Will my app/tool/extension run on Catalina?

Following recent articles here and elsewhere in the press, several people have asked me whether their software will run in macOS 10.15 Catalina. This article is an attempt to make this complex issue clear, and guide you in your preparations over the coming months.

1. Does it contain any 32-bit executable code?

Catalina won’t run any executable code which is 32-bit. There’s no magic switch or compatibility mode. Check your apps and other executable code using my free 32-bitCheck and/or ArchiChect: if they report that it contains 32-bit code, then Catalina won’t run it.
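A check of the kind described above, as an added example; it is not the code of 32-bitCheck or ArchiChect. It reads the Mach-O or universal-binary header of each file in a folder and reports any slice whose CPU type lacks the 64-bit ABI flag; the function names and sample headers are constructed for illustration.

```python
import os
import struct

ABI64 = 0x01000000  # CPU_ARCH_ABI64: set in the cputype of 64-bit slices
NAMES = {7: "i386", 7 | ABI64: "x86_64", 18: "ppc", 18 | ABI64: "ppc64"}
# Thin Mach-O magic as stored on disk -> byte order of the header fields
THIN = {b"\xfe\xed\xfa\xce": ">", b"\xce\xfa\xed\xfe": "<",
        b"\xfe\xed\xfa\xcf": ">", b"\xcf\xfa\xed\xfe": "<"}
# Universal (fat) magic -> size of one fat_arch entry; fields are big-endian
FAT = {b"\xca\xfe\xba\xbe": 20, b"\xca\xfe\xba\xbf": 32}

def slices(data):
    """Return [(arch_name, is_32bit), ...] for a Mach-O header, else []."""
    magic = data[:4]
    if len(data) < 8:
        return []
    if magic in THIN:
        cputypes = [struct.unpack_from(THIN[magic] + "I", data, 4)[0]]
    elif magic in FAT:
        count = struct.unpack_from(">I", data, 4)[0]
        # Java .class files also start 0xCAFEBABE; their next word is the
        # class version (45 or higher), so a large "count" is not Mach-O.
        if count >= 45 or len(data) < 8 + count * FAT[magic]:
            return []
        cputypes = [struct.unpack_from(">I", data, 8 + i * FAT[magic])[0]
                    for i in range(count)]
    else:
        return []
    return [(NAMES.get(c, hex(c)), not c & ABI64) for c in cputypes]

def find_32bit(root):
    """Walk an app bundle or folder; return {path: [32-bit arch names]}."""
    hits = {}
    for folder, _, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                bad = [a for a, is32 in slices(fh.read(4096)) if is32]
            if bad:
                hits[path] = bad
    return hits

# Constructed sample headers, not taken from any real app
THIN_64 = b"\xcf\xfa\xed\xfe" + struct.pack("<I", 7 | ABI64)
UNIVERSAL = b"\xca\xfe\xba\xbe" + struct.pack(
    ">11I", 2, 7, 3, 4096, 512, 12, 7 | ABI64, 3, 8192, 512, 12)
JAVA_CLASS = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)
```

A universal binary is reported as soon as one of its slices is 32-bit, even when a 64-bit slice sits beside it, so the report names the slice rather than just the file.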

There are two good solutions where you must still run code which is 32-bit: setting up a dual-boot system, able to fall back to starting up in Mojave, or running Mojave in a Virtual Machine, hosted perhaps in VMware, which seems the most flexible and reliable virtualisation platform for this task.

Recent versions of macOS have made dual-boot systems progressively more difficult, with changes in APFS, snapshots, and other underpinnings which can cause cross-version incompatibility. I will be opting for a VM myself, as that is generally cleaner and doesn’t affect the underlying macOS.

2. Is the code signed or notarized?

Apple’s WWDC is its annual conference for developers, the overwhelming majority of whom work on commercial products. What Apple tells developers there is what they should be doing, and those who distribute their software outside the App Store should now be getting it notarized by Apple. That doesn’t, though, apply to regular users or those who build their own scripts and other tools.

Apple has made it clear that Catalina will still run unsigned code in apps, command tools, and pretty well anywhere else – except of course in kernel extensions. If you build your own software, whether from open source or your own code, then you can continue to do so, and Catalina will continue to run it.

At some time in the future, though, you may find that you need to run at a different security setting in order to be able to run code which hasn’t been signed. Catalina adds more security-checking of apps and other executable code, more than any previous version of macOS. Although unsigned code can still be run, without a signature it can’t have its integrity checked, and it is a potential vulnerability.

Provided that an old app or tool hasn’t broken its signature (or, even worse, broken its notarization), it should therefore still run OK in Catalina.

3. Do you distribute your code beyond immediate friends/family?

Passing useful scripts, tools, even home-brewed apps around informally is still perfectly permissible in Catalina. Hell, you can post it on an unsecured website and let others download it from there if you really want to. Catalina might want you to Open it using the Finder’s contextual menu, throw you an extra dialog or two, or want you to put Terminal into another list in the Security & Privacy pane, but it isn’t going to stop you.

But if you make your code available in executable form (already built) for those you don’t know to download over the Internet, you should pause for thought. Providing source code for others to build their own app/tool/whatever is one thing, but providing it ready-built but unsigned and not notarized is inviting others to install a potential vulnerability. What if someone you don’t know downloaded your software and it was promptly hijacked by malware, for instance?

Even – perhaps especially – when you give your software away, you should respect others, many of whom may not understand the security implications, and ensure that it’s hardened and notarized too. But Catalina doesn’t force you to.

4. What software does have to be notarized then?

To the best of my knowledge, the only software which Catalina won’t run without notarization is kernel extensions (KEXTs) signed from 7 April 2019. Even then, you may be able to bypass that in Recovery mode. KEXTs which were signed before that, using a special certificate for the purpose, should still install and run fine. This also applies to the new System Extensions and drivers built with DriverKit which are being introduced with Catalina; as those couldn’t exist before 1 June, they must all be notarized (thanks to Scott Knight @sdotknight for pointing this out).

Trying to launch an app which hasn’t been notarized but was signed before 7 April 2019 should result in the same behaviour as in Mojave.

Apps signed by new developers from 7 April onwards, and by any developer from 1 June onwards, should be notarized. Double-click them in the Finder, and if they’re not notarized and in quarantine and you’re using the default level of security protection, macOS may warn you and refuse the launch. You might then be able to Open them using the Finder’s contextual menu if necessary. This doesn’t apply to software which is delivered through the App Store: that runs in a sandbox under very different security rules, and isn’t hardened or notarized.

Hardened and notarized software is for our protection. If any commercial developer still offers anything else, you should still be able to use it but ask its developer when it will be fully notarized. And don’t take no for an answer.