hoakley April 12, 2019 Macs, Technology

How does notarization affect your own apps and scripts?

If you read Apple’s latest article about notarization of software, you could be forgiven for assuming that the ominous words “in a future version of macOS, notarization will be required by default for all software” apply to macOS 10.15. If that were literally true, the problems brought would make dropping 32-bit support look trivial in comparison.

If you want to take a quick look at how few apps are currently notarized, and Xcode installed with its command tools, open Terminal and run this little script, written by @tperfitt at Twocanoes Software:
for i in /Applications/* ; do stapler validate "${i}"|grep -B 1 worked;done

Thanks to Al (in his comment below) for providing a version for those who don’t have Xcode installed, but do have its command tools:
for i in /Applications/* ; do /Library/Developer/CommandLineTools/usr/bin/stapler validate "${i}"|grep -B 1 worked;done

Unfortunately, there isn’t an equivalent tool bundled with macOS Mojave itself, although you can inspect signatures using spctl, something which my free app Taccy does.

That should list all the apps in your Applications folder which are currently notarized. In many cases, you’re likely to find less than half a dozen, and those from major vendors such as Adobe and Microsoft won’t be among them. What if some of the tools you have are your own apps and scripts: how on earth are you going to keep them running in macOS 10.15?

Of course, the answer is that Apple’s words are quoted out of the context of the rest of that article, which is aimed at developers who distribute their apps over the Internet, outside the App Store. If they’re not responding now and getting their apps notarized, then they may have a problem when 10.15 arrives. But recall my summary of a couple of days ago:

Notarization is only checked when you first run an app which has been downloaded from the Internet and has gained a quarantine flag as a result.
None of this affects your existing apps, provided that they have already been run, even if migrated from an older Mac.
This affects apps and executable code bundles, including kernel extensions, but not command tools, nor apps installed from the App Store.
This also affects updates to existing apps and kernel extensions which are downloaded from the Internet.

So if you’ve got folders full of your own apps which haven’t gained a quarantine flag because they weren’t downloaded from the Internet, or which have already cleared quarantine following download, they will continue to open and run fine in 10.15. Apple hasn’t announced that it’s changing the way that Gatekeeper works, and if it were even to consider that, the penalties would be seismic.

That does, though, leave many wondering how they’re going to be able to share tools as they have in the past. Unfortunately, the news for them isn’t good at all. If you want to make such apps available to others via download, the only way that this will work in 10.15 and later is for you to go through the whole process of signing them with a developer ID and notarization. Probably.

I write probably because Apple’s article glosses over many issues, some of which surfaced in exchanges of tweets with @tperfitt, Jeff @lapcatsoftware, Michael Tsai @mjtsai and others, and some live experiments by them. This concerns the apparent contradictions in Apple’s instructions in the section headed Prepare Your Software for Notarization, notably:
Apple’s notary service requires you to adopt the following protections:
Enable the Hardened Runtime capability for your executable targets
and
Apple recommends that you notarize all of the software that you’ve distributed, including older releases, and even software that doesn’t meet all of these requirements or that is unsigned.

How on earth can an app be hardened, something only available in recent versions of Xcode, to meet the first requirement, but remain unsigned?

The answer seems to rest in what built the app in the first place. If the app declares that it was built using a recent version of Xcode, which supports hardening and notarization, then the latter will expect it to comply with the new and rigorous rules, including code-signing and hardening. If your app is built with an older version of Xcode, or a different tool, then legacy rules apply, as described later in that article.

The problem with trying to get an app notarized under the latter legacy rules is that you can’t use the sleek and simple process built into Xcode 10, but must use its command tools instead. Apple’s account seems fairly straightforward, but Rich Trouton gives a fuller account from his recent experience in notarizing some Automator workflows. But don’t worry: you’ve got this to look forward to every time that you build a new release version!

There is another catch in Apple’s glib recommendation “that you notarize all of the software that you’ve distributed, including older releases” which you should think through carefully. I have been progressively notarizing my free apps here since 1 August last year. If I were to notarize old versions from before that date, as Apple recommends, would I really want users downloading, installing, and trying to use those old versions in macOS 10.15?

If you’re still distributing apps which were last built before the introduction of notarization, you might like to think about whether they would benefit from a fresh build for 10.15, and use your time notarizing that instead.

Postscript

Another valuable resource for those struggling to integrate notarization into their workflow is Twocanoes Software’s account here.

15Comments

Add yours

1

alvarnell on April 12, 2019 at 10:05 am

Since I only have Command Line Tools installed and not Xcode, I needed to change @tperfitt’s command to:
for i in /Applications/* ; do /Library/Developer/CommandLineTools/usr/bin/stapler validate “${i}”|grep -B 1 worked;done

LikeLiked by 1 person
- 2
  
  hoakley on April 12, 2019 at 10:27 am
  
  Thank you. I was forgetting that dependence and will amend the article later to make that clear.
  Howard
  
  LikeLike
3

David C. on April 12, 2019 at 2:49 pm

I think there may be more panic than necessary over notarization here. If you look closely at Apple’s statement, they say: “In a future version of macOS, notarization will be required by default for all software.” (emphasis mine).

Note they do not say “will be required”, but “will be required by default”. This strongly implies that it will be possible to configure Gatekeeper to permit un-notarized apps (much like how you can configure it to allow unsigned apps today), and/or that you can manually right-click/open an app to approve something that would normally be blocked.

Of course, it still makes sense for anybody with a paid-up developer ID to go through the notarization process, but for small-time/individual developers (like myself) who only have the free developer account (in order to download Xcode and related tools), I will still be able to send a copy of something I slap together to friends and family.

LikeLiked by 1 person
- 4
  
  hoakley on April 12, 2019 at 4:41 pm
  
  That’s possible, but nowhere has Apple indicated that it is going to happen in 10.15. I wouldn’t bank on it. In all Apple’s pronouncements, it has given the options for downloaded apps in ‘a future version of macOS’ as being notarization or the App Store.
  There are other workarounds, of course, such as stripping the quarantine flag before first run.
  Howard.
  
  LikeLike
5

Michael Tsai - Blog - macOS 10.14.5 Requires New Developers to Notarize on April 12, 2019 at 6:33 pm

[…] Update (2019-04-12): Howard Oakley: […]

LikeLike
6

Jon Gotow on April 12, 2019 at 7:33 pm

IRC, you can also notarize disk images – perhaps that’s what Apple’s referring to when they say “Apple recommends that you notarize all of the software that you’ve distributed, including older releases, and even software that doesn’t meet all of these requirements or that is unsigned.” If you distribute apps on disk images, you could presumably just notarize the disk images to get them through Gatekeeper checks without touching the application(s) on the image at all.

LikeLiked by 1 person
- 7
  
  hoakley on April 12, 2019 at 7:38 pm
  
  Thanks.
  No, this is one of the most confusing parts of Apple’s docs. When I read it, I understood what you have. But it’s wrong: you can’t notarize a disk image at all. What you can do is submit your app (or whatever) in disk image format. The thing that gets notarized is the app in the disk image, which in turn either has to comply with the new rules for Xcode 10, or the legacy rules.
  Confusing, isn’t it?
  Howard.
  
  LikeLike
- 8
  
  hoakley on April 12, 2019 at 7:41 pm
  
  I was initially excited about this, as I have a few command tools here. As you know, you can’t notarize a command tool. But I distribute these in Installer packages, which I sign using a Developer Distribution certificate. So I thought that I would be able to notarize those Installer packages, another option offered. But if the app in the package isn’t notarizable, that doesn’t work, as it’s not the package that gets notarized, it’s the app inside it.
  Howard.
  
  LikeLike
  - 9
    
    gotow on April 12, 2019 at 9:50 pm
    
    Argh – ok – I haven’t investigated it as thoroughly as you have. That sucks. I’m still put off by the fact that I can’t notarize an app because my Xcode project builds multiple application targets to generate its helper apps as well as the primary executable. Xcode won’t create a distributable archive for a multi-executable app, so I can’t upload it for notarization. Unless I’m missing a simpler way, I’m going to have to split this complex project into two projects and have my app’s project build the helper app project with a custom build phase that calls xcodebuild.
    
    LikeLiked by 1 person
    - 10
      
      hoakley on April 12, 2019 at 10:44 pm
      
      I didn’t realise that Xcode couldn’t do that. That sucks badly. Have you contacted Mike Bombich? Carbon Copy Cloner has helpers, and he is notarising already, so may able to explain how he has managed it.
      Howard.
      
      LikeLike
    - 11
      
      gotow on April 13, 2019 at 3:59 pm
      
      Yeah, the Xcode archive process was designed for iOS App Store apps, so has its limitations. Thanks for the tip – I’ll contact Mike.
      
      LikeLiked by 1 person
12

Leo on June 3, 2019 at 6:05 am

Howard, I read with interest your articles regarding notarization – thanks for posting all this info!

On the other hand, there’s still one situation on which I can’t find info anywhere: how to notarize apps that are installed with a custom installer.

For example, I have some tools for Adobe InDesign. The tools are just Cocoa apps. I also have a custom installer for those tools, which is also a Cocoa app.

The installer contains an app for InDesign inside its package. The installer then copies the app into InDesign’s Plug-Ins folder.

I couldn’t find any info on notarizing apps in this situation… Should I notarize the app and installer separately? Or should I notarize the app, put it inside the installer, then notarize the installer?

I did ask Apple – but they only linked me to their documentation where I can’t find any answer anyway.

I wonder if you have a better clue on the subject by a chance?

Thanks!

LikeLiked by 1 person
- 13
  
  hoakley on June 3, 2019 at 6:15 am
  
  Thank you.
  Apple’s documentation isn’t explicit about this situation, and I’m hoping that WWDC this week will bring much greater clarity.
  As far as I can see at the moment, each app which you want to run under 10.15 will need to be notarized. So in this case, the installer app will need to be notarized for sure. But when a user comes to run the apps which that has installed, they too may need to be notarized: I don’t think that the notarization of their installer will cover that, particularly if they get quarantine flags attached prior to first run.
  If that’s true, you’ll need to notarize the tools first, then package them all in the installer app, and finally notarize that as well.
  But hopefully by the end of this week we’ll all be a bit wiser.
  Howard.
  
  LikeLiked by 1 person
  - 14
    
    Leo on June 3, 2019 at 7:03 am
    
    Thanks Howard – I’ll be watching for new info this week. And it’s good to have a confirmation that this scenario isn’t clearly documented by Apple indeed.
    
    LikeLiked by 1 person
15

Updated List of macOS 10.14.5 - 10.15 Notarization Links & Info on August 7, 2019 at 2:05 am

[…] How does notarization affect your own apps and scripts? – 04/12/19 […]

LikeLike

·Comments are closed.

Share this:

Related