the major distros like Ubuntu can boot with the default secure boot
keys.

I have a feeling x86 manufacturers would face considerable backlash if they
tried to lock down SecureBoot in a manner where it's impossible to disable.
(and yes, I do know there are some Microsoft devices that are already setup
this way, but the majority of manufacturers do allow control over SecureBoot).
Then again we have Intel ME on all our machines and that's somehow still okay,
so maybe you're right.

~~~
oscargrouch
Part of the point of the OP, as I understand it, is that there's also a
cultural war going on, where if corporations end up getting their way, by
controlling/locking developers and users on their platforms, people will see
this as normal.

This happened before with radio and TV signals. A great way to have peer to
peer communication, with local TV's and radios, ended up being regulated.. and
in our culture, it's normal to sit in front of a TV, and have a few monopolies
to choose what we will watch.

And right now it's unthinkable to revolt to those kinds of laws that forbid us
to transmit content, as we accepted as normal (where's the cultural aspect of
it, shaping our behaviour).

The same will happen to the next generations if we don't take a stand against
this. Normal users won't understand the social, cultural and political
implications of this. Companies like Apple defining what you can or cannot
use, listen, see or install in your own device.

~~~
Wowfunhappy
> A great way to have peer to peer communication, with local TV's and radios,
> ended up being regulated.. and in our culture, it's normal to sit in front of
> a TV, and have a few monopolies to choose what we will watch.

I don't think this is comparable. Radio and OTA TV _needs_ to be regulated by
a central authority or it won't work for _anyone_ beyond a certain level of
technological penetration. There's a set amount of data that can fit in the
amount of spectrum available, and a radio station is transmitted to everyone
whether they request it or not.

You've always been free to create and distribute VHS and cassette tapes
because those don't eat into the amount of spectrum available to everyone.

------
makecheck
This model needs to evolve from “you must sign with Apple” to “you must sign
with one of $TRUSTED_LIST”. There should be a (non-trivial) way to set this,
and if I decide all software signed by my best friend is OK then I should have
that option. Grandmas should be able to trust software from their IT-expert
grandsons and so forth.

There is value in requiring all software to be validated by _somebody_ but
it’s a slippery slope to have ONE. The main reason is, even if I trust “Apple”
now, what is “Apple” in 10 years? (Heck I thought I “trusted” them to always
make desirable hardware, got burned on that one.) Things change. I want
another signatory.

~~~
_wmd
This is literally how code signing worked for Windows. Unsurprisingly signed
malware has been far from uncommon

~~~
jake_the_third
This is literally also how cert signing works for tls. Unsurprisingly
mis-issued certs have been far from common.

This model can work. It's just that Microsoft is being sloppy.

~~~
swiftcoder
Mis-issued certs are common enough that Google et al had to force Symantec out
of the cert issuing business. It's a model that only works with a monopolistic
cartel gatekeeping the ability to issue certs (which is basically Apple's role
in this scenario).

------
floatingatoll
TLDR highlights:

 _Beginning in macOS 10.14.5, all new or updated kernel extensions and all
software from developers new to distributing with Developer ID must be
notarized in order to run. In a future version of macOS, notarization will be
required by default for all software._

—

 _Apple recommends that you notarize all of the software that you’ve
distributed, including older releases, and even software that doesn’t meet all
of these requirements or that is unsigned._

~~~
crooked-v
So the actual title should be "In a future version of macOS, apps signed with
Developer ID will require notarization by default".

~~~
tambourine_man
“…for all software.”

It’s very vague as usual.

I guess the current work arounds will still apply (right click open, for
instance)

But we'll probably have to wait for WWDC for a definitive answer

~~~
sjwright
I wonder, will that include random terminal apps like gnu grep, and if so, how
will the notary be attached?

~~~
saagarjha
They can be distributed without a signature.

~~~
tylerhou
But the post says "all software." Surely that implies that macOS won't let
unnotarized software run?

~~~
saagarjha
That software will not have the quarantine bit set, so I don't think these
restrictions will apply.

------
Nextgrid
I am concerned about the UI for this that says "Apple has checked it for
malicious software and none was found".

How does Apple check against malicious software? What is even considered
"malicious" software? Software that someone might consider benign might be
considered malicious by someone else - it isn't a black and white thing.

The UI just provides a false sense of security. I assume they check it for
known malware, but it wouldn't do anything against a targeted attack where the
malware is custom made and only ever used once. In fact, it would facilitate
the attack by giving the user a false sense of security that everything is OK.

~~~
saagarjha
> How does Apple check against malicious software? What is even considered
> "malicious" software?

It's an automated check that Apple has not disclosed.

~~~
applecrazy
I see how this can help protect against outright malware. However, what if
there's a flaw in the heuristics, and some malware slips through the cracks?
Sure, they can fix their malware scanner, but will they take the time to
retroactively scan all software with their new and improved scanner? Will they
even store every single notarized app on their servers for this to be
feasible? Or will they mandate re-notarization every now and then?

So many questions, hopefully Apple answers these soon.

Edit: phrasing

~~~
saagarjha
They can revoke certificates and add the software to XProtect's blacklist.

------
currymj
I hope a well-informed person will clarify what exactly this means in
practice.

I have to assume that it will still be possible to compile some code and run
the executable without first passing it through Apple’s servers.

~~~
lunixbochs
This is my understanding:

To notarize an app, you upload it to Apple. They'll run malware scans on it
and such.

This only applies to people distributing apps outside the app store with the
$100/year Developer ID certificate. If you're not signing your apps, I believe
the behavior will be unchanged, because your app would already be blocked from
running by default.

When you download an app from the internet using a browser or other
quarantine-aware tool, it receives a "quarantine" bit and metadata recording
the download URL. When you try to run the app for the first time, a window
pops up saying "You got this app from shadywebsite.com, are you sure you want
to open it?". Right now, the app's code signature is checked, and you get a
message saying "this app can't be trusted" if the code signature check fails
or the app isn't signed. Once notarization is required, signed apps that are
not notarized will be prevented from launching in the same way as unsigned
apps.

1. This will probably be a setting under "Allow apps downloaded from:" in
System Preferences -> Security & Privacy you can revert if it breaks your
workflow.

2. If the notarization check reuses the current mechanism, it will only apply
to quarantined apps. If you're compiling something yourself, the compiler
won't put a quarantine bit on it and it will execute fine. Same with
homebrew/friends.
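
As an added example (not part of the original comment, and not Apple's code): the quarantine marker described above is stored in the `com.apple.quarantine` extended attribute, and this Python code parses its value and reports whether the first-launch check would apply to a file. The sample values are constructed, and reading flag bit 0x0040 as "user approved" is an assumption based on commonly reported behaviour.

```python
"""Parse the macOS com.apple.quarantine extended attribute (added example)."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"
# Assumption: bit 0x0040 is set once the user has approved the first launch.
FLAG_USER_APPROVED = 0x0040

# Constructed sample values in the "flags;hex_time;agent;event_uuid" layout.
SAMPLE_DOWNLOADED = "0083;5cb0a1b2;Safari;11111111-2222-3333-4444-555555555555"
SAMPLE_APPROVED = "00c3;5cb0a1b2;Safari;11111111-2222-3333-4444-555555555555"


@dataclass
class QuarantineInfo:
    flags: int                        # bit field, stored as hex text
    downloaded_at: Optional[datetime]  # hex seconds since the Unix epoch
    agent: str                        # program that wrote the attribute
    event_id: str                     # key into the quarantine events database

    @property
    def user_approved(self) -> bool:
        return bool(self.flags & FLAG_USER_APPROVED)


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split a raw attribute value into its fields; raise ValueError if malformed."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"not a quarantine value: {value!r}")
    parts += [""] * (4 - len(parts))   # agent and event id may be absent
    flags = int(parts[0], 16)          # raises ValueError on non-hex input
    when = None
    if parts[1]:
        when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return QuarantineInfo(flags, when, parts[2], parts[3])


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute for `path` on macOS, or None if it is not set."""
    proc = subprocess.run(
        ["/usr/bin/xattr", "-p", QUARANTINE_XATTR, path],
        capture_output=True, text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


def first_launch_check(raw: Optional[str]) -> str:
    """Classify a file by whether the first-launch check applies to it.

    "skipped"  - no quarantine attribute (locally compiled, Homebrew, ...)
    "pending"  - quarantined and not yet approved: signature check on first run
    "approved" - quarantined, but the user already allowed it to open
    """
    if raw is None:
        return "skipped"
    info = parse_quarantine(raw)
    return "approved" if info.user_approved else "pending"


if __name__ == "__main__":
    for label, raw in [("downloaded", SAMPLE_DOWNLOADED),
                       ("approved", SAMPLE_APPROVED),
                       ("built locally", None)]:
        print(f"{label:14} -> {first_launch_check(raw)}")
```

On a Mac, `first_launch_check(read_quarantine("/path/to/Some.app"))` applies the same classification to a real bundle.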

~~~
Wowfunhappy
> 1. This will probably be a setting under "Allow apps downloaded from:" in
> System Preferences -> Security & Privacy you can revert if it breaks your
> workflow.

There's no longer a GUI option to allow unsigned apps by default. It was
removed from System Preferences some versions ago.

But, you can do it via a one-line terminal command:

    sudo spctl --master-disable

~~~
lunixbochs
I'm talking about the setting to disable requiring notarization for
quarantined apps, which doesn't exist yet so I'm simply guessing it will show
up there initially.

~~~
dwaite
Without notarization, the signature of the app is tied to the lifetime of the
developer id certificates. That's one of the benefits of notarization (which
Microsoft also I believe requires now) - the notary can say 'it was signed
while the developer id certificate was still valid', which allows the
signature to outlast the certificate.

I would expect Developer ID certificates to all expire by the changeover, with
the only point for continuing to ship Developer ID certificates would be so
that new app builds can work on pre-Mojave OS releases. Or I suppose skipping
any Apple-run scans of your software.

~~~
lunixbochs
Without notarization, you can still `codesign --timestamp` to have Apple co-
sign your app, which validates that your certificate was valid when you signed
the app, even if your certificate later expires.

Notarization is an advanced version of this where Apple adds to the signature
"we have scanned the app for vulnerabilities and will continue to do so"

------
writepub
This is Apple moving one step closer to completely shutting down execution of
apps that haven't been signed - a virtual app store so to speak. Because
there's no longer a GUI option to allow unsigned apps by default. It was
removed from System Preferences some versions ago.

Apple knows and relies on the fact that a regular Mac user would be
intimidated by requiring a terminal command: `sudo spctl --master-disable` to
enable un-trusted apps!

EU, FTC, et al. need to look into this monopolistic behavior, where Apple
constantly cock blocks anything it hasn't blessed, the fee for the blessing -
a cool $100/year, assuming they don't start arbitrarily rejecting the said
blessing, as is the case with their iOS app store.

~~~
overgard
I personally dislike it, but I don't think it's monopolistic behavior. macOS's
market share is comparatively pretty low and you can install windows or linux
on your mac if you choose to.

~~~
writepub
"Install another OS" is not an acceptable solution, it smacks of technophile
arrogance. Try giving that advice to any senior owning a Mac, wondering why
their favorite (unsigned) app doesn't launch after updating their Mac OS.

Apple's entire marketing strategy revolves around customer empathy, but their
actions don't

~~~
scarface74
But you’re okay with giving that same “senior owning Mac” the responsibility
of choosing which apps to trust? How has this worked out for the last 30+
years?

~~~
lostmyoldone
It has worked mostly fine for OS X during that period, not so much for Windows
though. The blame for the latter is squarely on Microsoft for having had
terrible security defaults and a confusing UI.

~~~
scarface74
Isn’t that exactly what Apple is doing - good default security that won’t
affect most users? What software is granny using that isn’t actively supported
and not already coming from a trusted developer who isn’t already signing
their software to avoid the work around for running unsigned software?

But, no security defaults with either Mac, Linux, or Windows stops an app that
has user level access from having access to all of the user’s documents -
except for apps that are either in the App Store or voluntarily sandbox
themselves.

------
gardaani
Currently, apps distributed in Mac App Store must be sandboxed. Notarized apps
distributed outside Mac App Store must have hardened runtime enabled.

It's interesting that Apple has created two similar protecting technologies.
Here's a good article explaining the similarity / differences:
[https://lapcatsoftware.com/articles/hardened-runtime-sandbox...](https://lapcatsoftware.com/articles/hardened-runtime-sandboxing.html)

------
r_singh
It’s slightly surprising to see people here support this.

I own my Mac, I’m responsible enough to decide what app to use and not to, I
don’t need apple’s help. This transition of OSX to be more like iOS is
definitely gonna result in me switching to Linux for good.

This, plus things like advertising on the App Store are really gonna make me
switch all my devices.

Thanks Apple, but no thanks.

~~~
Wowfunhappy
I don't mind as long as it's optional. I as a user still have the ability to
run unsigned/un-notarized apps, and there's no indication that's changing. I
can also turn off SIP and load unsigned drivers if I want (and I do).

iOS, by contrast, doesn't give you any choice in the matter. That's a big
difference.

~~~
r_singh
You're right, we have a choice. It's just that when my mom or dad download an
app from the browser and it says, app is from an unidentified developer,
they're just not gonna know how to turn it off and Apple knows that about a lot
of its user base too well.

------
delfinom
All I'm reading is Apple is working really hard to avoid calling it an
anti-malware/anti-virus scanner and even centralizing it to cover it up (that's
one of the notarization process's main actions).

------
bobwaycott
If notarization is going to be required by default, and Apple wants users to
depend on this as a signal of trust, they really need to use something other
than light gray text on a gray dialog to inform users that the software
they’re opening for the first time is checked and notarized. That dialog that
you’re trying to open software from the internet feels like a BE CAREFUL
warning—which feels odd when the light gray text says they’ve checked it and
found nothing malicious.

Not that I think users shouldn’t be encouraged to be aware ... but it feels
rather odd.

------
timeimp
How would this affect things like Steam?

~~~
ravenstine
Or Homebrew?

~~~
saagarjha
Homebrew doesn't sign software, so it would be unaffected.

------
supernes
With regards to the bit about plugins, will Apple make exceptions for their
own software like Logic Pro X? I'm not entirely sure what the
hosting/execution model is for AudioUnits and VSTs, what I do know is that
many of them will never be updated to meet any new security requirements. I
bet we're in for a few more years of terrible advice like "run this command
that disables security in the Terminal, then reboot in order to use the
product you bought."

------
pier25
To play the devil's advocate here...

From what I see around me, the vast majority of Mac users spend the vast
majority of their time in mainstream apps (Chrome, Adobe, Office, Safari,
Xcode, Final Cut, Logic, Ableton Live, etc). I don't think this will impact
the majority of mac users negatively.

This will only really impact macOS developers without an Apple Developer
account, which I guess are a minority. Probably in that minority most are
compiling to macOS from Windows or Linux.

~~~
oscargrouch
> To play the devil's advocate here...

You are not being the devil's advocate here.

Whatever MS, Google or Facebook do its the end of the world (as it should),
but apparently for the HN crowd, Apple can do whatever they want.

This monopoly over our digital life will have severe consequences in the
future. People here are so smart, but when its about Apple, their sentimental
reasoning start triggering.

Actions like this one, as many others, are some of the reasons why i never use
anything from Apple. Its like a car factory being able to decide where you
cannot go with "their" car (Its yours). Or the clothing company choosing the
places i can use "their" clothes.

The hacker spirit here ends when it is anything related to Apple, when in doubt
just read the top comments here in this thread. It's not a 'benevolent dictator
hacker' sort of social contract.. it's a company which needs to raise their
profits so their shares keep being valuable to the stock market. If consumers
and developers let them, they will own our digital life, and lock us with
them.

We have no legal framework, and no State to intervene in our interests as it
should be.. States and democracies are a dying species, and we are the ones to
blame.. we, as in the general population, just want the next shiny gadget.

But I bet we will miss the things we have, but don't give much value now. Let's
not forget the share of our lives that are constantly being transferred to the
digital dimension, and how important they are now.

~~~
pier25
On one hand I see your point and agree somewhat, but OTOH the wild unregulated
west has had its issues. Look at NPM for example.

> But I bet we will miss the things we have, but don't give much value now.

For a minority. A vast portion of users are happy with the iOS model.

I don't think the majority of Mac users share your ideology.

~~~
oscargrouch
The problem is not in them using digital signatures, as this is a trend that
is here to stay. The problem is when they are the sole provider of the trust
model.

As others have pointed out, at least they should allow third-parties in where
users could let trusted parties (from his point of view) provide him software
for a machine he owns.

People are being naïve thinking this is really about security, when in fact,
it's about control, power and profits. And when (some) people wake up to this
fact, it will probably be too late to take any action. And I bet the majority
won't even know what they have lost.

It's clear they are not thinking of their users' interests first with this
move, because they are giving security with one hand, and taking freedom with
the other hand.

For instance, if some app competes with them in things they think are strategic,
with the control they have, they can make the app vanish and not be a problem
at all for them.

We see this happening with Google everyday in search results for instance. We
saw this with Windows before, but this time I think it will be much worse..

Hackers will find a way to unlock the kernel, but I'm sure by that time, those
companies would be so powerful, they would have a legislation for that, so
those kind of actions could be punished with fines or even prison.

I know I'm exaggerating in this last scenario, but it is all possible, and with
time it gets more and more likely to happen.

------
moreorless
When I found out that Mojave doesn't work on my Macbook, I moved on to
https://www.bunsenlabs.org which has its roots
from #!. Good lord it is snappy.

------
dgellow
Slightly related: I’m a mac user since almost forever but I’m becoming more
and more frustrated by Apple’s decisions concerning their laptops and macOS in
general. Recently I’ve been looking at Microsoft Surface Book as a potential
alternative if I decide to jump the ship, I also started to move away from
Apple applications as I want to be able to switch to another platform without
too much hassle. I still have to find an alternative to Pixelmator and iTerm2
(this one is really more difficult to replace if I consider moving to
Windows).

Do you have experience to share concerning the Surface Book or moving from
macOS to Windows?

------
maxehmookau
Thanks Apple. Like code signing wasn't already a massive pain in the ass!

------
egorfine
Does this mean that Apple gets notified every time a user runs an executable?

------
mapcars
Why on earth would anyone use apple?

------
nutjob2
Just another reason to build and use a Hackintosh, if you want to be free to
choose your own software. Apple is slowly moving towards an iPhone model with
macOS.

~~~
george_perez
Kernel extensions will also need to be notarized, so Hackintosh doesn't seem
very likely.

~~~
Wowfunhappy
Hackintosh user here: this has literally no impact on anything.

If you turn off SIP, you can run unsigned kernel extensions without issue,
both on a Hackintosh and on a real Mac†.

If you're a Hackintosh user, but for some strange reason you want to leave SIP
enabled, you can inject unsigned kernel extensions via the Clover bootloader.
(I think you may need to temporarily disable SIP during setup or something
like that, I don't fully remember. I just turn SIP off.)

† I actually find this _much_ easier than Windows, which is a royal pain in
the neck if you want to install unsigned drivers.

~~~
auslander
You can have partially enabled SIP. With CSR = 0x01, SIP is fully enabled
except kext signing, more secure than disabled SIP.

~~~
saagarjha
Selectively disabling parts of SIP is unsupported, FYI

~~~
auslander
What do you mean? You can always check: 'csrutil status'. I have all items
enabled except kext signing.

~~~
saagarjha
Does csrutil status not give you the "This is an unsupported configuration,
likely to break in the future and leave your machine in an unknown state."
warning?

~~~
auslander
Warning, not error. And it shows the rest of the protections enabled, good enough
for me.

~~~
saagarjha
I guess if you’re willing to live dangerously it can’t hurt :)

~~~
auslander
It is a Hackintosh. All guides tell you to disable SIP, so I live rather
cautiously :)
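
Added example, not part of any comment in this thread: a shell function that classifies `csrutil status` output so that a partially disabled SIP configuration, like the one discussed above, can be flagged in an audit. The sample text is constructed; its item layout and the treatment of "Apple Internal" as normally disabled are assumptions.

```shell
#!/bin/sh
# Constructed sample (layout is an assumption modelled on the thread's
# description): every item enabled except kext signing.
sample_status() {
cat <<'EOF'
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
EOF
}

# Classify `csrutil status` text on stdin.
# Prints "enabled", "disabled", "unknown" or "custom: <items switched off>".
sip_audit() {
    awk '
        /^System Integrity Protection status:/ {
            state = "unknown"
            if ($0 ~ /status: enabled/)      state = "enabled"
            if ($0 ~ /status: disabled/)     state = "disabled"
            if ($0 ~ /Custom Configuration/) state = "custom"
        }
        /^[ \t]+[A-Za-z ]+: (enabled|disabled)/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, ": ")
            # Assumption: "Apple Internal: disabled" is the normal state.
            if (kv[1] != "Apple Internal" && kv[2] ~ /^disabled/) {
                if (weak != "") weak = weak ", "
                weak = weak kv[1]
            }
        }
        /unsupported configuration/ { unsupported = 1 }
        END {
            if (state == "") state = "unknown"
            if (weak == "") weak = "(items not listed)"
            if (state == "custom" || unsupported) print "custom: " weak
            else print state
        }'
}

sample_status | sip_audit   # on a Mac: csrutil status | sip_audit
```
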

