notarization needs for build pipeline
So I want to expand upon why this is critically important, as notarization does far more than simply check for codesigning.

It checks the SDK version
It checks for secure time stamp
It checks for malware
It checks for runtime hardening
And yes, it checks for codesigning

It also walks every compressed file, such as jars, and jars within jars, and even jars within jars within jars, to search for any code files.

It's not as simple as just signing/hardening my build and running tests, and if everything passed, I just notarize it.

As indicated, complex apps use dozens of 3rd party libraries. I could sign/harden everything, run tests and pass, and absolutely fail notarization because of a 3rd party library that doesn't meet one of the requirements above.

The simplest way to do that is of course to submit it for notarization. But do I actually want to create a notarization record for that 3rd party using my credentials? Uh, no. Do I want to wait until I'm ready to release before I discover that a 3rd party library I rely upon that I took a security fix is missing codesigning? Or that it has some identified malware? Or they had a regression in their pipeline and it isn't built against the correct SDK?

No.

As I said, it is really unreasonable if Apple expects every enterprise developer to build an internal system that attempts to do what notarization does.
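As an added example (not code from the post above or from Apple), here is the kind of pre-submission check a build pipeline can run on a third-party jar: walk the archive, including jars nested inside jars, and list every embedded Mach-O so each one can be fed to codesign before anything is sent to the notary service. The sample jar and its contents are constructed inline, and the CAFEBABE disambiguation between fat Mach-O and Java class files is a heuristic, not Apple's own logic.

```python
from __future__ import annotations
import io
import struct
import zipfile

# Mach-O magic numbers: thin 32/64-bit in both byte orders, plus the fat header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"
ARCHIVE_SUFFIXES = (".jar", ".zip", ".war", ".ear")

def is_macho(header: bytes) -> bool:
    """True if the first 8 bytes look like Mach-O. Heuristic: CAFEBABE is also the Java
    class magic, so accept it only when nfat_arch is small (class major_version >= 45)."""
    if header[:4] in MACHO_MAGICS:
        return True
    if header[:4] == FAT_MAGIC and len(header) >= 8:
        return struct.unpack(">I", header[4:8])[0] < 20
    return False

def find_native_code(data: bytes, name: str, found: list[str] | None = None) -> list[str]:
    """Record `name` if it is Mach-O; if it is a zip-style archive, recurse into members."""
    if found is None:
        found = []
    if is_macho(data[:8]):
        found.append(name)
    elif name.lower().endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if not member.is_dir():
                    find_native_code(zf.read(member), f"{name}!/{member.filename}", found)
    return found

def _jar(members: dict[str, bytes]) -> bytes:
    """Build an in-memory jar from {member name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

def sample_library_jar() -> bytes:
    """Constructed 3rd-party jar: a Java class, a text resource, native code two jars deep."""
    java_class = FAT_MAGIC + struct.pack(">HH", 0, 52) + b"\x00" * 8
    dylib64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    fat_binary = FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 8
    innermost = _jar({"native/libdeep.dylib": fat_binary})
    inner = _jar({"lib/libjni.dylib": dylib64, "vendor/deep.jar": innermost})
    return _jar({"com/Example.class": java_class, "README.txt": b"text only",
                 "lib/native.jar": inner})
```

Each path returned by `find_native_code` is a candidate for the codesign, hardened-runtime and timestamp checks the notary service will apply, so a failure surfaces in CI rather than at release time.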