
Notarizing Your Mac Software for macOS Catalina - draugadrotten
https://developer.apple.com/news/?id=09032019a
======
chadlavi
Apple doesn't require a paid developer account to do this, and it's also not
actually required. A user can still click "Open" from the right-click menu on
a newly downloaded app to open it for the first time, and then double click
the app to open it subsequent times like normal.

This is Apple's official line, but no one is going to actually have to do
anything different if they don't want to. Some not-so-tech-savvy users might
end up with apps they don't understand how to open after downloading them, but
those are also the users most susceptible to falling for malicious downloads,
so I'd call it a pretty good security feature.

Anyway, were any of you who are complaining in this thread planning on
actually publishing an app for macOS, or just here to beat a dead horse?

~~~
filleduchaos
> Anyway, were any of you who are complaining in this thread planning on
> actually publishing an app for macOS, or just here to beat a dead horse?

Anecdotally, I find that the people who are loudest about Apple's misdeeds
(both real and assumed) are often people who've never even used an Apple
product.

There is plenty of legit criticism of Apple to be made, and you certainly
don't have to be an Apple customer to make it. But half the time what I see
instead is pearl-clutching from people who don't have enough experience with
the platform in question to tell what an announced change even does, blowing
up what amount to minor inconveniences into the end of all life as we know it.

~~~
Wowfunhappy
> Anecdotally, I find that the people who are loudest about Apple's misdeeds
> (both real and assumed) are often people who've never even used an Apple
> product.

The other side of this is, when I complain about Apple not allowing
sideloading on iOS, I get asked why I use an iPhone if I don't like the
policy.

(fwiw, I have no issues with macOS as long as unsigned apps can still be run,
and lots of issues with iOS where they cannot be.)

~~~
hultner
But you can sideload an application, you just need to use a computer to do
it.

~~~
rock_artist
There’s no way to publish apps to iOS except paid Apple Developer account.
That’s different than all other platforms where we can get any binary to run.

Other companies only require account for using non-OS API such as Firebase /
Google Services for example.

~~~
filleduchaos
You very much can build and sideload an IPA on iOS if you have (access to) a
computer running macOS.

Sure that's beyond the reach of most people, but how on earth do you people
imagine that people develop and test new apps on iOS devices if you think an
app _must_ be published to the App Store to run at all?

~~~
Wowfunhappy
I feel like I have this discussion every week. It’s technically possible
but—by design—practically unworkable for apps you actually want to use rather
than just test. They expire after seven days, at which point you need to
reconnect to a computer and reinstall them.

------
jakobegger
If you are interested in how app notarisation is enforced in detail, I
recommend watching the WWDC 2019 session "Advances in macOS Security" [1]

Here's a quick summary:

App Notarisation is enforced by Gatekeeper. Gatekeeper only checks software
with the "quarantined" attribute [2]. The "quarantined" attribute is set by
web browsers, email clients, messaging apps, etc.

So this means that Gatekeeper does not check software installed with curl /
brew / port.

You can circumvent Gatekeeper by right-clicking the file in Finder, or by
removing the quarantine attribute.

A change from previous versions of macOS is that Gatekeeper now also checks
programs you start from the command line (if they have the quarantine
attribute set).

[1]: [https://developer.apple.com/videos/play/wwdc2019/701/](https://developer.apple.com/videos/play/wwdc2019/701/)
(Transcript: [https://asciiwwdc.com/2019/sessions/701](https://asciiwwdc.com/2019/sessions/701))

[2]: Actually Gatekeeper now also checks programs that don't have the
quarantine attribute set, but it only checks the signature against a known
malware database, and doesn't require notarisation. Details are in the video
linked above.

~~~
shoeffner
And to remove the quarantine attribute when you are sure you want to run
something:

    xattr -d com.apple.quarantine FILE
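
Added example, not part of any comment in this thread: a Python parser for the value of the `com.apple.quarantine` attribute discussed above, for auditing which files Gatekeeper would still fully check. The `flags;timestamp;agent;UUID` layout and the 0x0040 "user approved" bit are assumptions based on commonly observed values, not something stated on this page; the sample value is constructed.

```python
"""Parse com.apple.quarantine values and classify files (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumption: bit 0x0040 is the commonly observed "user approved" flag.
# Apple does not document the flag bits.
USER_APPROVED = 0x0040

# Constructed sample, in the shape `xattr -p com.apple.quarantine FILE` prints.
SAMPLE = "0083;5d9b2f00;Safari;1A2B3C4D-0000-4000-8000-000000000001"


@dataclass
class Quarantine:
    flags: int                     # hex flag word
    stamped: Optional[datetime]    # when the attribute was written (UTC)
    agent: str                     # program that set it, e.g. a browser
    event_id: str                  # UUID of the download event, may be empty

    @property
    def user_approved(self) -> bool:
        return bool(self.flags & USER_APPROVED)


def parse_quarantine(raw: str) -> Quarantine:
    """Split the semicolon-separated value; trailing fields may be missing."""
    parts = raw.strip().split(";")
    try:
        flags = int(parts[0], 16)
        stamped = None
        if len(parts) > 1 and parts[1]:
            seconds = int(parts[1], 16)  # hex seconds since the Unix epoch
            stamped = datetime.fromtimestamp(seconds, tz=timezone.utc)
    except (ValueError, OverflowError, OSError) as exc:
        raise ValueError(f"malformed quarantine value: {raw!r}") from exc
    agent = parts[2] if len(parts) > 2 else ""
    event_id = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, stamped, agent, event_id)


def gatekeeper_path(raw: Optional[str]) -> str:
    """Classify a file by its attribute value (None = attribute absent).

    Follows the summary in the thread: no attribute means only the known
    malware check applies; a quarantined file gets the notarisation check.
    """
    if raw is None:
        return "malware-check-only"
    try:
        info = parse_quarantine(raw)
    except ValueError:
        return "unparseable"
    return "already-approved" if info.user_approved else "full-check"


if __name__ == "__main__":
    info = parse_quarantine(SAMPLE)
    print(info.agent, info.stamped, gatekeeper_path(SAMPLE))
```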

------
terracatta
As far as I can tell, Notarization only impacts apps/executables that have the
quarantine bit set in their extended attributes. This bit is typically added
by web browsers and other programs when they download files directly from the
internet.

Before notarization, when this bit was set, the user would receive a simple
warning that the software was downloaded from the internet and they should
proceed with caution.

All notarization does is add additional logic to this flow. If the
notarization is "stapled" to the executable, then macOS can verify it offline,
otherwise macOS will connect to Apple's servers to verify the notarization of
an app/binary. This means that by notarizing an existing app, you do not need
to re-distribute it.

This quarantine bit behavior is why upgrading to Catalina does not impact
previously installed apps (regardless of their notarization status) as they do
not have this bit set.

~~~
kjksf
Slow boiling frog.

Given the history of what Apple did in the past, I think it's very naive that
this is the last restriction Apple will add.

First the user could run any app.

Then you had to sign the app or the user would see a scary warning.

Then you had to sign the app or, by default, the user could not open the app,
unless he enables it via a UI that is very confusing (and I assume on
purpose).

Now you have to notarize the app.

It's pretty clear that the end goal for Apple is to lock down Mac OS the same
way they locked down iOS.

Apple needs to protect the hostages, I mean users, from the likes of Mozilla
which produces a dangerous app that duplicates built-in OS functionality,
which is confusing. And it can deliver porn so think of the children!

And they will in Mac OS 10.20, unless the government steps in.

~~~
vunie
>Slow boiling frog.

I agree. All this infrastructure and support doesn't make sense if it is only
used on executables that have some easily modifiable fs attribute set.

I fully expect Apple to try to expand this on all executables at some point in
the future. It'll be interesting to see if they will be able to pull it off.

------
ur-whale
Phone vendors (iOS + Android) invented the whole "t'is your phone, but
actually, it isn't, we'll decide what you're allowed to run on it" trend.

It was just a matter of time until the disease spread to the desktop.

I am no fan of RMS for many reasons, but one thing no one can take away
from him: he totally foresaw the curtailing of freedoms decades before anyone
else did.

It's fully here now.

I expect the next step to be: if you use an unrestricted platform (Linux,
OpenBSD, etc...), you won't be granted access to major chunks of the internet.

And then next: if you want to use Linux, you'll need the IT equivalent of a
carry permit from the govt.

~~~
vunie
> I expect the next step to be: if you use an unrestricted platform (Linux,
> OpenBSD, etc...), you won't be granted access to major chunks of the
> internet.

We already have this in the form of browser drm modules. It's not hard to
imagine similar modules being implemented for network stacks. ISPs and
internet exchanges can be required by law to drop any unencrypted traffic.

Lock down is an inevitability for any technology. General computing, Machine
learning, Encryption, and other technology will inevitably get locked behind a
sea of regulation. The only way to combat this is to keep governments playing
catch up by innovating faster than they can legislate (e.g. mesh networks as a
response to telecom overregulation).

------
timrichard
Scary looking submission, but from what I've read the right-click-menu-open
trick to bypass Gatekeeper still works.

~~~
sjwright
I can't speak to that particular method as I haven't personally played with
Catalina, but you are correct.

    $ sudo spctl --master-disable

definitely works.

~~~
duiker101
Problem is, the average user will never ever do that or even think it's
possible.

~~~
maxaf
Apple’s position is that the average user isn’t supposed to be installing apps
from outside the App Store anyway. Who is the average user, you ask? No one
who posts to or reads HN, that’s for sure. Your parents, grandparents, and
clueless neighbors are all average users. They will benefit from the decrease
in malware and increase in assurance that the app won’t do something fishy.

Everyone else will bypass protections and continue as before.

~~~
raxxorrax
Apple's position might also be the knowledge about creating money from
signatures that can increase the value of their company from their possession.

[https://www.zdnet.com/article/illicit-certificates-worth-more-than-guns-on-the-dark-web/](https://www.zdnet.com/article/illicit-certificates-worth-more-than-guns-on-the-dark-web/)

I think the security effect will be marginal.

~~~
saagarjha
This is quite a reach: I'm sure the amount of money Apple could possibly make
with something like this is marginal.

------
Communitivity
I've used a Mac since the IIGS. This year I bought my first non-Mac (a
desktop) in a long time. Now I am looking at a laptop. I don't think I'll ever
own a Mac again because of this, plus all the other semi-recent things (I need
to have a developer license to write software for an OS built on BSD, what I
perceive as deteriorating quality, low-value features such as the touch bar,
Mac OS becoming more and more IOS like, and more).

My new go-to for dev laptops is a System 76 machine [1]. I am unaffiliated
with System 76 in any way.

[1] [https://system76.com/](https://system76.com/)

~~~
mrunkel
You don't need a developer license to write software on OS X.

~~~
heavyset_go
You do if you want to release it and have your users be able to use it without
being warned that your product is insecure.

------
arthurfm
The blog post below contains a useful flowchart showing how to open a non-Mac
App Store app on Catalina.

[https://eclecticlight.co/2019/10/04/will-gatekeeper-let-me-run-that-app-in-catalina/](https://eclecticlight.co/2019/10/04/will-gatekeeper-let-me-run-that-app-in-catalina/)

A follow-up post mentions that standard users will not see an Open button at
all.

[https://eclecticlight.co/2019/10/05/what-to-do-when-a-newly-installed-app-cant-be-opened/](https://eclecticlight.co/2019/10/05/what-to-do-when-a-newly-installed-app-cant-be-opened/)

------
awwaiid
How does this work with Brew? (Dear lazyweb...)

~~~
geocar
It shouldn't affect brew or software you build yourself.

~~~
swiley
How can it tell you've compiled it and haven't just signed it yourself?

Or does it only check signatures when you're launching things from the GUI?

~~~
Angostura
> Or does it only check signatures when you're launching things from the GUI?

Yes. If you're tinkering with Homebrew, you are not the target demographic.

~~~
flohofwoe
...which makes it all the more annoying for "power users" that there's no
simple switch anymore to allow _all_ apps to run without the
scare/confirmation popups (there used to be a third option in "Security &
Privacy" settings next to "App Store" and "App Store and identified
developers" for this).

~~~
my123
That third option is hidden in the GUI, but can be re-enabled via:

    sudo spctl --master-disable

------
jordigh
"Notarised", what a loaded, feel-good term.

~~~
sjwright
I for one welcome our notarizing overlords. Running a terminal command to
disable it is a very minor inconvenience for us nerds... in return we'll get
fewer tedious house calls from family and friends asking why their computer is
doing weird things.

~~~
johnisgood
I already posted it elsewhere but: on the other hand, people who have been
doing this for a living will have less work to do! I know some people who live
off those calls. :)

~~~
sjwright
Don't worry, endlessly escalating software complexity will keep us all busy. I
love current MacOS but my perception is that it's never been quite as bug-free as it
was in the Snow Leopard era. And I attribute that to increasing complexity.

Part of me wishes that Apple would slow down the big innovation for a couple
of years and get the entire development team working on bug-fixes and polish.

~~~
heavyset_go
> _And I attribute that to increasing complexity._

I attribute it to Apple focusing on iOS and letting their desktop products
slide.

------
chj
This does not require developer membership at least for the moment. That being
said, it's worrying that Apple is becoming the single point of failure in Mac
App Distribution. Windows allows your binary to be signed by third party CA.

------
tomp
If we instead focused on containerization / sandboxes and/or capabilities-
based security, life would be much better (not to mention more secure).

~~~
AgloeDreams
MacOS has all of this, but none of this can protect against abuse of
privileges or tricking customers into thinking their copy of an app is
legitimate and entering third party information into it.

This process, agree with it or not, is meant to stop things that cannot be
stopped with just basic security technology.

~~~
tomp
So they're going to also vet all webpages before consumers can visit them?
That's ridiculous.

~~~
AgloeDreams
The concept of HTTPS must sound crazy to you. Edit: Or this guy:
[https://www.intego.com/mac-security-blog/wp-content/uploads/2016/03/Browser-Fraudulent-Website-Protection.jpg](https://www.intego.com/mac-security-blog/wp-content/uploads/2016/03/Browser-Fraudulent-Website-Protection.jpg)

~~~
tomp
Ah, I see what you're getting at. Well, there's better ways of achieving that,
other than just banning non-compliant apps. Like, similar to HTTPS, we could
add "ticks" into the app toolbar (or something similar) to indicate "verified"
apps. Currently, there's nothing preventing websites from impersonating other
websites, except consumer vigilance and green ticks in the address bar.

------
runn1ng
How to notarize a binary if one does not have macOS? I used to have a cross-
platform build on Docker for macOS, I wonder how would I do it now.

~~~
delinka
_You_ do not notarize. Apple does. You submit the app to Apple for them to
notarize. Pretty sure you don't need a Mac for that.

~~~
icebraining
> Pretty sure you don't need a Mac for that.

Maybe you do, I can't find any way besides using Xcode, either on the GUI or
using "altool", which comes with it.

~~~
delinka
Indeed the only instructions rely on Xcode tools. That sucks.

------
apple_losing_us
I hope Apple is prepared for a massive exodus of developers / ISVs and a class
action or three if they try to force all software through the App Store.

I owned a business focused on iOS and shut it down because of the dumpster
fire the App Store has become. My livelihood will not depend on some halfwit
middle manager.

The day they force Mac software through that dumpster fire is the day 100% of
my Apple products go in the trash.

Enough with the fucking greed already.

------
bobx11
What about python and node binaries? Assuming those don’t fall under the same
group, can we also run electron from the cli if it’s not notarized?

~~~
saagarjha
None of those involve GateKeeper at all, so they'll be fine.

------
tomlong
Is software that isn't currently notarized going to stop working when we
upgrade to Catalina?

~~~
tumult
The other person who replied to you is wrong (edit: assuming they meant in
general, not for only software that you have specifically already downloaded
and run on a single computer before upgrading it to Catalina.)

Non-"notarized" software, when freshly downloaded to a computer running
Catalina, will not run. A dialog will be displayed, telling the user that the
developer needs to update their app for compatibility. There is no further
indication telling the user what to do, and no "run anyway" button.

The developer will need to "notarize" the software with Apple, and receive
their approval. If that happens, then the "notarization" information for the
app bundle will be available via Apple's servers when users attempt to run the
program, and Gatekeeper will attempt to look it up from the Apple's servers if
the "notarization" information is not "stapled" into the app bundle.
Optionally, and probably preferably, the app developer can "staple" the
notarization information directly into the app bundle, and Gatekeeper won't
need to look anything up over the internet the first time the user attempts to
run the program.

~~~
filleduchaos
They aren't "wrong" - sure there's no further indication telling the user
what to do, but you can right-click and run the app from Finder all the same
(requires admin permissions).

It's basically an upgraded Gatekeeper. I'm not quite sure what the pearl-
clutching is about.

~~~
tumult
It's a problem for commercial software for end-users that isn't from the Mac
App Store. Apple continues to tighten the leash, and it's approaching
strangulation.

~~~
filleduchaos
...how exactly is right-clicking (once) to run an app approaching
strangulation, again?

~~~
tumult
Please. I don't think you are replying to me in good faith. (Edit: on further
reflection, I don't think I have anything useful to exchange with you. If you
can't understand why this is a problem, there is nothing more we have to say
to one another. Here's a hint, though: there is no regular menu item to do
this. It's not discoverable at all, intentionally. Macs don't have a right-
click button, and right-clicking or control clicking is not expected to be
necessary to accomplish anything in macOS.)

~~~
filleduchaos
> Macs don't have a right-click button

I am...rather confused as to how you think people bring up context menus on
macOS.

Unless you're being extremely pedantic and mean that I should call it
"secondary-click" instead of "right-click", which wouldn't exactly be in the
best of faith.

------
Tepix
About notarizing:

 _Give users even more confidence in your software by submitting it to Apple
to be notarized. The service automatically scans your Developer ID-signed
software and performs security checks. When it’s ready to export for
distribution, a ticket is attached to your software to let Gatekeeper know
it’s been notarized._

So, on this page it reads:

 _Mac software distributed outside the Mac App Store must be notarized by
Apple in order to run on macOS Catalina_

What does this mean? Is this something that affects merely the default
security setting?

------
elteto
What is the extent of this? Does it apply to every binary I could run on my
computer?

~~~
qtplatypus
Only binaries downloaded via a browser.

------
m-p-3
Is there some contingency for open-source software? Some really nice apps out
there are released by a single dev that does this as a hobby, and imposing a
fee on them to release a software they make simply out of passion may make
them leave the platform if that is the case.

~~~
scarface74
There is no fee.

~~~
m-p-3
Thanks for the info!

------
daffy
One more reason to switch to Linux.

~~~
sgt
Most apps you'd care about in those cases would be perfectly buildable via
Homebrew.

~~~
diffeomorphism
Note that "buildable" is much more of a hassle than "installable".

There is a reason not everybody is using gentoo.

~~~
delinka
homebrew removes that hassle. "brew install" doesn't make you download and
build everything from source.

~~~
diffeomorphism
At present. The impression I got from the threads above is that will change
with this requirement.

> brew cask quarantines, but not regular brew.

> ...which makes it all the more annoying for "power users" that there's no
> simple switch anymore to allow all apps to run without the
> scare/confirmation popups

------
fortran77
You don't own your computers, folks!

~~~
sjwright
Correct. And that's almost universally true for any software program and
operating system you didn't personally write. You don't "own" any software on
your computer, including your favourite Linux & GNU distribution. You agree to
a license which almost always places certain restrictions on what you can do
with the software.

~~~
ForHackernews
This is not necessarily the case:

[http://thedjbway.b0llix.net/license_free.html](http://thedjbway.b0llix.net/license_free.html)

[http://cr.yp.to/softwarelaw.html](http://cr.yp.to/softwarelaw.html)

~~~
sjwright
Sure, if you accept the feel-good corporatist double-speak that is "owning
copies" of intellectual property.

~~~
dahart
There are restrictions on what you can do with almost all products, commercial
_and_ open source, e.g., see licenses, copyrights, moral right, trademarks,
patents, trade secrets, etc.

What do you want “own” to mean, exactly? What do you want to do with your
software that you can’t do right now?

------
atoav
»Beautiful _General Computation Device_ you got there. Would be a shame if it
couldn’t generally compute anymore..«

~~~
atoav
(this was just a joke, sorry if it annoyed you)

------
mikece
Officially this is being done in the name of security... is it really or is
this a cash grab to coerce everyone making apps for macOS to pay the $99/year
fee which is required for the signing/notarizing being mentioned?

~~~
realusername
The "security" part is of course complete bullshit. They slowly want to turn
macOS into a walled garden for more control and profit like they did in the
mobile space.

~~~
Angostura
Except of course it isn't complete bullshit. It's saved me a few times where
naive family members (one greater than the age of 80, the other under 12) have
inadvertently downloaded mal/annoyanceware and tried to install it.

Crapware is a substantial cause of 'my machine's not working properly' among
the less technically savvy

~~~
realusername
There's no relation between proper sandboxing (actual security) and a walled-
garden like apple is building.

You also can download malware on the App Store.

~~~
Spivak
Okay, your wish is granted. "Apps that want to escape an extremely minimal
runtime sandbox need to be approved by Apple."

~~~
realusername
I would prefer to leave that choice to the user.

~~~
qtplatypus
And the user can choose to bypass that check by removing the quarantined flag.

~~~
realusername
You have a point but that's exactly the same on an app store. They can just
select "yes" to the permission dialog and we have exactly the same issue.

------
orf
So now you need a 100$ a year license to publish any software on MacOS?

~~~
sjwright
No, Apple doesn't require a paid developer account for you to receive a
notarizing certificate.

~~~
duiker101
*yet.

These sorts of things are always gradual to not scare people off. First it's a
popup that you need to right click->open to bypass, then it's notarising, soon
no software from outside the store will be allowed.

~~~
sjwright
Worry about the slippery slope when the slippery slope actually slips. For now
there's good reasoning behind what Apple has done and I applaud their active
concern for badware.

~~~
badsectoracula
> Worry about the slippery slope when the slippery slope actually slips.

Wouldn't that be too late? After all we have "warning! slippery surface" signs
to avoid slipping, we don't just let people slip and fall over to figure out
the surface is indeed slippery.

~~~
sjwright
Too late for what?

~~~
badsectoracula
For not falling down. By the time you have slipped, you are already in pain.

------
davidhyde
If you want to develop apps for Windows you have to get around their smart
screen which is particularly difficult to do if you are not well known. I
don't think Apple should charge so much because it doesn't cost them that but
it is a good thing that they have some sort of mechanism for connecting the
original authors to the built software. Follow the money and you find the
source.

~~~
TruthSHIFT
Actually, Apple doesn't charge anything for a developer account to notarize
Mac software.

~~~
davidhyde
Cheers, that's good to know

