How to recognise properly-notarized apps with Taccy 1.3

Yesterday, I pointed out that not all notarized apps are equal. Some are fully ‘hardened’ and signed properly in depth, others neither, although all have to pass through Apple’s checks for known malware. Although there are some experts who claim that hardening and deep signing are no more than Security Theatre, Apple has now at two successive WWDCs told developers how these features should significantly improve security in macOS.

That’s assuming, of course, that you can tell whether an app has been notarized in the first place, and whether it meets the stringent requirements, or was merely checked for malware. There’s precious little in macOS that will even reveal whether an app has been notarized, apart from the subtle difference in the dialog that’s displayed when you first run the app after downloading it.

For some considerable time now, my free utility Taccy has informed you whether an app is notarized. But among all the detail which it provides, nowhere does it tell you whether it’s been hardened, for example. This changes in Taccy version 1.3.


Drag and drop an app onto Taccy, or Open it using the command in its File menu, and on the second line down you now see new information, informing you of whether that app has been hardened, as well as whether it’s notarized.

A whole new section appears at the end of the text report in the lower view. This might read something like:
codesign check:
Executable=/Applications/Parallels Desktop.app/Contents/MacOS/prl_client_app
Identifier=com.parallels.desktop.console
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=344169 flags=0x10000(runtime) hashes=10746+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=661e809cf1903640f9449a6ff44ab2fa77a8312e
Hash choices=sha256
CDHash=661e809cf1903640f9449a6ff44ab2fa77a8312e
Signature size=8994
Authority=Developer ID Application: Parallels International GmbH (4C6364ACXT)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Aug 2019 at 19:54:17
Info.plist entries=33
TeamIdentifier=4C6364ACXT
Runtime Version=10.14.0
Sealed Resources version=2 rules=13 files=476
Internal requirements count=1 size=192

If you’re interested in hardening, look at the line
CodeDirectory v=20500 size=344169 flags=0x10000(runtime) hashes=10746+5 location=embedded
in which the value given for flags shows the runtime hardening set, with a value of 0x10000. Apps which haven’t been hardened instead show
flags=0x0(none)

If an app has been notarized and hardened, then you can be fairly certain that it has been put through the stringent version of notarization, and will enjoy whatever security benefits accrue from that. Apps which are notarized but haven’t been hardened can only have been scanned for known malware, and will need to be properly signed and hardened before Apple reverts to strict notarization again in January 2020.
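As an added example, not Taccy’s own code or part of the original post, here is a small shell script that pulls the flags value out of codesign’s report and tests the runtime bit the way described above. The sample report text is constructed; check_app assumes it is run on macOS, where codesign and spctl are available.

```shell
# cs_flags: read `codesign -dvvv` output on stdin and print the hex flags value
# from the CodeDirectory line (e.g. 0x10000), or nothing if no such line exists.
cs_flags() {
    sed -n 's/^CodeDirectory .*flags=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# cs_is_hardened: succeed if the CS_RUNTIME bit (0x10000) is set in the flags value.
# Testing the bit rather than comparing the whole value matters because other flags
# can be set alongside it, e.g. flags=0x10200(kill,runtime) is still hardened.
cs_is_hardened() {
    flags="$1"
    [ -n "$flags" ] && [ $(( $flags & 0x10000 )) -ne 0 ]
}

# describe_flags: human-readable verdict for a flags value.
describe_flags() {
    if cs_is_hardened "$1"; then echo "hardened"; else echo "not hardened"; fi
}

# Constructed samples: the CodeDirectory line quoted in the post, and an unhardened one.
SAMPLE_HARDENED='Executable=/Applications/Example.app/Contents/MacOS/Example
CodeDirectory v=20500 size=344169 flags=0x10000(runtime) hashes=10746+5 location=embedded
Hash type=sha256 size=32'
SAMPLE_PLAIN='Executable=/Applications/Example.app/Contents/MacOS/Example
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded'

# check_app: on macOS, run the real tools against an app bundle. codesign -d writes its
# report to stderr, hence 2>&1. spctl reports how Gatekeeper assesses the app; a
# notarized app shows a line beginning "source=Notarized Developer ID".
check_app() {
    app="$1"
    flags=$(codesign -dvvv "$app" 2>&1 | cs_flags)
    printf '%s: flags=%s (%s)\n' "$app" "${flags:-none}" "$(describe_flags "$flags")"
    spctl -a -vv -t exec "$app" 2>&1 | sed -n 's/^source=/assessment source=/p'
}

# Stand-alone demonstration on the constructed samples:
printf 'sample 1: %s\n' "$(printf '%s\n' "$SAMPLE_HARDENED" | cs_flags | xargs -I{} sh -c 'echo {}')"
printf 'sample 2: %s\n' "$(describe_flags "$(printf '%s\n' "$SAMPLE_PLAIN" | cs_flags)")"
```

Run `check_app /Applications/Some.app` on a Mac to see the same flags line and the Gatekeeper assessment for a real bundle.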

Taccy version 1.3 is now available from here: taccy13, from Downloads above, from its Product Page, and through its auto-update feature. I hope that it helps you separate the wheat from the chaff.