How come someone notarized my app?

Notarization is now much simpler than it was earlier, but can still play strange tricks on you. Take the example of an old app, Patrick Wardle’s KextViewr, which was last built in April 2016, four years ago. Patrick, its developer, was most surprised the other day to discover that it’s now notarized.

notarization2

Notarization wasn’t introduced until June 2018, with the first beta-release of Mojave at WWDC. Patrick hasn’t submitted it for notarization, so how come it now shows up as having been checked by Apple for malicious software and opens fine in Catalina? Has Apple been busy notarizing old apps without informing their developers?

None of us knows who has been notarizing such old apps, but someone has definitely done so, and this isn’t the first time I’ve heard the same from a developer. But this wasn’t notarization as we now know it.

Use any tool, such as my free Taccy, which checks signing and notarization, and you’ll see that this app is properly notarized, and was signed correctly using Patrick’s developer certificate. However, as the top row of checkboxes shows, it isn’t hardened, or even built using a version of the SDK which is capable of notarization.

notarization3

Look inside the app, though, and there’s no sign of the tell-tale CodeResources file which gets inserted when the notarization ticket is stapled to the app.

notarization4

What has happened here is that someone has had this app notarized under legacy rules, or during the amnesty period which applied from the release of Catalina until February of this year. It’s a genuine notarization, but a bit different.

Despite developers being given advance notice of more than a year before Catalina made it a requirement, Apple seemed to have problems with compliance. The first scheme it offered to ease the transition allowed developers to submit existing apps and software for notarization under legacy rules. This was intended to ensure that there was an easy route to notarizing your current and recent products without having to bring them to full compliance with the strict rules, rebuild and submit them for checking.

When Catalina shipped in October 2019, a lot of major developers had still failed to ship properly notarized versions of their apps. Without warning, Apple suddenly relaxed the requirements for notarization, allowing newly notarized software to not comply with its strict rules. For example, it was no longer necessary for an app to be hardened at all: so long as it was submitted to Apple’s Notary Service and passed its tests for malware, it was awarded notarization. Those of us who had dutifully been notarizing everything under the previous strict rules were unimpressed that other developers suddenly had a free pass.

In February 2020, the rules reverted to require full conformance with the original rules which had been announced in June 2018, at last, and as far as I’m aware that’s the way they have remained ever since.

Patrick’s KextViewr app was notarized on 31 August 2019, and doesn’t comply with the strict rules, as it isn’t even hardened, so must have been submitted under the original legacy rules. So while it has been checked by Apple for malware, it doesn’t benefit from the protection afforded by hardening. But how come someone other than its developer got it notarized?

Anyone with a Developer ID can apparently get any app which satisfies current rules notarized. There isn’t, and never has been, any requirement that only the developer who signs the app can get it notarized. Indeed, Apple has commended this ‘feature’ to enterprise and other large-scale users. If they depend on an app which hasn’t been notarized, and need to install it on multiple Catalina systems, they’re perfectly entitled to submit it to Apple’s Notary Service. When that happens, the notification and email confirming that notarization has been successful are sent not to the original developer, but to the developer who submits the software for notarization. So the original developer will probably be completely unaware that this has happened.

The tell-tale here is the fact that whoever had Patrick’s app notarized didn’t staple the notarization ticket to the app. That’s why you can’t see it inside. Instead, when Catalina puts it through a full Gatekeeper check, it checks with Apple whether the app has been notarized but has no stapled ticket. In this case, Apple’s security servers responded that the app did have a notarization ticket, and Catalina was therefore perfectly happy to open it.

Although strange, I’ve been unable to think of any good security reason why this system shouldn’t be fine. Can you?

5Comments

Add yours

1

Jonathan Deutsch on May 22, 2020 at 7:54 am

> Has Apple been busy notarizing old apps without informing their developers?

Yes, they have. Not just apps, but also installer packages, too.

My app has some optional add-on Python-based Scripting Additions, so I setup installers to place the .py files in the correct ~/Library/ spot. As they don’t have binaries, I wasn’t sure from reading the documentation if notarization for the installer packages was necessary. In testing, they presented the correct Gatekeeper dialog, so I figured I was in the clear and took no action. Fast-forward to the stricter requirements and I got a user report that one of the six installer packages did not have the right Gatekeeper warning. It took me quite a while to figure out that this was behaving “correctly” the “problem” was that the others had been notarized behind my back, by Apple. So then I had to scramble to setup notarization automation for them.

It is still a mystery to me while their crawler missed one of the packages, given they are all on the same page and there was nothing different about its naming. It is also a mystery why Apple did not inform developers.

Like you, I don’t see any security problems with it as long as the notarization takes into account the code signature.

LikeLike
- 2
  
  hoakley on May 22, 2020 at 8:25 am
  
  Thank you. I still don’t understand why people are concluding this must be Apple. There are a great many other people out there with Developer IDs and motives where they need software to be notarized – any sysadmin managing a network running Catalina, for a start. On the other hand, I don’t understand why Apple would want to devote effort to doing this, as that’s what developers are for, isn’t it?
  Not that it really matters anyway.
  Howard.
  
  LikeLike
3

Valdo on May 22, 2020 at 8:59 pm

Are the notarized versions absolutely identical with the original releases?

LikeLiked by 1 person
- 4
  
  hoakley on May 22, 2020 at 9:21 pm
  
  There aren’t different versions.
  What happens is that, when you download and install the original from the Objective-See website, it gets a quarantine flag. When you first run that quarantined app, Gatekeeper checks whether it’s notarized. In doing so, as it doesn’t have the ticket stapled to it, Gatekeeper checks with Apple’s security servers. They return that it has been notarized, so Gatekeeper approves it as a quarantined app, even though the developer never got it notarized.
  Howard.
  
  LikeLike
5

Javier Gallardo on May 22, 2020 at 10:15 pm

I don’t see a problem here, but it gives a clearer notion of what “notarizing” exactly is.
I suspect car-industry could work in a similar way when homologating a part or accessory.
You have the right to ask the authority to homologate your use of a part in a self-designed car; car aficionados do this. It takes a careful engineering exam, but Apple makes that for free with apps, if you ask them.

LikeLiked by 1 person

Share this:

Related