hoakley February 17, 2023 Macs, Technology

Should apps and command tools be notarized?

This summer it will be five years since Apple introduced notarization, and four since it started to be enforced. Yet there’s still a lot of confusion and some misinformation about notarization and how it can and should be used. This article tries to clarify.

Approval and disapproval

There are three preferred ways to provide software to other users, regardless of whether you’re a commercial or hobby developer:

the App Store, which has its own requirements for code review and certification;
pre-built executable binaries, which should be provided notarized even if they’re free;
open source code, supplied as source code for the end-user to build.

These ensure that someone independent of the developer approves that code as being non-malicious. Inevitably, that isn’t perfect, and some malicious products have ended up in the App Store or being notarized. In those cases, it’s less about approval than disapproval: should any signed and notarized product be found to be malicious, Apple quickly revokes its certificate and notarization, and every copy of macOS will then automatically block that code from running.

No matter how careful and well-intentioned, a supplier who tries to mix the second and third ways doesn’t have the same powers of revocation. In the event that a pre-built binary without an Apple signing certificate and notarization turns out to be malicious, it can’t be blocked from running on macOS, and could therefore spread uncontrolled. That’s the real power of signing and notarization, in the consequences of disapproval.

Requirements

Apple details these here. In short, they require that the app or executable:

is fully signed using an appropriate Developer ID certificate,
includes a secure timestamp with its signature,
has the Hardened Runtime enabled for apps and command tools,
is linked against the macOS 10.9 SDK or later,
mustn’t claim a com.apple.security.get-task-allow entitlement,
if it has entitlements, they’re correctly encoded and formatted,
to be submitted to Apple for checking and approval.

Items submitted for notarization can be disk images, installer packages, or Zip archives.

Checking notarization

Successful notarization results in the issue of a ticket, which can be ‘stapled’ into an app or other bundle. However, that ticket isn’t necessary for macOS checks on notarization to succeed. When Gatekeeper checks code for notarization, it doesn’t need to find that ticket present, as that will be checked with Apple anyway. If there’s no ticket present, as there won’t be in the case of a command tool, Apple will confirm if that file or bundle has been notarized, and whether that remains valid, or has been revoked.

Tickets can be stapled to app and other bundles, disk images, or flat installer packages, but not Zip archives or Mach-O binaries.

Notarizing command tools

I notarized a command tool for the first time in June 2019, and since then have notarized all the command tools that I offer here. In those days, the procedure started with adding the code signature into the binary, incorporating the built binary into a flat Installer package signed with a Developer Installer certificate, then submitting that package for notarization using the altool tool, as detailed here.

Although an embedded Info.plist isn’t necessary, it can be worthwhile. That and other improvements are explained here. A later account for Universal binaries is here. Most recently, Apple has replaced altool with notarytool, and its current instructions are here. Note that altool will be going away later this year: if you still use it, now is the time to switch to notarytool.

Third-party notarisation

Apple has long made it clear that the developer submitting software for notarization can be different from that signing the original code, provided that all the other requirements are met. This is perhaps most useful in enterprise and similar environments, where it may be important to deploy a command tool or app that hasn’t been notarized by its developer.

This has a strange effect, in that once notarized by one developer, all other identical copies of that software are also recognised as being notarized. This used to happen in Apple’s early campaign for notarization of legacy products, when users noticed that an old app which couldn’t have been notarized at the time of release was reported as being notarized later. At first this appeared sinister, but turned out to be valuable to everyone using that product.

The extra effort of notarization is well worthwhile even for command tools. Users can still ignore any installer package if they prefer, as notarized command tools don’t need their tickets to be present for macOS to recognise and accept their notarization. And you and your users can have confidence in the effects of disapproval should the need ever arise.

22Comments

Add yours

1

Gideon on February 17, 2023 at 11:07 am

When a new macOS version is made available I tend to download it via Terminal e. g. softwareupdate –fetch-full-installer –full-installer-version 13.2.1
I then copy this macOS Installer “Install macOS Ventura.app” to a folder on the Mac Desktop. Next I create a disk image from this folder with Disk Utility and store it away for later use on same or another Mac. Most times I attempt to use such a macOS Installer, I am prompted with an error. Basically I understand that macOS cannot verify security for the file and suggests to hold off from installing and advises to thrash the Installer instead. To my knowledge I have been able to convince the Installer to proceed via right-click open, then accepting the notice of potential risk.
The situation makes it seem as though Apple has not applied all the security measures to their Installer app correctly.
Can you explain why Apple’s own macOS Installer app that was downloaded directly from Apple’s servers would behave like this?

LikeLiked by 1 person
- 2
  
  hoakley on February 17, 2023 at 12:03 pm
  
  Thank you.
  I keep a library of old macOS installer apps, and IPSW images, which I use to create bootable external disks and VMs. The only time I have experienced the problem you have described is when trying to run an older installer on a newer one, e.g. Monterey 12.2 on Ventura 13.2. That isn’t a signature problem, but a block imposed by macOS, which prevents you from running those older installers. As I have explained elsewhere, the workaround is to create an external bootable installer from that old installer, and use that to install the older macOS.
  Apple doesn’t notarize its own software, but uses its own certificates, which are accepted by Gatekeeper. But this is a separate security mechanism that only applies to older macOS installers.
  Thankfully it doesn’t apply to IPSW images for VMs.
  Howard.
  
  LikeLike
3

Gideon on February 17, 2023 at 12:46 pm

Thanks Howard for your response
I responded via email but got following error:
There was an error processing your recent comment reply by email
Howdy!

We ran into a problem with your recent comment reply by email. Specifically, we weren’t able to find your comment in the email.

We’ll do our best to get this fixed up. In the meantime, you may want to comment directly on the post:

Could this be due to the fact that I included two screenshots of the Alerts in the email?

LikeLiked by 1 person
- 4
  
  hoakley on February 17, 2023 at 1:47 pm
  
  I’m sorry about that, but it’s beyond my control, as it’s part of WordPress.
  Howard.
  
  LikeLike
5

Gideon on February 17, 2023 at 12:50 pm

Thank you Howard for your response

I include two screenshots of the Alert windows I mentioned.

The first one is what I get on first launch (right-click Open).
I can only cancel out of this one.

The second one is what I get on second launch launch (right-click Open).
Here I can accept the risk and continue.

I’m always installing a newer supported version of macOS and
it will always successfully install the macOS this way.

If the Mac is not connected to the Internet I’ve seen another
Alert, that if I remember correctly, would not permit installation.

I create an installer drive if I need to wipe and reinstall fresh,
booting the system from this volume.

Where do you download IPSW images from. I’m assuming they
are for macOS VMs and not iOS related?

LikeLiked by 1 person
- 6
  
  hoakley on February 17, 2023 at 1:47 pm
  
  Ah – thanks for the screenshots. They tell a different tale.
  You’re seeing those dialogs because you’re trying to run the installer from an unsigned disk image, which I suspect may have a quarantine flag set. How have your transferred that disk image? Using AirDrop, perhaps, or another method that attaches a quarantine flag?
  If so, that’s Gatekeeper kicking in. As Apple’s installers aren’t designed to be run with quarantine flags attached, when Gatekeeper checks the disk image, as it’s unsigned, it’s refusing to run the app.
  When I move installers around, particularly using AirDrop, I use my own compression app Cormorant, designed for this purpose. Although the compression isn’t of any benefit (as the bulk of the installer is already compressed), it turns the app into a single file and strips any quarantine flag. So I can move the compressed installer around without such problems.
  Howard.
  
  LikeLike
7

Gideon on February 17, 2023 at 2:25 pm

The disk images are created with Disk Utility on the Mac that I downloaded the installers with. The download is usually done from a standard user account but occasionally also from an admin account. The disk image however is always created in an admin account from a copy of the Installer app inside a folder on the Desktop, as described above.
The images are transferred directly via USB, Thunderbolt or network AFP and SMB.
I usually copy the Installer from the disk image into the Applications folder on the target Mac in an admin account, and launch it from there with the disk image unmounted. I’ve tested and seen no difference whether I launch the Installer app straight from the disk image or not. I’ve seen same behaviour also if I zip compress the macOS Installer app in the Finder, but this was a while back. I stopped archiving the Installers this way because certain versions of macOS could no longer decompress the files. That’s why I moved to storing them in disk images.

LikeLiked by 1 person
- 8
  
  hoakley on February 17, 2023 at 3:13 pm
  
  I’m sorry, but on the information that you provided that is my best opinion. Both the screenshots you provided refer explicitly to the disk image. Are you telling me that you see identical error messages when the installer has been copied to /Applications, because if you do it’s extraordinary that they should refer to a disk image that’s no longer there.
  I suggest that you contact Apple Support.
  Howard.
  
  LikeLike
9

Gideon on February 17, 2023 at 3:24 pm

The error message will likely correspond to the context. But the procedure is the very same. I’ll have to investigate further. It works but just quite annoying and I’m surprised for the kind of Alert message (false positive?) I seem to be provoking.

LikeLiked by 1 person
- 10
  
  hoakley on February 17, 2023 at 5:10 pm
  
  “The error message will likely correspond to the context”
  Er, although they don’t always, the error message should help identify where the error is occurring. In the case you showed, it was occurring when running the installer from an unsigned disk image, and specifically identified that as a problem, the sort of thing that is checked by Gatekeeper.
  Howard.
  
  LikeLike
- 11
  
  hoakley on February 17, 2023 at 5:29 pm
  
  In an attempt to reproduce the problem you have described, I just followed my usual actions with the 13.2 installer app in 13.2.1. I first compressed the app with Cormorant, then copied it across from my iMac Pro to my Mac Studio using AirDrop. On my Studio, I moved the compressed file to ~/Documents, where I decompressed it using Cormorant. I then dragged the installer app into /Applications, and double-clicked it in the Finder. After its normal long period of self-verification, the installer opened without errors or warnings and was ready to install macOS 13.2.
  So I don’t understand what you are doing that is breaking that, but there’s nothing wrong with the installer app.
  Howard.
  
  LikeLike
12

Gideon on February 17, 2023 at 8:19 pm

Here the two screenshots of the Alert windows when the macOS Installer app is launched from the Applications folder.

(The disk image of the 12.6.3 Installer app was created on the 24th of January 2023)

LikeLiked by 1 person
- 13
  
  hoakley on February 17, 2023 at 8:25 pm
  
  Sorry, but Dropbox says those images were deleted.
  Which version of macOS are you trying to run that on?
  Howard
  
  LikeLike
14

Gideon on February 17, 2023 at 8:25 pm

Sorry, I had to redo the links to the screenshots.

The not identifiable developer is Apple!?

LikeLiked by 1 person
15

Gideon on February 17, 2023 at 8:27 pm

MacBook Pro 13″ M1 running macOS 12.6.3

LikeLiked by 1 person
- 16
  
  hoakley on February 17, 2023 at 8:28 pm
  
  Does it have a clear internet connection without any firewall?
  Howard
  
  LikeLike
17

Gideon on February 17, 2023 at 8:34 pm

Yes, sure.
It has always installed without a problem. Just have to get past those strange Alerts.
If I download without making a disk image, then these Alerts are never present.
I have Content Caching on one of the Macs on the network running macOS 12.6.3 (Intel).

LikeLiked by 1 person
- 18
  
  hoakley on February 17, 2023 at 9:26 pm
  
  “If I download without making a disk image, then these Alerts are never present.”
  I’m sorry, I thought you said that you always got the alerts, even without the disk image. Anyway, to take out all the possible glitches that could occur, this is what I suggest you try:
  – download my free Cormorant and install it in the main Applications folder of each Mac
  – locate an installer you want to try on Mr Macintosh’s site, and download it from there
  – install that on your Mac, to reconstitute it into the full installer app
  – drag and drop that app onto Cormorant’s window to compress it into a .aar file
  – copy that .aar file to a target Mac already running the same base version of macOS
  – drag and drop that .aar file there onto Cormorant’s window to turn it back into the installer app
  – move that app into its main /Application folder
  – double-click that installer app, wait a couple of minutes for it to self-verify, then the Installer should open normally.
  Let me know if you encounter any problems with that.
  If you want to try this with a direct download of the installer using softwareupdate, you might consider temporarily disabling your Content Caching server, as there is a bug in that, although I’ve never seen it affect macOS installers.
  I wish you success.
  Howard.
  
  LikeLike
19

Gideon on February 20, 2023 at 8:48 am

Thanks Howard for your suggestions, this is what I found.

Downloaded macOS 13.0.1 Installer from Mr Macintosh on Intel Mac with macOS 12.6.3 and followed my normal procedure with Disk Utility and file copy over wired network. No changes to Network or macOS Content Caching etc. Copied macOS Installer to Applications from disk image on target M2 Pro Mac with macOS 13.0 and launched the app without any alerts. Repeated the same steps replacing disk image creation with your Cormorant app; same result.
I then completed the above tests with same macOS Installer version downloaded through Terminal via softwareupdate command. Again no alerts at launch of the macOS Installer on target Mac.
Next I repeated the tests again with another target M2 Mac with macOS 12.5. This time downloading macOS Installer 12.6.3 via Terminal on the Intel Mac and creating disk image the usual way, transferring over network etc. No alerts on launch of the macOS Installer.
In order to double-check I copied the macOS Installer 12.6.3 from my January disk image to the Applications folder on the M2 Mac. On launching, the alerts appeared again.
Apart from the date and time when the download and disk image creation took place,
I can only see a possible change in macOS and Disk Utility versions used on my Intel Mac, that I have used to create the images (Big Sur/ Monterey). The recent testing involved only Apple Silicon target Macs, however in the past I do not remember seeing this to have mattered regarding the alerts. Perhaps there was a bug that Apple has since removed. I had mentioned, that on some occasions in the past I did not get the alerts. This could have been because on an odd instance I might have created the disk image on a target Mac with newer macOS version, rather than others normally done on my main Intel Mac.

LikeLiked by 1 person
- 20
  
  hoakley on February 20, 2023 at 4:37 pm
  
  It sounds like you have solved your problem, then?
  Howard.
  
  LikeLike
21

Gideon on February 20, 2023 at 5:17 pm

Not really for my existing archives – but as it looks, newer archives seem to work. Time will tell.
By the way, your app Cormorant is amazingly efficient!

LikeLiked by 1 person
- 22
  
  hoakley on February 20, 2023 at 5:35 pm
  
  Thank you.
  Cormorant simply uses Apple’s example code for using the AppleArchive API in macOS – nothing clever on my part.
  Howard.
  
  LikeLike