Last Week on My Mac: Making notarization as hard as possible

Creating command tools for macOS used to be so simple. Although you could sign them, there seemed little point as so many were (and still are) unsigned. The messiest step in the process was putting them into an Installer package and signing it with a special developer certificate. Quite why you need a different certificate to make a package has remained a mystery to me. Thanks to Stéphane Sudre’s excellent Packages app, I got all that sorted out well over two years ago.

I was taken aback, then, when I heard from WWDC that Catalina was going to apply essentially the same security rules to command tools as it does to apps. This meant that my four command tools would have to be signed, hardened and notarized in very short order, as at that stage the Catalina beta was already available. When I write have to, I don’t mean that in a strict sense: of course I could just ship an unsigned tool, but if I wanted to continue providing a properly-signed package, I’d have to comply with the new rules.

Ever since Apple started its Notary Service, during WWDC 2018, I’d been looking for information about notarizing command tools, but nothing ever seemed to appear. Earlier this year, when preparing for the introduction of notarization requirements in 10.14.5, Apple revamped most of that documentation, but still didn’t explain how to get a command tool notarized, or even whether that was possible or necessary. The emphasis was almost exclusively on apps.

Apple has also been extremely vague over explaining what notarization really is and how it works. Like all things security, it feeds us small tidbits which it feels we should know, and doesn’t explain concepts, principles, or mechanisms. I knew that I could build a command tool, place it in a signed Installer package, and submit that for notarization, but did that constitute notarization of the command tool or just the package? Was it possible or necessary to harden a command tool, and if so, how?

Look today at the documentation, and it still doesn’t refer to command tools. The main page gives an incomplete list of four different types of “software deliverables” which can be notarized: apps, some other code bundles (not explained any further), disk images, and Installer packages. None of those covers command tools, unless they’re delivered in a package. And does that notarization cover just the package, or the installed tool too?

A little further down, Apple lays down the requirements for notarization:

all executable code is to be signed using a Developer ID signature;
the signature must include a secure timestamp;
apps and “command line targets” are to have hardened runtimes;
the com.apple.security.get-task-allow entitlement isn’t to be set;
code is to be linked against the macOS 10.9 or later SDK.

I knew that I could meet the first of those by adding an Info.plist to the command tool and enabling signing. I presumed that using Xcode’s Archive feature, a secure timestamp would then be added with the signature, and that entitlement wouldn’t be set, and I was already using the macOS 10.14 SDK. That left only 3, the requirement for a hardened runtime.

So I followed the link there to see how I could enable a hardened runtime for a command tool. It takes you to Xcode Help, which refers only to the Capabilities library offered for an app. That doesn’t exist when your Xcode project is for a command tool.

I next scoured Apple’s article on customising the notarization workflow, which was of no help as it makes the opening assumption that you have already hardened your code. I then read advice on resolving common notarization issues, which refers back to the same Xcode Help page which I had already found of no help.

After a lot of Internet searching, I stumbled across a discussion which mentioned the Xcode option to Enable Hardened Runtime buried in the Signing options. Without that, I would have consistently failed in all attempts to follow Apple’s instructions, and notarization would have been doomed to failure.

The processes that I then had to go through to sign, harden, package and notarize each of my four command tools were a revelation. They’re detailed step by step in this article and in this PDF:
NotarizeCmdTool

They demonstrate how badly this common task in development has been cobbled together without any design: it’s not a workflow but an obstacle course. To turn 260 lines of code into an installable and duly notarized 33 KB package took a total of 5 apps (including Xcode itself), 4 command tools which I had to invoke in 6 different commands, 2 different developer certificates (one for the tool, one for the package) and an app-specific password to be able to run altool to submit the tool for notarization.

Of course no Apple engineer has to negotiate this tortuous labyrinth. So why should they bother to make it straightforward for third-party developers?

Apple: if you want to encourage developers to adopt your new security policies and stop delivering unsigned code, try providing tools which facilitate rather than obstruct, and document such common workflows as if someone there has actually bothered to test them out. Preparing software for distribution shouldn’t be harder than writing the code in the first place.

9Comments

Add yours

1

Matt B on June 17, 2019 at 12:41 am

I’m not surprised. As I mentioned on Twitter, I’m unable to notarize at all. I’ve contacted Developer Support, which told me to file a bug (Feedback). Which of course is a black hole. I’m not the only one either. There are multiple of us. And I read one person has been waiting nearly a month after submitting their Feedback.

They demand we notarize, and yet the process to fix a notarization issue (most likely an account issue, not a bug) is non-existent. I ended up not notarizing my app. I had to get a release out and couldn’t wait any longer.

LikeLiked by 1 person
2

apple4ever on June 17, 2019 at 12:43 am

I’m not surprised. As I mentioned on Twitter, I can’t notarize at all. I get an error. I’ve contacted Developer Support, who only told me to file a bug (Feedback). Which we all know is a black hole. I’m not the only one either, as you can see from this thread. One guy has been waiting weeks to hear back from Feedback.

They demand we notarize, then don’t have a good process to do so, or to fix issues. I ended up not notarizing, because I couldn’t. I had to release. I’ll fix it later when ever they fix it for me.

LikeLike
3

User on June 17, 2019 at 1:00 pm

Command Line tools, especially free 260-line ones, should really really be open source and user-compiled nowadays. TBH I am quite interested in your software, but there is no way
I’d accept something akin to a bash script if distributed as a closed source .pkg not matter what. This is really too suspicious in 2019. That would also remove these distribution problems (and I guess that’s what Apple expects as well hence the lack of documentation). You tell me Adobe Photoshop is closed source, well what a pity but I get the rationale behind it. On the other hand you tell me you made a free and super nice 100 line bash script and it’s closed source, I’m starting to have a problem.

LikeLiked by 1 person
- 4
  
  hoakley on June 17, 2019 at 2:04 pm
  
  Well, we seem to be writing at cross-purposes here. If you read the above article, you’ll realise that I’m not referring to bash scripts, but to compiled tools written in Swift. And one of them happens to come with its source too.
  Now if you’re trying to tell me that a user-compiled open source unsigned command tool is somehow more secure than one which is signed, hardened, checked by Apple and notarized, then I’d love to see your working and know how you can monitor its code integrity.
  Howard.
  
  LikeLike
  - 5
    
    User on June 17, 2019 at 2:43 pm
    
    I am absolutely thinking that a user-compiled open source unsigned command tool which is subject to public scrutiny is A LOT more secure than an 4 kB binary offered for free without apparent motivation. Code signing, app review and so on do offer a degree of protection against fraudulent apps, false claims, ads, and so on. As protection against malware it is very weak, in fact Adware Doctor was sold on the MAS and was a best-seller. Apple *routinely* validates malware, absolutely. NB: I am NOT claiming your software is malware, absolutely not, and I don’t think so. 😉
    
    LikeLiked by 1 person
    - 6
      
      hoakley on June 17, 2019 at 3:12 pm
      
      I fear that you’re being misled. Up to the moment a user builds a tool, sure. They then put total trust in the build system to generate what they’re expecting. Do you remember Xcodeghost which transformed genuine iOS apps into malware?
      Then, when the tool is built, as it’s unsigned, the user has no check of its integrity. They can never tell whether something else has subverted the code in that tool, because there’s no signature to check it against, and macOS doesn’t have a clue whether it’s genuine or subverted, and never will.
      Because it’s not hardened, a malicious app can do all sorts of things with it to subvert it too. If it relies on accessing frameworks or libraries, their integrity isn’t checked either, and could easily be subverted.
      Hardening and notarization are not app review – they’re quite different, and I suggest before making claims about them it would be good to see just what they entail.
      You’re actually referring to apps in the App Store, which aren’t hardened or notarized at all. Can you tell me of one piece of malware which has been hardened and notarized?
      Nothing gives you an absolute guarantee. But unsigned executable code is a disaster waiting to happen.
      Howard.
      
      LikeLike
7

Michael Tsai - Blog - Notarizing Command-Line Tools for macOS 10.15 on June 17, 2019 at 7:24 pm

[…] Howard Oakley: […]

LikeLike
8

Post-WWDC thoughts | Riccardo Mori on June 21, 2019 at 3:30 am

[…] command‐line tools: I’m no developer, but when I read this piece by Howard Oakley, I almost felt pangs in my stomach. Again, check the associated commentary on the […]

LikeLike
9

Weekly News Summary for Admins — 2019-06-21 – Cebu Scripts on June 22, 2019 at 12:02 am

[…] Last Week on My Mac: Making notarization as hard as possible – Howard Oakley (Follow-up) […]

LikeLike

Share this:

Related