Apple will enforce app notarization for macOS Catalina in February

Posted in Mac Software, edited February 2020
Apple has warned developers that it will be reinstating the app notarization requirements it set out for macOS Catalina, with the transition period for macOS software distributed outside the Mac App Store ending at the start of February 2020.

The notarization policies for macOS Catalina were announced in June at the Worldwide Developers Conference, with the intention of improving security for end users. To keep the rollout of macOS Catalina smooth, full enforcement of the requirements was delayed, but an announcement by Apple reveals that the grace period will end in early 2020.

In a post to the Apple Developer site, Apple confirms "all submitted software must meet the original notarization prerequisites" starting from February 3, 2020.

The new policies require developers to submit their apps to Apple for a notarization security check, or they won't run in macOS Catalina. An extension of the existing Gatekeeper process, which previously treated notarization as optional, the requirement is designed to ensure downloaded software comes from the source users believe it does.

Apps submitted for notarization are scanned automatically by Apple for security issues and malicious code. While Mac App Store apps undergo stringent checks before being made available, notarization aims to provide a similar level of safety and security to users downloading apps from third-party servers, such as those owned and managed by an app's developer.

Under interim terms that commenced in September, Apple notarizes apps that do not have the Hardened Runtime capability enabled, that include components not signed by a Developer ID, that do not include a secure timestamp with the developer's code-signing signature, that were built using an older SDK, or that include a "get-task-allow" security entitlement.

The grace period gave developers time to complete the notarization process while still protecting users running older versions of third-party software on Catalina.

Apple warns developers who have yet to upload their software to the notary service to do so and to review the warnings in the developer log. From February 3 those warnings become errors, and they will need to be fixed for the software to be notarized.
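As an added example (not Apple's tooling and not code from the article), the following Python check audits the output of `codesign -dvv` and an app's entitlements plist for the prerequisites listed above: Developer ID signature, hardened runtime, secure timestamp, and absence of `get-task-allow`. The `audit_bundle` helper and the `--entitlements :-` XML output format are assumptions; the "older SDK" prerequisite is not checked.

```python
import plistlib
import re
import subprocess

# Hypothetical helper (added example, not Apple tooling): parse the text that
# `codesign -dvv <bundle>` prints plus the bundle's entitlements (XML plist) and
# report which notarization prerequisites are unmet (the SDK check is omitted).
def audit_signature(codesign_output: str, entitlements_xml: str) -> list:
    problems = []
    if "not signed at all" in codesign_output or "Signature=adhoc" in codesign_output:
        problems.append("not signed with a Developer ID certificate")
    else:
        # The leaf certificate must be a Developer ID Application certificate.
        if not re.search(r"^Authority=Developer ID Application:", codesign_output, re.M):
            problems.append("leaf certificate is not a Developer ID Application certificate")
        # Hardened runtime shows up as the 'runtime' flag on the CodeDirectory line.
        m = re.search(r"^CodeDirectory .*flags=0x[0-9a-f]+\(([^)]*)\)", codesign_output, re.M)
        if not m or "runtime" not in m.group(1).split(","):
            problems.append("hardened runtime not enabled (sign with --options runtime)")
        # A secure timestamp is printed as a Timestamp= line.
        if not re.search(r"^Timestamp=", codesign_output, re.M):
            problems.append("no secure timestamp (sign with --timestamp)")
    ents = plistlib.loads(entitlements_xml.encode()) if entitlements_xml.strip() else {}
    if ents.get("com.apple.security.get-task-allow"):
        problems.append("get-task-allow entitlement present (debug build?)")
    return problems

def audit_bundle(path: str) -> list:
    """macOS only: run codesign on a real bundle. Assumes `--entitlements :-`
    prints an XML plist, as it did on Catalina (assumption)."""
    sig = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                          capture_output=True, text=True)
    return audit_signature(sig.stderr + sig.stdout, ents.stdout)

# Constructed sample: Developer ID-signed debug build, no hardened runtime, no timestamp.
SAMPLE_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
CodeDirectory v=20200 size=512 flags=0x0(none) hashes=12+5 location=embedded
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""
SAMPLE_ENTITLEMENTS = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>com.apple.security.get-task-allow</key><true/></dict></plist>"""

if __name__ == "__main__":
    for p in audit_signature(SAMPLE_CODESIGN, SAMPLE_ENTITLEMENTS):
        print("warning:", p)
```

Run against the constructed sample it reports the three blockers that the interim terms tolerated but that become errors on February 3.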

Comments

  • Reply 1 of 31
    razorpit Posts: 1,796 member
    So does that mean this will no longer work?
    sudo xattr -r -d com.apple.quarantine /Applications/[name_of_application_bundle_here].app


  • Reply 2 of 31
    dysamoria Posts: 3,430 member
    Will we the users still be able to run anything we like, so long as we go into System Preferences and choose “open anyway”?
  • Reply 3 of 31
    tjwolf Posts: 424 member
    WTF?  What does this mean for all the open-source stuff developers depend on?  E.g. apache projects?  Will Apache go through this signing process?  What about stuff installed via 'brew'?  Java VMs, etc., etc.....


  • Reply 4 of 31
    tjwolf said:
    WTF?  What does this mean for all the open-source stuff developers depend on?  E.g. apache projects?  Will Apache go through this signing process?  What about stuff installed via 'brew'?  Java VMs, etc., etc.....
    Not every binary, as I understand. Apache is a service already included in macOS distribution. Apple mentions apps, Plug-ins, installer packages and kernel extensions as to be notarized. This is nothing more than an Xcode bureaucracy, not a big deal that will cause you to hold your breath. 
    edited December 2019
  • Reply 5 of 31
    Unless I misunderstand this, notarization is an automated, real-time process - correct? It is just one extra step before the developer distributes. I don't see the issue for either developers or end-users - this won't stop side-loading of apps on the Mac.
  • Reply 6 of 31
    sflocal Posts: 6,110 member
    As much as I hate it... I wonder how Java will fit into this.  We have development tools that require Java.  Right now, everything runs fine on Catalina, yet the first upgrade a few days ago to one of our IBM tools failed to work due to some funky security issue with Catalina requiring me to revert back to the original binaries that were working fine in Catalina.

    Security is always a good thing.  I think I'm just seeing the tip of a very big iceberg approaching.
  • Reply 7 of 31
    My biggest concern is: what does this all mean for in-house developed apps?
    Our company's operation depends on in-house software.
  • Reply 8 of 31
    dysamoria said:
    Will we the users still be able to run anything we like, so long as we go into System Preferences and choose “open anyway”?
    I’d like to know the answer to this too!
  • Reply 9 of 31
    Would anyone with actual knowledge of how this limitation will affect our control of what we can run on our Macs please post. Sounds like a step too far towards iOS... I hope we can turn this off?
  • Reply 10 of 31
    tjwolf said:
    WTF?  What does this mean for all the open-source stuff developers depend on?  E.g. apache projects?  Will Apache go through this signing process?  What about stuff installed via 'brew'?  Java VMs, etc., etc.....


    Nothing has changed. No version of Catalina shipped without requiring, by default, the notarization of all software created after June 1st, 2019.

    The server-side rules have changed; absolutely nothing on the client side is changing.
  • Reply 11 of 31
    razorpit said:
    So does that mean this will no longer work?
    sudo xattr -r -d com.apple.quarantine /Applications/[name_of_application_bundle_here].app


    This 100%. 

    The team which designed the entire quarantine process must have been high on crack. The design is miserably broken if you do anything more than write live poems on Word/Pages.

    I so dislike the implementation.

    I hope the above still works.
  • Reply 12 of 31
    elijahg Posts: 2,789 member
    Things like this that're seen as overly draconian will just result in guides on the internet saying "to permanently turn off this annoying "do you really want to open this" dialog, run this sudo terminal command", which is much more dangerous and ultimately reduces security - conditioning users that it's ok to run a terminal command from a random blog -  than just allowing anything as long as it isn't flagged by Gatekeeper.

    These dialogs are annoying enough as they are now let alone with more in Catalina - I want Gatekeeper to be silent unless it detects a malicious binary; not pestering me each time I run something unsigned that's new or updated. The commonality of the "do you give permission to open" dialogs is such that they're probably at a level that people automatically click OK every time they see them anyway without considering their message. I fear these dialogs will end up similarly meaningless to the Windows Vista (and 7 to some extent) UAC authentication dialogs.
    edited December 2019
  • Reply 13 of 31
    slurpy Posts: 5,385 member
    steven n. said:
    razorpit said:
    So does that mean this will no longer work?
    sudo xattr -r -d com.apple.quarantine /Applications/[name_of_application_bundle_here].app


    This 100%. 

    The team which designed the entire quarantine process must have been high on crack. The design is miserably broken if you do anything more than write live poems on Word/Pages.

    I so dislike the implementation.

    I hope the above still works.

    Really? I use maybe 30 pro apps for design/development, and haven't seen anything "miserably broken" in Catalina. 

    But maybe I'm actually imagining all that, and in reality I'm writing poems in pages. 


  • Reply 14 of 31
    steven n. Posts: 1,229 member
    slurpy said:
    steven n. said:
    razorpit said:
    So does that mean this will no longer work?
    sudo xattr -r -d com.apple.quarantine /Applications/[name_of_application_bundle_here].app


    This 100%. 

    The team which designed the entire quarantine process must have been high on crack. The design is miserably broken if you do anything more than write live poems on Word/Pages.

    I so dislike the implementation.

    I hope the above still works.

    Really? I use maybe 30 pro apps for design/development, and haven't seen anything "miserably broken" in Catalina. 

    But maybe I'm actually imagining all that, and in reality I'm writing poems in pages. 


    If you have tools which auto generate test scripts, trust me, it is miserably broken beyond belief. The team was high on crack or their own self importance. 
  • Reply 15 of 31
    GeorgeBMac Posts: 11,421 member
    My biggest concern is: what does this all mean for in-house developed apps?
    Our company's operation depends on in-house software.

    Yeh, that's a legitimate concern -- and it echoes the ongoing battle between control versus free-wheeling that has been ongoing in the computer industry since the 90's:

    I was a developer (among other duties) mostly involved with financial applications running on IBM mainframes for Fortune 500 corporations.  The requirements there were in order of importance:
    1)  Absolute, total integrity of the application (both software and data)
    2a)  Functionality
    2b)  Cost to develop and maintain
    3)  Ease of use

    On the flip side of that were hot-shot power users with a PC whose claim to fame was being able to develop an "Application" in days or weeks rather than months and years and at a small fraction of the cost -- and they could!  They weren't lying.

    But, the part they missed was the #1 requirement for mainframe based systems:   Absolute, uncompromising integrity of both software and data.  And that meant it was always 100% accurate and never, ever failed.  (Can you imagine telling 4,000 steel workers that they wouldn't get paid because the computer had died?  Or, the programmer/operator was sick with the flu?).  As such, the mainframe systems incorporated multiple, expensive and complex layers to ensure that they never failed.   Ever.

    So, to an extent, this thing with home grown systems and Apple sign-off is an extension of that:   Apple wants to ensure the integrity of their systems and some users simply say "Forget that, I need this App!".
    ....  What makes it really tough is that they both have a legitimate point.  Both are right and neither is wrong.
  • Reply 16 of 31
    auxio Posts: 2,746 member
    steven n. said:
    slurpy said:
    steven n. said:
    razorpit said:
    So does that mean this will no longer work?
    sudo xattr -r -d com.apple.quarantine /Applications/[name_of_application_bundle_here].app


    This 100%. 

    The team which designed the entire quarantine process must have been high on crack. The design is miserably broken if you do anything more than write live poems on Word/Pages.

    I so dislike the implementation.

    I hope the above still works.

    Really? I use maybe 30 pro apps for design/development, and haven't seen anything "miserably broken" in Catalina. 

    But maybe I'm actually imagining all that, and in reality I'm writing poems in pages. 


    If you have tools which auto generate test scripts, trust me, it is miserably broken beyond belief. The team was high on crack or their own self importance. 
    It's funny, I hear some of the same complaints from people at my company.  And yet, every time I take the time to really dig into their complaints, I somehow always seem to find a different way of solving the problem which, in their blind rage against Apple, they didn't bother to investigate.  Sometimes people would rather just stew in their anger than do things a different way.

    I do plenty of automated testing on the software I write, and it all works fine in Catalina.
  • Reply 17 of 31
    ylon Posts: 50 member
    This kind of behavior from Apple is precisely why we haven't "upgraded" our 20 Macs to Catalina at our software dev firm. Clearly we won't be upgrading now until we can see more clearly Apple's roadmap and if we need to take other precautions. We will *NOT* allow ourselves to be controlled like this by an operating system that feels like it has some duty to enforce these kinds of "protections" for its users. It is not what we nor anyone we know wants.

    Shame be upon you Apple for losing your way under this guise or facade you've set forth. Mojave might be our OS of choice for the next 5 years or so until we figure out another option.
    edited December 2019
  • Reply 18 of 31
    My biggest concern is: what does this all mean for in-house developed apps?
    Our company's operation depends on in-house software.

    Yeh, that's a legitimate concern -- and it echoes the ongoing battle between control versus free-wheeling that has been ongoing in the computer industry since the 90's:

    I was a developer (among other duties) mostly involved with financial applications running on IBM mainframes for Fortune 500 corporations.  The requirements there were in order of importance:
    1)  Absolute, total integrity of the application (both software and data)
    2a)  Functionality
    2b)  Cost to develop and maintain
    3)  Ease of use

    On the flip side of that were hot-shot power users with a PC whose claim to fame was being able to develop an "Application" in days or weeks rather than months and years and at a small fraction of the cost -- and they could!  They weren't lying.

    But, the part they missed was the #1 requirement for mainframe based systems:   Absolute, uncompromising integrity of both software and data.  And that meant it was always 100% accurate and never, ever failed.  (Can you imagine telling 4,000 steel workers that they wouldn't get paid because the computer had died?  Or, the programmer/operator was sick with the flu?).  As such, the mainframe systems incorporated multiple, expensive and complex layers to ensure that they never failed.   Ever.

    So, to an extent, this thing with home grown systems and Apple sign-off is an extension of that:   Apple wants to ensure the integrity of their systems and some users simply say "Forget that, I need this App!".
    ....  What makes it really tough is that they both have a legitimate point.  Both are right and neither is wrong.
    So what should Apple do to strike a balance?
  • Reply 19 of 31
    macgui Posts: 2,389 member
    This is only a concern if Apple stops allowing you to go to System Preferences > Security & Privacy > Allow apps downloaded from > and then unlock and click Open anyway or whatever.

    They won't stop that. Ninnies are running around screaming 'The sky is falling! for no fucking reason. It's one thing to ponder possibilities, but being little wussies about it is just silly at best. 

    Get a grip. Run the sudo if you want. I won't, and Apple would be smart to block it. They have three hurdles you can jump at your own peril. If you want to side load an app that bad, it's on you, and that's ok. They know there's good software outside of the garden walls their users need and they won't deny that.
  • Reply 20 of 31
    ylon said:
    This kind of behavior from Apple is precisely why we haven't "upgraded" our 20 Macs to Catalina at our software dev firm. Clearly we won't be upgrading now until we can see more clearly Apple's roadmap and if we need to take other precautions. We will *NOT* allow ourselves to be controlled like this by an operating system that feels like it has some duty to enforce these kinds of "protections" for its users. It is not what we nor anyone we know wants.

    Shame be upon you Apple for losing your way under this guise or facade you've set forth. Mojave might be our OS of choice for the next 5 years or so until we figure out another option.
    Dude , chill. I use Catalina with all sorts of dev tools with no issues. I have way more trouble with our corporate IT trying to lock down/neuter our Windows 10 machines because they don’t get what developers actually do.