Get Your Mac Software Notarized


#1

In the recent News and Updates from Apple Developer

Get Your Mac Software Notarized
October 19, 2018

macOS Mojave is here. Give Mac users even more confidence in your software distributed outside the Mac App Store by submitting it to Apple to be notarized. When users on macOS Mojave first open a notarized app, installer package, or disk image, they’ll see a more streamlined Gatekeeper dialog and have confidence that it is not known malware.

Download Xcode 10 and submit your software today. In an upcoming release of macOS, Gatekeeper will require Developer ID–signed software to be notarized by Apple.

Learn about getting your software notarized

So let's make a small review of all the differences between signed and non-signed apps, on the Mac App Store or not, notarized or not, Gatekeeper, etc.


So, the good news is that if you already bought into the Apple Developer Program to get an iOS certificate to publish on mobile, you got certificates for macOS apps and Safari extensions at the same time.

The little trick with the macOS certificates is that by default you get Mac App Distribution and Mac Installer Distribution certificates to publish your app on the Mac App Store, but you need to go into the online account to generate the other kinds of certificates: Developer ID Application and Developer ID Installer.

Those are useful if you want to sign and publish outside of the Mac App Store, and also to sign and publish command-line apps.

If you do a small test on the command line, you can see whether you have those installed or not:
$ security find-identity -p codesigning

For example, mine are:

3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)
3rd Party Mac Developer Installer: Zwetan Kjukov (4AT3SFJR6C)

You will use command-line tools:

  • codesign to sign an app
    with 3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)
  • pkgbuild to sign an installer
    with 3rd Party Mac Developer Installer: Zwetan Kjukov (4AT3SFJR6C)

See Apple Developer Certificates and Signing Under Mac OS X for more details and how-to.


If you do plan to distribute a desktop app on macOS, you will have to deal with Gatekeeper…

Apple introduced Gatekeeper in OS X 10.8 Mountain Lion

eg.

Gatekeeper is a feature introduced in OS X Mountain Lion that helps
protect users from downloading and installing malicious software.
Signing your applications, plug-ins, and installer packages with a
Developer ID certificate lets Gatekeeper verify that they are not
known malware and have not been tampered with.

And since then, even if you can still build and distribute apps that are not signed, it has become more and more complicated to install a non-signed app (see for example VLC, FileZilla, etc.).

Also, for command-line apps, since macOS 10.13 High Sierra, Gatekeeper prevents you from installing binaries in the /usr path; you have to install them in /usr/local.

And now, I assume that in the macOS coming after macOS 10.14 Mojave (so that would be macOS 10.15), not only will you have to sign an application, but you will also have to notarize it.

eg.

Download Xcode 10 and submit your software today. In an upcoming release of macOS, Gatekeeper will require Developer ID–signed software to be notarized by Apple.

Note the change of attitude from Apple about malware:

In early 2011, Mac OS X experienced a large increase in malware attacks, and malware such as Mac Defender, MacProtector, and MacGuard were seen as an increasing problem for Mac users. At first, the malware installer required the user to enter the administrative password, but later versions were able to install without user input. Initially, Apple support staff were instructed not to assist in the removal of the malware or admit the existence of the malware issue, but as the malware spread, a support document was issued.

So my advice would be to try out and test this notarized thingy while it is not required yet, because it is pretty much sure it will be required later on.


From what can be read on the official page Signing Your Apps for Gatekeeper

Get Your Software Notarized

Give users even more confidence in your software by submitting it to Apple to be notarized. The service automatically scans your Developer ID-signed software and performs security checks. When it’s ready to export for distribution, a ticket is attached to your software to let Gatekeeper know it’s been notarized.

For step by step details on uploading your Mac software to be notarized, see the Xcode Help Guide.

Submitting with Xcode

Unpublished Software. It’s easy to get unpublished software notarized with the Export process or xcodebuild. Custom build workflows are supported by the xcrun altool command line tool for uploading, and you can use xcrun stapler to attach the ticket to the package.

Published Software. To submit software you’ve already published, upload it using the xcrun altool command line tool. Several file types are supported, including .zip, .pkg, and .dmg, so you can upload the same package you already distribute to users.

Viewing Upload Logs

In addition to checking for malicious software, the notary service catches common code signing problems that can prevent your software from installing properly. If notarization fails for your upload, check the status log for details.

So I have not tried it yet, but it seems you don’t have to notarize your software every time you publish; it looks like it is a one-time process where you get a “ticket” and then you can use xcrun stapler to attach this ticket to an installer.

It is a bit strange: the whole idea of having a signing certificate is to associate an identity with a piece of software, so if the identity publishes malware you can just ban them, which in turn revokes whatever software that identity published in the past with that associated certificate.

But there it seems Apple wants to “manually” review the app itself, hence that notarized ticket, kind of the equivalent of code review for mobile.
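
The post's own `security find-identity` listing shows only the two Mac App Store identities, while the quoted Apple text says the notary service scans Developer ID-signed software. As an added example (not part of the original post), the shell functions below read that command's output and report which of the four certificate kinds are usable; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the identities listed by
#   security find-identity -p codesigning
# Constructed sample in that command's layout; hashes, name and team ID
# are placeholders, not real identities.
SAMPLE_OUTPUT='Policy: Code Signing
  Matching identities
  1) AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "3rd Party Mac Developer Application: Example Dev (TEAMID0000)"
  2) BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB "3rd Party Mac Developer Installer: Example Dev (TEAMID0000)"
  3) CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "Developer ID Application: Example Dev (TEAMID0000)" (CSSMERR_TP_CERT_EXPIRED)
     3 identities found'

# has_identity KIND: reads a find-identity listing on stdin and succeeds
# only if an identity of that kind is listed without an error flag.
has_identity() {
    # Entry lines look like:  N) <hex hash> "KIND: Name (TEAMID)" [(CSSMERR_...)]
    grep -E "^ *[0-9]+\) [0-9A-Fa-f]+ \"$1: " | grep -v 'CSSMERR_' | grep -q .
}

# distribution_report: print present/missing for each certificate kind
# the post mentions (two for the Mac App Store, two Developer ID).
distribution_report() {
    listing=$(cat)
    for kind in "3rd Party Mac Developer Application" \
                "3rd Party Mac Developer Installer" \
                "Developer ID Application" \
                "Developer ID Installer"; do
        if printf '%s\n' "$listing" | has_identity "$kind"; then
            echo "present: $kind"
        else
            echo "missing: $kind"
        fi
    done
}

# notarization_ready: succeeds only if an app could be Developer ID-signed,
# which is what the notary service expects to receive.
notarization_ready() {
    has_identity "Developer ID Application"
}

# Demo on the constructed sample. On a Mac, pipe the real listing instead:
#   security find-identity -p codesigning | distribution_report
printf '%s\n' "$SAMPLE_OUTPUT" | distribution_report
```
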