Is it required to notarize the package being installed by an installer on a dmg?

I have an app for which I use bitrock to generate an installer and then I put that into a disk image for distribution.


I do not upload my app for notarization before building the installer but I do notarize the disk image. This appears to be OK and the gatekeeper recognizes the installer and my app is installed.


Running 'spctl -a -vv' on the installed app indicates that everything is OK and if I start the app it starts without a problem, but I would have thought that since the app was not notarized that spctl would have reported a problem and gatekeeper would have complained when it was started.


Is my process OK or, dispite what spctl reports, I do in fact need to notarize the app be fore it is packaged by bitrock.



Barry

Answered by DTS Engineer in 405948022

OK. In that case things are probably not fine. Here’s what I recommend you do:

  1. Note down all the code in your product. If the code is in a bundle, use the root of the bundle, not bundle’s main executable.

  2. Get the cdhash for each of chunk of code:

    % codesign -d -vvv /path/to/your/code

    .

  3. Now package up your app with that third-party installer and notarise it as you described in your first post.

  4. Once notarisation is done, use

    --notarization-info
    to get a list of all the cdhashes that are included in your ticket. See my 23 Apr 2019 post on this thread for instructions.
  5. Now check that all the cdhashes from step 1 are included in the notarisation ticket you got in step 4. If they are, you’ll all good. If they’re not, you have a problem.

If it turns out you do have a problem, you’ll need to switch to two-stage notarisation. See the note about third-party installers in Customizing the Notarization Workflow.

Or just drop the third-party installer (-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Does bitrock create an Apple installer package? Or does it create use a custom installer format?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

It is a custom installer format.

Accepted Answer

OK. In that case things are probably not fine. Here’s what I recommend you do:

  1. Note down all the code in your product. If the code is in a bundle, use the root of the bundle, not bundle’s main executable.

  2. Get the cdhash for each of chunk of code:

    % codesign -d -vvv /path/to/your/code

    .

  3. Now package up your app with that third-party installer and notarise it as you described in your first post.

  4. Once notarisation is done, use

    --notarization-info
    to get a list of all the cdhashes that are included in your ticket. See my 23 Apr 2019 post on this thread for instructions.
  5. Now check that all the cdhashes from step 1 are included in the notarisation ticket you got in step 4. If they are, you’ll all good. If they’re not, you have a problem.

If it turns out you do have a problem, you’ll need to switch to two-stage notarisation. See the note about third-party installers in Customizing the Notarization Workflow.

Or just drop the third-party installer (-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the reply,


What you suggest is what I thought I may need to do which requires our automated build process to upload 2 separate packages to Apple and wait on each of them to be notarized before completing the build. Depending on how fast the network is and how long the notarization takes it will add a significant amount of time to the build process. Our build process builds a lot of different apps so this is painful.


We may consider using a standard installer.


The thing that still puzzles me is why the gatekeeper doesn't complain about the un notarized app when it starts. Any ideas as to why that may be?

why … gatekeeper doesn't complain about the un notarized app when it starts

This is probably an artefact of your installation process. You notarise the disk image, which creates a ticket for the disk image itself and the custom installer app, but not the contents of the custom installer app. So the user can mount the disk image and run the custom installer app. When the customer installer app writes its contents to disk, it doesn’t put it in quarantine, and thus Gatekeeper never looks at it. And no Gatekeeper (currently) means no notarisation check.

Try doing this: Install your app and then use AirDrop to share it with another Mac. This will quarantine the app, at which point Gatekeeper will be invoked and it’ll do the notarisation check, which will fail.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the explanation.


Doesn't that mean that so long as the user installs our app using the notarized installer then the app itself doesn't need to be notarized since it will not be marked as quarantined? (Assuming they do not try to distribute the unpacked app itself over the network.)


This kind of points to a hole in the security provided by notarization and the gatekeeper. An evil person can wrap their virus infected app in an installer which hides the virus and have the installer notarized so that the actual virus is installed undetected.


The only way to protect against this would be to mark anything created by a quarantined app as quarantined.

This has been a known security flaw of Gatekeeper since the beginning. It relied on the quarantine flag. So if you downloaded an archive or binary with curl, Gatekeeper did not see it.


But… at WWDC 2019, IIRC, it was said that the checks would be performed even if the quarantine flag is not set and that checks could be performed after the first launch of the application.


Check Session 701. If checking the Slides, check pages 23 and later.

Thanks for the reply,


Yes that would make the hole in the security smaller but it still wouldn't prevent an installer from placing an infected file onto the machine that would do something nasty when opened by a trusted app.


Making something secure while allowing it to still be usable is not easy. 🙂

Doesn't that mean that so long as the user installs our app using the notarized installer then the app itself doesn't need to be notarized since it will not be marked as quarantined?

Yes, as things currently stand. Let me be frank… Relying on that would be a mistake. While Apple has not made any specific announcements in this regards, our guidance is very clear: All the code you ship should be covered by a notarisation ticket.

This kind of points to a hole in the security provided by notarization and the gatekeeper.

I’m not going to comment on this particular thought experiment but I agree that, in general, macOS needs further hardening. Hence my comment above.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
Is it required to notarize the package being installed by an installer on a dmg?
 
 
Q