Apple's macOS Catalina is first to require app notarization by default

Posted:
in General Discussion edited June 4
Apps that have not passed through Apple's software security process will be prevented from running on macOS Catalina by an updated version of Gatekeeper.




Developers intending to support the forthcoming macOS Catalina must submit their apps to Apple's notarizing security process or they will not run.

The new measure is an extension to the existing Gatekeeper process which optionally allowed developers to submit their apps. Apple says the requirement is designed to ensure downloaded software is from the source users believe it is.

"Mac apps, installer packages, and kernel extensions that are signed with Developer ID must also be notarized by Apple in order to run on macOS Catalina," said the company in a new developer page. "This will help give users more confidence that the software they download and run, no matter where they get it from, is not malware by showing a more streamlined Gatekeeper interface."

The process involves a registered developer sending Apple their software, which is automatically scanned to look for malicious code and other potential security issues. It's intended for developers who distribute their apps outside of the Mac App Store. Apps within the store already go through similar security procedures.

The Notarized Apps feature was first announced as an option at 2018's WWDC, but Apple has been working to make it mandatory.

The new macOS Catalina was announced at the 2019 WWDC and beta versions of the software have already been made available to developers.
«1

Comments

  • Reply 1 of 34
    pigybankpigybank Posts: 164member
    I hope there’s a way to manually override it.  I don’t want Apple deciding what I can or cannot run on my Mac. 
    netroxtyler82davgregmonstrositykestralmichelb76razorpitminicoffeeelijahg
  • Reply 2 of 34
    eightzeroeightzero Posts: 2,448member
    Court filings in 3...2...1...
  • Reply 3 of 34
    netroxnetrox Posts: 759member
    Hopefully there's a way for us power users to override it as we can with current one.
    razorpit
  • Reply 4 of 34
    eightzero said:
    Court filings in 3...2...1...

    Apple doesn't force you to run MacOS on their hardware, nor do they prevent you from running alternatives.

    They also don't force you to run only the newest version of macOS either

    Plus, the whole notarization process is more like a cloud-based antivirus than App Store approval

    https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
    edited June 3 racerhomie3lolliverkrreagan2ravnorodomwatto_cobrajony0
  • Reply 5 of 34
    yuck9yuck9 Posts: 74member
    Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. Beginning in macOS 10.15, notarization is required by default for all software.
    watto_cobra
  • Reply 6 of 34
    davgregdavgreg Posts: 431member
    Although I know this will break some older SW that I have it seems like the prudent thing to do.
    lolliverlostkiwijony0
  • Reply 7 of 34
    pigybank said:
    I hope there’s a way to manually override it.  I don’t want Apple deciding what I can or cannot run on my Mac. 
    The article explains that notarization means that if developer X makes an app that you want to install, that your Mac will verify that the app you are installing is indeed from developer X..

    So, your reaction to that is 'I hope I can override it'... i.o.w. you want to be able to install an app that pretends it is from developer X but in fact isn't?  Yeah, I can definitely see how that would be useful..

    ¯\_(ツ)_/¯ 
    lowededwookielollivertmayracerhomie3lostkiwiwatto_cobrajony0
  • Reply 8 of 34
    eightzeroeightzero Posts: 2,448member
    eightzero said:
    Court filings in 3...2...1...

    Apple doesn't force you to run MacOS on their hardware, nor do they prevent you from running alternatives.

    They also don't force you to run only the newest version of macOS either

    Plus, the whole notarization process is more like a cloud-based antivirus than App Store approval

    https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
    I expect just this in the responsive pleading. 
  • Reply 9 of 34
    I think it is pretty clear that software that is signed with a developer ID (which is most of the software out there really) has to be notarized as well. I think that is fairly reasonable as the developer are going through the trouble with the ID anway and it does add an extra layer of protection I guess.

    The real question in my opinion is if software without the signature with a developer ID can still run on macOS by bypassing gatekeeper (right click, open). If that is closed down we have a problem a and there will be a very low adoption rate.
    elijahg
  • Reply 10 of 34
    javacowboyjavacowboy Posts: 820member
    How will this impact open source software, homebrew, etc?
    razorpit
  • Reply 11 of 34
    sirozhasirozha Posts: 579member
    pigybank said:
    I hope there’s a way to manually override it.  I don’t want Apple deciding what I can or cannot run on my Mac. 
    The article explains that notarization means that if developer X makes an app that you want to install, that your Mac will verify that the app you are installing is indeed from developer X..

    So, your reaction to that is 'I hope I can override it'... i.o.w. you want to be able to install an app that pretends it is from developer X but in fact isn't?  Yeah, I can definitely see how that would be useful..

    ¯\_(ツ)_/¯ 
    If you don’t understand how this would be useful you are not a power user. I use software written by so many entities, and some of them no longer update the software. The new macOS would make my life a complete hell trying to chase every developer to see if they would release a new version authenticated by Apple. A percentage of the software will not be able to run on the new macOS at all. You know what that means? For the first time in my life I will not be upgrading to the new macOS. 
    edited June 3 razorpitdysamoriaelijahg
  • Reply 12 of 34
    If we can't load an app without Apple's approval then this is terrible news and a reason for people to not upgrade. Here are three reasons.

    1. We already have a working precedent.
    Some may argue that a decade long precedent with iOS (and later WatchOS devices) means that this is normal and acceptable.

    However, we shouldn’t forget how controversial the ‘Walled Garden’ approach established with iOS was at the time. We were told it was justified because iOS and WatchOS devices need extra protection so that they can perform at all times - especially in critical moments. We were also told that kids needed protection when they used phones. We trusted Apple on the first argument but the second argument was always specious because mobile devices have unfettered access to the internet. 

    But the first argument doesn't apply to our laptops and desktops. The real precedent is that we we’ve already learned to use these devices over many decades. In a world where malicious actors phish and send trojan code, Apple's 'right click' override was an acceptable compromise. This approach balanced the freedoms we need in a dangerous digital world.

    2. Apple shouldn't have this power.
    We shouldn't be in a position where people all over the world have to trust a single CEO of a single company located in single country of the world with what we load onto our computers. I’m not a US citizen. Why should I trust a foreign national to determine my computing needs? It’s entirely unacceptable! And Apple has already shown a willingness to ban apps for ideological reasons. See here


    There were wrong to do this in the past and we shouldn't trust them or any other company with this extraordinary power. And it is extraordinary. Let no one say otherwise. There is growing pressure on free speech all around the world and it's coming from both the extreme left and the extreme right. Each side wants to shut down the opportunity to hear ideas they don't like. Truly pluralistic and tolerant cultures allow people to say things that not everyone likes. 

    3. It's impractical
    As has already been noted by @Sirozha, no computer user should be in a situation where they need to wait for Apple to approve of an application they want to use. It doesn't need much imagination to think of all kinds of scenarios where this could be much more than annoying. It could be mission critical - the very argument Apple made with iOS for needing their walled garden.
    ElCapitanJosephAUrazorpitgatorguy
  • Reply 13 of 34
    michelb76michelb76 Posts: 96member
    How will this impact open source software, homebrew, etc?
    Homebrew and other unix utilities are not 'Mac apps, installer packages, and kernel extensions' so they should work just fine.
    watto_cobra
  • Reply 14 of 34
    SoliSoli Posts: 9,208member
    Not unexpected, but that's a lot of whining over something small. If you don't want to have your app notarized then don't sign it.

    watto_cobra
  • Reply 15 of 34
    ouy97778ouy97778 Posts: 2member
    Soli said:
    Not unexpected, but that's a lot of whining over something small. If you don't want to have your app notarized then don't sign it.

    Do you know for a fact that unsigned apps do not need to be notarized? It seems like it but I haven't seen any confirmation of this.

    Also there is a lot of applications that are signed out there that will not work unless the developer decides to get it notarized and publish a new release.

    I hope there is some kind of defaults override for users who know what they are doing.
    razorpit
  • Reply 16 of 34
    sirozha said:
    If you don’t understand how this would be useful you are not a power user. I use software written by so many entities, and some of them no longer update the software. The new macOS would make my life a complete hell trying to chase every developer to see if they would release a new version authenticated by Apple. A percentage of the software will not be able to run on the new macOS at all. You know what that means? For the first time in my life I will not be upgrading to the new macOS. 

    If you have the app installed already you will not be affected obviously and the developers will only bring out a new version when they comply, and if they no longer support the app it is not even an issue, so your routine does not have to change..  

    Only thing prevented is that you install an app that tries to trick you into believing it is from a trusted developer even though it isn't..
  • Reply 17 of 34
    knowitallknowitall Posts: 1,425member
    pigybank said:
    I hope there’s a way to manually override it.  I don’t want Apple deciding what I can or cannot run on my Mac. 
    The article explains that notarization means that if developer X makes an app that you want to install, that your Mac will verify that the app you are installing is indeed from developer X..

    So, your reaction to that is 'I hope I can override it'... i.o.w. you want to be able to install an app that pretends it is from developer X but in fact isn't?  Yeah, I can definitely see how that would be useful..

    ¯\_(ツ)_/¯ 
    Your logic if failing: not signing doesn't exclude kosher apps.
    razorpit
  • Reply 18 of 34
    majorslmajorsl Posts: 119unconfirmed, member
    michelb76 said:
    How will this impact open source software, homebrew, etc?
    Homebrew and other unix utilities are not 'Mac apps, installer packages, and kernel extensions' so they should work just fine.
    There are plenty of Open Source Software examples that are indeed Apps and some use Installer Packages.  Many in the hard sciences are not commercial products, but are release by researchers, universities and the community at large.  That's just an example of one segment.
    razorpitdysamoriacharlesatlasgatorguyelijahg
  • Reply 19 of 34
    razorpitrazorpit Posts: 961member
    Apple doesn't force you to run MacOS on their hardware....
    No but they sure as hell nag the sh*t out of you until you do.
  • Reply 20 of 34
    razorpitrazorpit Posts: 961member
    So what happens to apps like MakeMKV? I can't imagine Apple issuing the creators of that software a certificate. What happens when Plex becomes too much of a competitor? What happens when Apple decides DiskWarrior is no longer needed and could cause more harm than good? 
    elijahg
Sign In or Register to comment.