hoakley September 8, 2019 Macs, Technology

Last Week on my Mac: Notarization devalued?

For fifteen months, since its unveiling at WWDC in June 2018, Apple has been preaching the virtues of the improved security to come with notarization. Then in one short announcement to developers last week, it abandoned much of this grand plan until January next year, over a quarter of the way through Catalina’s release cycle.

The plan revealed to developers last year was simple and ambitious. From a future version of macOS onwards, there would be two ways for third-party developers to distribute their software:

through Apple’s App Store, which requires sandboxing and imposes strict limits on what apps can do;
independently, which will require every app to have additional limitations known as ‘hardening’ as well as complying with much stricter rules on signing of code, and for Apple to check every app for known malware through its free Notary Service.

Although Apple provided good tools for those with simple build workflows within its Xcode SDK, many independent developers don’t use Xcode, and discovered that the command line tools didn’t integrate well with their workflows. In some cases, code signing requirements have proved impossible to achieve. For example, I’ve heard from developers whose code integrates with cross-platform apps which will never be signed, let alone notarized, who have just hit a brick wall in their search for solutions.

Even what should have been simple tasks such as notarizing a command tool have become complicated because, well over a year since notarization was introduced, Apple still hasn’t worked out how to ‘staple’ the ‘ticket’ to a single file of executable code, which is something of a fundamental feature.

One underlying issue is that notarization doesn’t affect any of Apple’s own software products. They’re signed using Apple’s certificates, which exempt them completely. So hardly any Apple engineer knows what it’s like to prepare complex software and get it notarized. Indeed, there are times when I wonder if Apple realises how many developers don’t use Xcode at all.

Earlier this year, Apple introduced another form of notarization which it encouraged developers to use for existing releases of products, which I’ll refer to here as ‘legacy notarization’. The idea was to submit previous releases of your products to Apple, so that they could be checked for malicious software, and awarded notarization ‘tickets’. This seemed a bit odd, as it now meant that there’d be two types of software going around with their tickets:

software which had been thoroughly signed according to stringent rules, hardened, and submitted to Apple’s Notary service;
older software which wasn’t signed to the same standards, wasn’t hardened, but had been checked by Apple for malicious code.

The presumption was that newly-built and -signed products wouldn’t fall into that second class of legacy notarization, which seemed fair enough, as many of the latter wouldn’t even support recent features such as Dark Mode, and may not be particularly compatible with Catalina anyway.

Then Apple changed its mind again, and on 3 September, only 3-4 weeks away from the release of Catalina, it suddenly announced that developers could submit almost anything for notarization, including apps which weren’t hardened, didn’t comply with the signing requirements, and more. This creates a third class:

software which doesn’t conform to the original rules for notarization, but which has been checked by Apple for malicious code.

In one announcement, Apple blew away previous claims as to the importance of satisfying the requirements which had been giving so many developers so much trouble over the last year or more. And those requirements aren’t going to be re-imposed on new notarizations until January of next year. I’m sure that the many developers who have struggled to ensure that the entire contents of their app bundle have been correctly signed using their developer ID and have been hardened are delighted to know that, had they waited until the last minute, they wouldn’t have needed to bother.

Short of abandoning the requirement for notarization altogether, at the last minute Apple has signalled that its only real value is in its own malware checks. Maybe all the rest, the advantages of the hardened runtime, of deep code signing, were nothing more than security theatre as some have claimed?

So why this sudden about face?

The most likely answer must be in non-compliance. Imagine if Apple were to know that, of the many (hundreds/tens of) thousands of third-party apps for macOS which aren’t distributed through its App Store, only a small proportion had been notarized? Or, even more importantly, if some major developers weren’t going to be ready to notarize key products until well after the release of Catalina?

For those of us who now realise that we’ve been suckered for the last year, this doesn’t build confidence. I take no comfort in knowing that, come January next year, my apps will be well-prepared for notarization becoming serious again. And we all know now that installing a notarized app means precious little, other than the fact that Apple has checked it for malware and didn’t find any. Does that alone really mean much in terms of security?

Despite this, I remain committed to notarizing all my apps which you might want to run on Mojave or Catalina. I will also help you distinguish between those apps which are properly hardened and notarized under the original strict rules, and those which have been notarized only by virtue of not being known malware.

It’s only appropriate that January is the traditional season for pantomime. I think by then we’ll have earned our places in the front row of the Security Theatre.

25Comments

Add yours

1

artiste212 on September 8, 2019 at 1:09 pm

Given all the hard work and worry for developers, I can understand your displeasure or anger at how Apple has handled this.

As a user, however, I can imagine the chaos if on day 1 of having upgraded to Catalina, a number of my major programs would it run. Multiply that by millions of users, and Catalina would seem like a failure.

Please take heart from the fact that all that has been announced is a three month delay. Your work has not been for naught. Rather, think of this as delayed gratification.

As always, I can’t comment without a word of thank for your incredibly useful software.

LikeLiked by 1 person
- 2
  
  hoakley on September 8, 2019 at 1:16 pm
  
  Thank you.
  As a user though I’m now left in doubt. Was all this performance with notarization and claims of its security benefits actually genuine? If so, why is this being postponed further, giving another three or more months of exploits? Or maybe Apple had overstated its benefits, in which case how is Catalina going to improve security, other than with its read-only system volume?
  If hardening and strict notarization do bring significant security benefits, why doesn’t macOS let me know which apps are well-prepared, and which are not?
  Howard.
  
  LikeLike
  - 3
    
    artiste212 on September 8, 2019 at 3:14 pm
    
    I share your concerns and also your thoughts that Apple hasn’t made things sufficiently clear for us. But since your last sentence posed a question, I’ve tried to think of an answer. If we put aside, for a moment, the possibility that Apple is so poorly managed they can’t understand this situation with any clarity, what is most likely is that some lawyers don’t want them to do this. I could see the problem that might result if developers found their programs were labeled “Inadequately secure or not well enough prepared” — especially if these programs fall into one of the categories you mentioned where it may not be possible to jump through all off Apple’s hoops.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on September 8, 2019 at 3:21 pm
      
      Thank you – that’s a very cogent suggestion.
      Howard.
      
      LikeLiked by 1 person
5

Gordon on September 8, 2019 at 2:13 pm

> I will also help you distinguish between those apps which are properly hardened and notarized under the original strict rules, and those which have been notarized only by virtue of not being known malware.

I don’t understand – how?

LikeLiked by 1 person
- 6
  
  hoakley on September 8, 2019 at 3:16 pm
  
  Well, one giveaway in most cases is whether an app has been hardened. Under the strict form of notarization, that was one of the requirements which Apple claimed brought significant improvements in security.
  At present, it is very hard to discover whether an app is notarized or hardened. My free tool Taccy will tell you whether it is notarized, but can’t distinguish strict from relaxed rules. There isn’t any difference in the notarization, as Apple sees them as being of the same ‘value’.
  Coming later tonight, and detailed here in the morning, is a new version of Taccy which will also tell you whether an app is hardened. So if Taccy says that the app is both hardened and notarized, it’s extremely likely that it has been notarized under the strict rules, and – should Apple’s claims be accurate – should have markedly improved security.
  Howard.
  
  LikeLiked by 1 person
7

Matt B on September 8, 2019 at 3:44 pm

It’s been a crazy path for me as you know about notarization.

I don’t have a problem with what they were doing, for the most part. But the tooling was just up to stuff. It caused all sorts of headaches, there was little good documentation on how to do it right, and there was zero support from Apple on fixing issues.

Hopefully the three month delay will let them fix this.

LikeLiked by 1 person
- 8
  
  hoakley on September 8, 2019 at 3:52 pm
  
  Thanks.
  The snag is that developers still have to notarize for their apps to pass first run in Catalina – that requirement hasn’t changed at all.
  For most developers, relaxing the rules doesn’t solve the problems with the tools. You’ve still got the same choice of Xcode or the command line. There’s no sign, or mention, of Apple providing tools which are easier to use or work any better. And by January 2020, you’ve got to get all your apps notarized under the strict rules anyway.
  Oh – and Apple admits that some apps which have been successfully notarized under the new relaxed rules may fail to open at first run in Catalina because Gatekeeper won’t let them. Notarization is no guarantee that an app will clear Gatekeeper.
  I’m not sure what Apple is going to fix here.
  Howard.
  
  LikeLike
9

Valdo on September 8, 2019 at 4:23 pm

Apple achieved the status moloch.
The right hand has no idea what the left is doing and the head is attending on supés….

LikeLiked by 1 person
10

Lloyd Chambers on September 8, 2019 at 11:32 pm

Haven’t even started the process, but what does Apple require for a jar file (Java) invoked by a shell script?

LikeLiked by 1 person
- 11
  
  hoakley on September 9, 2019 at 5:07 am
  
  I don’t develop in Java, but here are some links which should help:
  an overview of the process involved
  an account of some problems
  using OpenJDK as an example.
  I wish you success.
  Howard.
  
  LikeLike
12

rogparish on September 9, 2019 at 3:09 am

How does one compile an app without the “benefit” of Xcode? Just go “old school” and run make? I’m not a developer, so please excuse my ignorance.

LikeLiked by 1 person
- 13
  
  hoakley on September 9, 2019 at 5:10 am
  
  Thanks.
  There are many other SDKs and development environments supporting other languages, and yes, there’s always command line make too.
  Howard.
  
  LikeLike
14

Michael Tsai - Blog - Notarization Requirements Relaxed on September 9, 2019 at 5:48 pm

[…] Howard Oakley: […]

LikeLike
15

macOS Notarization: Security Hardening or Security Theater? on September 11, 2019 at 5:21 pm

[…] explained in Howard Oakley’s post “Notarization devalued?“, Apple later decided to encourage developers to have all their […]

LikeLike
16

macOS Notarization: Security Hardening or Security Theater? - Strategic Focus on September 11, 2019 at 6:12 pm

[…] explained in Howard Oakley’s post “Notarization devalued?“, Apple later decided to encourage developers to have all their […]

LikeLike
17

Paul on September 12, 2019 at 9:11 am

Interesting post from security firm Sentinel One on similar lines which might be of interest… https://www.sentinelone.com/blog/maco-notarization-security-hardening-or-security-theater/

LikeLiked by 1 person
- 18
  
  hoakley on September 12, 2019 at 9:24 am
  
  Thanks – yes, well worth a read.
  However, the big unknown is how Catalina treats hardened and unhardened apps, which is much tougher to explore at present. Apple has stated that some of these checks, XProtect in particular, are going to happen after first run as well, and may also be different in the future. Unfortunately, we’re not really going to know now until Apple restores the requirement for hardening next year.
  Howard.
  
  LikeLike
19

Paul on September 12, 2019 at 9:15 am

And I should have added… you get a nod Howard 🙂

LikeLiked by 1 person
20

Why is it required on October 1, 2019 at 3:16 pm

This is INSANE!!! I have apps I trust and use that are no longer maintained and will never get notarized. This is nuts and could be the first time I’m thinking about windows, because I will no longer have a choice… I don’t care about apple made software, I don’t use iMessage or FaceTime, or Safari or AppleMail etc… So if I can’t use my apps anymore …end of the road :((

LikeLiked by 1 person
- 21
  
  hoakley on October 1, 2019 at 3:20 pm
  
  Thank you.
  I think that you need to re-read this more carefully. Notarisation doesn’t affect apps which you have already run for the first time after installing them. Once an app has undergone that first run check, it doesn’t get checked for notarisation again. Legacy apps run fine in Catalina. Indeed, if a user wants to, they can run apps which are completely unsigned, or signed but not notarized at all.
  So Apple isn’t saying anything of the kind – you can carry on using your apps without them ever being signed, let alone notarized.
  Howard.
  
  LikeLike
22

Why is it required on October 2, 2019 at 7:14 am

Mr. Hoakley, I am confused! I will buy a new macbook next year that ships with Catalina. I have an app in a .zip on my NAS that I will copy to my new mac. Will it run or not if it is not hardened/notarised ? I understand not!?

LikeLiked by 1 person
- 23
  
  hoakley on October 2, 2019 at 8:07 am
  
  The first question is whether that Zip archive has the quarantine flag set. If it doesn’t, then the app should run fine so long as it’s compatible with Catalina (64-bit, etc.).
  If it does have the quarantine flag set, then it will undergo first run checks. In those, Gatekeeper will inspect its signatures. If those are from before 1 June 2019, then it won’t expect it to be hardened or notarized, so it should run fine.
  Even if Gatekeeper says that it expects it to be notarized but it isn’t, you’ll be able to use the Finder Open command to run it anyway. Once it is through its first run checks, it won’t go through them again.
  Does that make it any clearer?
  Howard.
  
  LikeLike
24

Why is it required on October 2, 2019 at 8:34 am

Yes, this is entirely something else if true! Everywhere I read this is not specified! I have apps downloaded and saved in my “kits” dir. and from there I copy and use them on every new mac I get (so for Gatekeeper the app is new).
And for example, Oracle VirtualBox was not able to run on Catalina due to notarization!
https://forums.virtualbox.org/viewtopic.php?f=8&t=93151

I was using your tools, and from say 50aps, 30 are not notarized and some not even properly signed eg. tools from Synology.
Thank you for your time!

LikeLiked by 1 person
- 25
  
  hoakley on October 2, 2019 at 8:41 am
  
  VirtualBox is different as it requires the installation of kernel extensions – and those operate under different rules which came into force in April.
  I will post a more detailed explanation here on Friday morning.
  Howard.
  
  LikeLike