The Gates to Hell: Apple’s Notarizing

312 points by _xrjp, about 4 years ago

29 comments

mmastrac, about 4 years ago
Notarization has been a nightmare of a solution to a problem that isn't effective. You can get practically as much security by pushing malware signatures to the client without the massive privacy overreach of having Apple archive each and every bit of code that you generate for distribution.

This is just Apple's overreach extended to the desktop. Excessive control that makes developers' lives hell while adding barely any security on top.

galad87, about 4 years ago
I wrote a little sh script to notarize HandBrake two (or maybe three) years ago, and that was it. It's not rocket science. But like every new thing, it required a bit of time to read the documentation and to understand what's going on.

The plugin issue described in the article is probably related to the hardened runtime, so it's unrelated to the actual notarisation process.

cwizou, about 4 years ago
The initial setup is a bit of a pain (and the documentation is a bit lacking - though much better than most Apple documentation - particularly for edge cases like mine, distributing a screensaver), but to Apple's credit the process is pretty solid and is now consistently quick. I've notarized dozens of builds of Aerial since the requirement was announced and I think only once did I have to wait to release because their service was stuck.

Minor tip: Stapling, while optional, should be recommended (and might as well be mandatory) to everyone that notarizes (you staple a certificate signed from Apple that avoids the call home when the user tries to open your software).

The only thing that slightly irks me is the contract situation, if you have a "paid" developer account, you absolutely need to sign any update to the "paid app" contract from the App Store even when you want to notarize an "out of store", open source app.

Plus it breaks my script every time...

anentropic, about 4 years ago
And, not mentioned in the article... you have to have an Apple Developer ID which costs £79/year ($99). Presumably if your subscription lapses any previously released software will stop working?

That is the part I find most offensive, if it was just difficult and buggy I would suck it up and work around it. But having to pay for the privilege is too painful, particularly if you're offering free software.

For my case (non GUI app) I can at least distribute via Homebrew and have the user build from source in a more or less automated way.

Another notarization helper tool is here: https://github.com/mitchellh/gon

Svoka, about 4 years ago
I don't get the whole panic around notarization. I maintain a big open source project, and it is quite complex. It is a game engine with downloadable plugins and lots of system integration. Notarization was easy. I didn't use Xcode GUI for it, because it has a one-line command to do it, which is more comfortable for me: https://github.com/coronalabs/corona/blob/53eeb3e31ac09f7a46c20c84c5edaf75f514ff7e/.github/workflows/build.yml#L338 Not a biggie.

karmelapple, about 4 years ago
Could we get a year added to the headline?

The blog post talks about waiting to upgrade to macOS 10.15, but the current macOS is version 11, so I'm thinking this is fairly old. Because at first I thought this might have been related to a recent info.plist vulnerability. [0]

[0] https://www.wired.com/story/macos-malware-shlayer-gatekeeper-notarization/

pornel, about 4 years ago
I've just barely got my app working with code signing (using a desperate amount of self-checks and fixups for when Xcode messes up the build or signing decides to use xattrs, which don't survive in normal archive formats).

Now I'm battling with Notarization which is exactly this hell that either pretends to work and doesn't, or spits inscrutable errors and sends me in circles between multiple tools and services.

And these days all the documentation that Apple produces is in the form of brief mentions in WWDC videos. Aaaarrggh!

I'm seriously considering switching to WASM or just abandoning my apps.

njhaveri, about 4 years ago
From personal experience, notarization hasn't really caused any friction in my dev process for Mimestream. The upload + server response usually only takes about a minute. Yeah, it's another thing to learn, but the process is pretty well-integrated into Xcode, and if you're building via script then it seems well-supported?

On the other hand, code signing is perennially confusing, and I wish the documentation was better.

dpatriarche, about 4 years ago
The notarization process is super painful, no doubt. I had originally written shell scripts to automate the process for my company, but recently switched to the excellent command line tool 'xcnotary' (https://github.com/akeru-inc/xcnotary). It's available through Homebrew.

nixpulvis, about 4 years ago
I wrote a little thing about signing and notarization recently. I don't harp on the details of the actual platform processes, because the argument is that even if the process was smooth, it's completely unacceptable.

https://nixpulvis.com/ramblings/2021-02-02-signing-and-notarizing

There *are* issues with the way we develop and distribute applications and software in general, but none of the major platforms are doing anything but extracting $$$ for themselves and tricking users into a false sense of security.

the_optimist, about 4 years ago
The administration around code signing and notarization for both Apple and Windows was huge (1.5 developer months from start to kinks-worked-out for an Electron app). Startup lessons learned: don't build desktop apps.

chrisallick, about 4 years ago
What a fantastic write up. So many of us are familiar with the "quirky" parts of the Apple development ecosystem and the self-gaslighting effect of trying to solve problems that are non-existent and yet persistent.

This really captured the constant "wtf" of building against the sloppy moving target.

But... it's still better than a lot of toolchains/ecosystems, and when it all does work, for 1 month a year lol, it's great!

_aleph2c_, about 4 years ago
Maybe Apple should hire Steve Ballmer, I hear he's available: https://www.youtube.com/watch?v=OHVhiybBb1U

threeseed, about 4 years ago
10.15 was released 18 months ago so I assume this article is from 2020.

The process has improved since then so not sure how much of this still applies.

api, about 4 years ago
All this code signing stuff is an admission of defeat. "Our OSes are insecure and we can't secure them, so fuck it."

Unix and VMS/NT, the two most popular kernel lineages, were both designed when computers were either isolated or connected to an Internet that was effectively an academic/government walled garden. They absolutely were not designed to deal with the present information war zone where everything is trying to spy/hack/ransomware you and every piece of code is guilty until proven innocent.

Since the Internet went mainstream we've been constantly stuffing wads of chewing gum into their many cracks, adding hack after hack to try to secure that which is not secure. Address layout randomization, pointer authentication hacks, stack canaries, clunky system call whitelisting solutions, trying to shoehorn BPF into a system call filtering role, leaky containers and sandboxes, and so on.

Code signing is an admission that none of those measures have worked.

A secure OS would be built from the ground up with security as a primary concern. It would be written in a safe language like Rust or perhaps even in a system that permits strong proofs of correctness. Every process would run with minimal required permissions. Everything everywhere would be authenticated. The user would have visibility into all this and would be able (if they desired) to control it, or they could rely on sets of sane defaults.

There'd be no need for code signing on such an OS. You could safely run anything and know it would not be able to access things you didn't grant it permission to access. The web JavaScript sandbox is the closest thing we have to that but it's extremely limited. By providing a Turing-complete sandbox that can be generally trusted to run code from anywhere, it does show that such a thing is possible.

(Mobile OSes look like they've kind of done this, but they haven't. They've just stuffed more chewing gum into the cracks in Unix and put a UI on top that hides it. They also "solve" the problem by nerfing everything.)

keeganj, about 4 years ago
Anyone think that users will eventually become desensitized to the "malicious software" popup? If the process is this complex and buggy I imagine a lot of developers simply won't bother with notarization. Eventually if enough legitimate apps don't bother the popup will become common, and users may be annoyed more by Apple than any particular app. Like how the "run as admin" prompt just became an extra automatic click to many users in Windows.

It's not like the big development shops that do take the time to get the notarization process working get a special green checkmark by their app. After the app has been launched the first time, it's back to an even playing field with the apps that didn't notarize.

pwinnski, about 4 years ago
If you're going to rant about details, it helps to actually get the details right.

For example, showing a screenshot that doesn't contain the word "malware" and then saying:

> Using my application name and the word "malware" in one sentence is suggestive and extremely offensive by Apple.

Does not fill me with much hope that the author is detail-oriented. I'll keep reading, and I know already that the notarizing process isn't smooth, but my "snowflake meter" is already in the yellow zone, and I've yet to reach the part of the essay labeled "Part 1"

makecheck, about 4 years ago
Yep. This focuses on the command line’s terrible error messages but the Xcode UI is bad too. Clicking through multiple steps, and for some reason non-standard “transparent buttons in list items” are used to reveal the “Export App” action you need to finally obtain a local notarized copy. Except those buttons will *not* appear after it is “done”; you have to switch to another target and then switch back to get the buttons to be clickable. I mean the whole process just screams “does anyone at Apple ever have to use this?”.

anonymouse008, about 4 years ago
Ha! Even though Notarizing was released in 2018, it's still too soon to discuss for me....

Try packaging a python interpreter with a ton of .so's and .dylibs with your .app and see how much hair you have left!

marcprux, about 4 years ago
My advice from years of notarizing my apps is to make sure you do it at least once per day for each of your apps. If you only notarize once every release (say, every month or so), you are almost guaranteed to encounter some new cryptic error that you've never seen before, either due to some glitch in signing your app or frameworks, or else some server-side error such as new terms & conditions that you are being "encouraged" to agree to. It will take you hours to research and resolve them if they aren't spotted right away.

As others pointed out, https://github.com/mitchellh/gon is a great tool for doing this on your local machine (e.g., with a cron job). In addition, if you are building your app using a GitHub action (which I highly recommend if it is open-source), you can use my https://github.com/hubomatic/hubomat action to package, notarize, and staple a release build in one shot. The sample/template app does this automatically on every commit as well as once per day: https://github.com/hubomatic/MicroVector/actions.

So when this fails from a scheduled job, you at least know that something has changed on the Apple side and can investigate that right away. And if it fails as a result of a commit, then at least you can start looking at what changes you may have made to your entitlements or code signing settings or embedded frameworks or any of the other million things that can cause it to fail.

GekkePrutser, about 4 years ago
I agree about notarisation, I think it's the wrong solution. It gives Apple too much insight in what applications are used on Macs. This is my business and mine alone. I don't want my Mac calling home with everything I open. Despite there being a way to turn it off.

I think simply spreading signatures of known malware for a local check would be a much better option.

However as a Mac enterprise admin I don't think the process is particularly difficult. When it came in I scripted it all once and that worked fine. Only issue is that sometimes it doesn't like if I make a PKG with a package from another supplier embedded in it. The problem is that I have to do that because some solutions have several packages that need to be installed in a particular order, and my MDM (MS Intune) does not provide a means by which to specify installation order. It just blasts all packages in a random order at the machines. So I re-package those. But anyway even that is not all that tough to get around.

ttoinou, about 4 years ago
For our small software company, notarization took at least 40 hours of additional work, and slows down releases.

Does anyone know if "stapling" the distributed bundles files (.app .pkg executable files etc.) is useful in any way?

hellow0rldz, about 4 years ago
Notarization is nothing except Apple making sure they have visibility into the tail end of their ecosystem.

Remember the days of Windows 95 when you could make an application, sell it to a person in your own town and nobody in the world knew?! Not anymore!

Now Apple *has* to know that *you* made an app and *get an exact copy* of it, just for safe-keeping.

joseluisq, about 4 years ago
FYI: The original title of the post is "The Gates to Hell: Apples Notarizing" evidencing the frustration involved with the notarization process and which now was relativised to just "Apple’s Notarizing".

maxwell, about 4 years ago
Apple devices are becoming increasingly unusable for developers.

Fantastic opportunity for Linux apps to gain more dev resources, as anyone with a bit of foresight sees little future in macOS, iOS, Windows, or Android as development platforms.

stephc_int13, about 4 years ago
Is Apple hostile towards developers?

Probably not, but it sometimes feels like it.

This is weird.

mattgreenrocks, about 4 years ago
I'm polishing up a macOS app for the store.

How much time should I expect to budget for the initial signing/notarizing/submission process?

NotChina, about 4 years ago
It does so because it can. Never understood the fans who never get fed up.

cblconfederate, about 4 years ago
The more tight grip the state has, the more bureaucracy it produces