Time to notarize apps: 108 notarizations analysed

If you develop and sign apps for macOS, it won’t have escaped your attention that life changed on 1 June 2019. That’s the day from which all apps shipped by developers outside the App Store are expected to be not just signed, but hardened and notarized as well. You’ll no doubt already have experience of Apple’s Notary Service. This article summarises the performance I have experienced with my notarizations over the last eight months, since November 2018, on 108 notarizations of 35 different apps.

Although I have also notarized four command tools using the command line, here I’ll confine myself to regular (and relatively small and simple) apps which were notarized entirely from within Xcode. For what it’s worth, performance at the command line was at least as good as that in Xcode. Once I had worked out what I needed to do, the notarization process itself was very quick.

I’ve been using Apple’s Notary Service since July 2018, soon after it opened its doors during WWDC 2018. Overall I’m delighted with the service it provides, which has been much faster than Apple’s target, and generally very reliable.

My notarizations haven’t been exactly even over the eight months: in November I performed 24, and this month (June) 21, but I seem to have nodded off during January (6) and February (only 3). The median time between completion of upload and receipt of the notarization ticket, for Xcode to staple to the app, has been 2 minutes, and the maximum (outside of service outage periods) has been 24 minutes.

[Chart: median (red) and maximum (blue) notarization times, by month]

Median times (red in the chart, with maxima in blue) haven’t changed over this period: apart from my oddball month of February (only 3 notarizations, of 2, 16, and 24 minutes), they have been consistent at 2 minutes. Some developers have expressed concerns that, as demand on the Notary Service increased in advance of WWDC 2019, performance would deteriorate. I can see no evidence of this, although I did experience one wait of 10 minutes in May. June has been an exemplary month, with every one of my 21 notarizations completing within 3 minutes.

The exceptions to all of these were in November, when I was unfortunate enough to submit four notarizations during one of the rare periods in which the Notary Service was unavailable for a significant time, on 4 November. Apps submitted that day weren’t notarized until the service was back up and running the following morning, 5 November. I have excluded those delays of 525-1251 minutes from this analysis, although they have little impact on median times, of course.

Of my 108 notarizations, only 4 (4%) were affected by service outage and delayed beyond 24 minutes, and they all occurred during that same outage period.

Another issue which some of us have raised with Apple concerns not the time between completion of the upload to the Notary Service and receipt of the ticket, but the time prior to that, during which Xcode syncs with the service and then uploads the Zip archive. Prior to June, that typically took 3-5 minutes, sometimes slightly longer, but recently seems to have increased to a minimum of 8 minutes. Apple is currently fixing whatever has been causing those modest delays.

Overall, based on my experience, Apple is far exceeding the advertised performance of the service, with very infrequent periods of outage, and consistent median times to notarize of only 2 minutes.

But all is not sweetness and light. Performing simple notarizations like these from within Xcode is the best case. Apple needs to:

  • introduce a method of stapling the ticket to standalone (Mach-O) code such as command tools, which should make them easier to deal with;
  • document notarization thoroughly at both a conceptual and practical level, with explicit workflows for more complex cases and command tools;
  • provide more coherent tools, either within Xcode’s GUI or separately, which integrate steps in the notarization process and allow developers clean and error-free workflows.

When a major platform such as macOS undergoes such a radical change in developer procedure, there is a great deal of scope for problems and failure. Congratulations to Apple for getting this right, and thanks to all those who have made it so. But please don’t overlook the documentation and non-standard workflow support.