Notarization in Mojave and Catalina

Whatever you do with your Mac, there are two major changes which are coming in macOS 10.15 Catalina, and one of them already applies to Mojave.

The most obvious is the loss of all 32-bit software, which only applies to Catalina, and was all but pre-announced. Apple has confirmed that no 32-bit software – app, command tool, or anything else – will run in Catalina. There’s no let-out or special configuration which will allow it. If you need to run 32-bit software when you have upgraded to Catalina, then probably the best way is in a VMWare virtual machine running Mojave or earlier.

The other change which was also effectively pre-announced is the requirement for notarization of software. In this article I’m going to look in more detail at what this means for both Mojave and Catalina, based on Apple’s excellent presentation for developers at WWDC, by Robert Kendall-Kuppe and Garrett Jacobson. Most importantly, this doesn’t just affect macOS 10.15 when it ships this autumn/fall.

What is notarization?

It’s the next step beyond code signing. To get software notarized, you have to be a signed-up developer with an Apple-issued developer certificate, and submit the software to Apple for checking to ensure that it doesn’t contain malware.

It’s also more complex than that, as there are two different routes to notarization. Developers can submit existing apps under a legacy process, or they can build a new version and submit that for a new notarization. In the latter case, the software also has to be hardened, a new security setting which I’ll explain later.

New notarizations normally attach or staple a special ‘ticket’ to an app (but not to some other types of executable code), which is checked when they undergo their first run with the quarantine flag set. Legacy notarizations don’t usually come with a ticket attached. But in all cases, when macOS puts them through first run checks, if the quarantine flag is set, macOS should verify their notarization and signature with Apple’s servers. What isn’t clear at present is how that behaviour works if your Mac can’t connect with those servers, but you want to run that app.

Where notarization goes a significant step further is in checking not only the signature, but the version and approval of that app. Prior to notarization, any developer who had a code signing certificate which was valid could sign any app or other software that they liked, including malware, and they still can. So long as my developer certificate remained valid, I could re-sign and distribute a specially doctored release of Microsoft Word, for example. Notarization doesn’t allow that, and is specific to developer, software, and that particular version. If any of those don’t check out at first run, the app should be crashed out immediately.

When is notarization required?

Most of us were expecting it to become a requirement for apps downloaded from the Internet rather than the App Store, getting a quarantine flag, and undergoing their first run in Catalina. It isn’t as simple as that, and already partly includes Mojave 10.14.5.

Software built before 7 April 2019, even when being first run with a quarantine flag, shouldn’t require notarization in Mojave or Catalina.

Two types of software built from 7 April 2019 do require to be notarized, even when being installed on Mojave 10.14.5, according to Apple:

kernel extensions, but only new extensions and new versions signed from 7 April 2019 onwards. If they aren’t notarized, there’s a workaround which bypasses checking of notarization, at least on Mojave;
apps signed by new developers, whose first use of their code signing certificate occurred from 7 April 2019 onwards. This is likely to apply to very few products, and is apparently enforced in 10.14.5, although you can probably bypass it by using the Finder’s contextual Open command.

This article discusses how you can check whether an app, kernel extension or other code is notarized.

This changes again as of 1 June 2019 with respect to Catalina, but not (as far as we know) in Mojave. From that date onwards, all newly-signed apps and other executable code which undergo first run checks (because of a quarantine flag) are required to have been notarized. You can still run apps which haven’t been notarized or even remain unsigned in Catalina, though.

What benefits does notarization bring?

In Mojave, although there are mechanisms for checking notarization, there might appear to be no direct benefits to the user other than the added confidence of knowing that Apple has checked them for malware, as their first run dialog states.

In fact, both Mojave and Catalina are quite different from High Sierra. In addition to undergoing first run checks, hardened (thus all newly notarized, but not legacy) apps run in a protected environment which isn’t a sandbox (already used for App Store and other apps), but which severely limits the ability of malware to hijack them.

Code which they run is subject to signature checking, and their own integrity may be checked at times too. Their code signatures aren’t going to be largely ignored after first run, and some kinds of tampering with a hardened app should make it impossible to open without it crashing immediately. These additional layers of security are provided by the SIP mechanism. Where they need to, hardened apps can opt out of some of that protection, but by default they should benefit from it. Notarization is for life, not just first run.

Protections claimed by Apple include:

code can’t create executable memory without it being associated with a code signature;
when read from storage, all code and data mapped into the running code must match their code signatures;
code which is modified in memory and doesn’t match its signature can’t be executed;
protection from code injection and dylib hijacking.

Do your own apps need to be notarized too?

If you build your own apps, using Automator, AppleScript, another scripting system or even Xcode, you don’t need to acquire a developer ID, code signing certificate, and start notarizing them unless you provide them to others via the Internet. Catalina still runs apps which haven’t been notarized or even signed, including those built after 1 June 2019. But you may find them more complex to run, and they don’t of course benefit from any of new security protection unless they’re signed and hardened.

Apple has, though, announced that it intends that a future version of macOS (possibly 10.16) will not run unsigned code so readily. How that will affect those who build their own apps isn’t yet clear. Let’s get notarization sorted first.

One other factor which might have played a role in all this is the version of Xcode and its SDK which software is built with, but Apple doesn’t suggest anywhere that might be the case. It is of importance when considering Catalina’s new privacy protection – a subject I will cover here soon.

Thanks to Rosyna Keller @rosyna for corrections to the benefits of the hardened runtime given above, pointing out that these also apply to Mojave and haven’t changed in Catalina.

8Comments

Add yours

1

Joss on June 7, 2019 at 7:58 am

AppleScript & Automator apps will need to be notarized on the command line with the new `altool` CLI that is installed together with Xcode.

As for blocking of unsigned code execution on macOS 10.16 (or 10.17?), Apple said that this will just be the “default” setting, and that their stance will forever remain that they want users to be able to run *any* code, app or program on their system, even apps that change themselves at runtime, so there will most definitely be a way around it. I just hope that it doesn’t involve switching off Gatekeeper as a whole. I’d rather register an unsigned, but trusted app for launch with the system. I’d even be fine with signing unsigned bundles, but Apple can’t expect every user to create a developer account, download Xcode, then install the free Mac Developer certificate to do that, i.e. they will need to provide every user with their own code-signing certificate by default, one that’s only valid locally.

Though, my main fear is for unsigned CLIs, programs installed by package managers etc. Gatekeeper has been extended to now scan processes, even when they’re launched with a different method than LaunchServices. So I fear there will be some restrictions or obstacles, including pre- & postflight scripts in installer packages.

And speaking of package managers: with the system now being on its own read-only volume—which I think is (in principle) a great idea, by the way—, what will happen to user-generated files in root, e.g. /opt, which you need for MacPorts?

LikeLiked by 1 person
- 2
  
  hoakley on June 7, 2019 at 8:23 am
  
  AppleScript and Automator apps are only required to be notarized when they are delivered over the Internet, so given a quarantine flag. Catalina continues to run unsigned apps and other code, and that includes users’ own AppleScript and Automator actions, and those which are shared without the quarantine flag.
  There are already some third-party tools appearing to make notarization of such tools easier than using the command-line tools supplied with Xcode. I expect those to flourish over the next few months, as notarization via the command line is a pig. It’s a great shame that Xcode 11 doesn’t currently provide a more friendly system, and only bundles command tools for this task. altool has been available in Xcode for a year or so now, and doesn’t staple the ticket to the app, for which you need to use stapler. Neither of those can check notarization, so you also need to use spctl to do that. Even for those comfortable at the command line, this isn’t easy; as many use AppleScript and Automator because they don’t want to work at the command line, there is a substantial problem.
  It remains to be seen what this ‘default’ setting entails. However, Apple definitely wants to end users running unsigned code on macOS except under special circumstances, and a very good thing too. Clearly it has to look at how best to implement that, and what is practical. We’ll no doubt hear more in the future.
  I have yet to look in detail at the new system volume layout, but it isn’t correct to say that it’s read-only: it’s not. It is, though, largely protected by a combination of SIP and root permissions, the latter covering the many files which are writable.
  Howard.
  
  LikeLike
  - 3
    
    Joss on June 7, 2019 at 8:32 am
    
    Don’t forget that the dedicated system volume is still read/write in the first Developer Beta. (At least that’s what I’ve read.) It’s said that in the next beta release Apple will then switch to read-only. You could probably run the df command on files to see if they’re on the system device, i.e. if they will be read-only eventually.
    
    LikeLiked by 1 person
4

Michael Tsai - Blog - Security & Privacy in macOS 10.15 Beta on June 10, 2019 at 7:45 pm

[…] Howard Oakley: […]

LikeLike
5

brunchboy on July 8, 2019 at 11:18 pm

I’ve been struggling mightily to understand how I am going to cope with this for the application I currently deliver as a code-signed disk image for the convenience of my Mac users. Beat Link Trigger is not created by xcode: it is an executable cross-platform Jar file built from Clojure source using leiningen, and its purpose is to allow users to create custom integrations with Pioneer DJ gear, writing their own snippets of Clojure code that get compiled and run at the appropriate times when DJs play tracks. So I can’t figure out how I would notarize it (I am hoping the javapackager tool, which keeps slipping to future OpenJDK releases, will support notarization, in addition to the way the old Oracle Java 8 version supported code signing, but I am not holding my breath). And even if I can get the notarization to work, how would I even express entitlements for something that is intended to be able to load aribtrary third-party libraries of the user/developer’s choice, and compile and run arbitrary code at run time?

I fear I will have to give up on having a nice self-contained application with icon and easy launching, and go back to telling people to install Java on their own and use the command-line “java -jar …” incantation to run it, but that seems like such a step backwards being foisted on them by Apple.

Or am I being too pessimistic?

LikeLiked by 1 person
- 6
  
  hoakley on July 9, 2019 at 7:45 am
  
  I see your problem, but don’t think it’s insurmountable. The hardened runtime does allow for JIT use and various other features. Would it be worth contacting developer support to see if the security team might be able to provide more explicit advice? I’m sure that you’re not the only one in this situation.
  Howard.
  
  LikeLike
7

Harold on November 24, 2019 at 8:36 am

ClickInstall can create a notarized installer for your macOS App, see https://www.excelsoftware.com/clickinstallmac

LikeLike
- 8
  
  hoakley on November 24, 2019 at 4:37 pm
  
  Thank you – it does appear to be able to, for $395.
  For my freeware here, that seems quite expensive!
  Howard.
  
  LikeLike

Share this:

Related