[You’ve already seen most of these answers but I’m happy to post them here for the benefit of others.]
1. Will binaries that have been previously allowed to run via the workaround (going into security and privacy and allowing the app to run) continue to run past January 2020, or will they just cease to work?
I presume your concern regarding “January 2020” is related to the Notarizing Your Mac Software for macOS Catalina developer news article.
If so, I think you have the wrong end of the stick here. That article is about a temporary change to the notary service (it’s currently running in ‘treat errors as warnings’ mode) and we expect to undo that change in Jan 2020 (that is, revert it back to treating errors as errors). This only affects the notary service; it has no impact on macOS itself.
2. During our tests on the latest version of Catalina, only unsigned/unnotarized software downloaded directly via web browsers result in the gatekeeper error. If we download the software using
curl
or
wget
, we have no trouble running it and see no gatekeeper errors.
This is because command-line tools like
curl
do not quarantine what they download, and thus Gatekeeper is not invoked when you run the tool.
If we download via a web browser and then use
unzip
via the cmd line, we also see no gatekeeper error.
Right. The
unzip
command-line tool is like
curl
. It knows nothing about quarantine.
If you unzip by double clicking the zip archive in the Finder, you’ll find that the Archive Utility acts like a quarantine pass through:
If the archive is quarantined, unpacking the archive will result in quarantined items.
If the archive is not quarantined, unpacking the archive will result in non-quarantined items.
As
curl
creates a non-quarantined archive, unpacking that archive results in a non-quarantined tool, at which point running the tool does not invoke Gatekeeper.
Will this behavior continue after January 2020?
As I mentioned above, the change scheduled for Jan 2020 relates to the notary service and has nothing to do with macOS.
As to whether this will ever change, I can’t give you a guarantee on that front. Currently macOS does not require notarisation for non-quarantined executables, but it’s not hard to imagine it requiring that at some point in the future. However, we’ve not announced any specific plans along those lines.
3. Some of our signed/notarized software (go binaries) downloads and invokes other software (also go binaries). Do these need to be signed/notarized too?
That depends on whether they are quarantined, as I’ve discussed above.
4. Is there a preview version of OSX that we can try out that contains everything that will be released in January 2020?
This question doesn’t make any sense given my explanation above.
In general, you can get beta releases of macOS from the developer downloads page, and I encourage you to test your product with all such beta releases. Indeed, we just started seeding 10.15.3 beta.
I want to close out with this comment by john daniel:
Have you considered just notarizing your code? Wouldn't that take away all the January 2020 guesswork?
Exactly. Rather than worrying about all of these details, the best way forward here is to:
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
ps DTS is closed 21 Dec through 1 Jan.
