"Notarized" Mac Apps

If any of you have been digging deeply into WWDC developer sessions, you may have heard that Apple is moving to “notarized” apps in the future. As I understand it, some future edition of Mac OS will only run an app if Apple has “notarized” it for your use, no matter from where the app was obtained. To be clear, even an app downloaded from the developer’s site has to be blessed by Apple to even run on your Mac. I’m sure this idea is for your “own good.”

If I’m understanding this correctly (chime in if I’m misinformed) this idea is unacceptable. Suppose you dig out your old camera and go to download the four-year-old driver for it. You can be sure it won’t be updated in order to be “notarized.” Your camera is now useless.

My question is: is M/S moving to this concept as well? I hope not. I need to be able to move to an OS I can actually use.

Conversation 4 comments

  • pderosa

    12 June, 2018 - 11:16 am

    I am not 100% certain that I am correct in what I am about to state, but I am very confident. Also, even if I'm correct, this could change between now and that future version of macOS.

    So there are "developer ID" apps and "non-developer ID" apps. If an app is developer ID it will have to be notarized in a future version of OS X to run UNLESS Gatekeeper is entirely disabled. If it is disabled you can do what you want. This also isn't going to impact stuff you compile on your own machine (it can't because it has to be compiled before it is notarized, and if it had to be notarized to run everybody would be sending Apple 6 debug builds an hour and that just isn't happening).

    So basically this is only going to bite you if you have Gatekeeper enabled and you want to sideload a developer-ID app that has not been notarized. When exactly is that realistically going to happen? I do a lot of unusual stuff with my computer and the only time I can see this causing me trouble is if I want to download a pre-compiled cross compiler from a third party. And I do that at most twice a year…so I don't think this is going to be a big deal.

    In your example the camera user may just have to choose between discarding some security and using the older camera software. Although Macs have pretty good built-in support for cameras.

    • jimchamplin

      Premium Member
      12 June, 2018 - 12:33 pm

      In reply to pderosa:

      This will not affect *nix software that runs on the console, so that compiler won't need anything if you run it from the command line. Console software is unable to access macOS Services and because of UNIX security, can't harm the system.

  • jimchamplin

    Premium Member
    12 June, 2018 - 11:18 am

    It's really no different than the "Authorized Developer" program currently in place. I've encountered maybe one or two applications that wouldn't run without me making a Gatekeeper exception.

    Of course, nothing will stop you from compiling MacPorts from source and installing things that way.

  • curtisspendlove

    12 June, 2018 - 12:28 pm

    There isn’t enough information yet to know what “notarized” means. Apple’s example is basically this is to checksum and malware scan apps (for instance, to prevent a few problems that happened in the last few years where someone was able to compromise download servers and inject binaries to infect popular apps).

    If those users had checksum verified the downloaded binaries before installing, they would have found they shouldn’t have installed the binaries. But hardly anyone does that.

    These are steps to protect the majority of people.

    I expect (and hope) Apple don’t make this mandatory, that there is a level of Gatekeeper that allows one to install anyway. But we don’t currently have information about what changes in Gatekeeper accompany this feature.

    I see this as part of a larger whole. I think there will be some fairly significant changes to the Xcode / App Store tooling to facilitate all of this fairly cleanly.

    I’m also guessing we'll have to wait for next year’s WWDC to hear much about it. I would imagine they’ll have narrative around this, “Marzipan”, and any other related changes.

    Edit: I’m an idiot. Missed the part that this is coming to Mojave. Haven’t had a chance to get it on a MacBook yet so I haven’t been able to play with it.

    They did say “eventually” when locking it down to notarized apps though, so I’m hoping we get some lead time.

    That said, the camera app concern mentioned above is “probably” okay. I would imagine they will somehow take that into account.

    I don’t see them fully locking down a Mac without the ability to reverse it. Even System Integrity Protection can be turned off.


Thurrott © 2024 Thurrott LLC