Is it required to notarize the package being installed by an installer on a dmg?

Does bitrock create an Apple installer package? Or does it create use a custom installer format?

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

It is a custom installer format.

OK. In that case things are probably not fine. Here’s what I recommend you do:

1. Note down all the code in your product. If the code is in a bundle, use the root of the bundle, not bundle’s main executable.

2. Get the cdhash for each of chunk of code:

   % codesign -d -vvv /path/to/your/code

   .

3. Now package up your app with that third-party installer and notarise it as you described in your first post.

4. Once notarisation is done, use

   --notarization-info

   to get a list of all the cdhashes that are included in your ticket. See my 23 Apr 2019 post on this thread for instructions.

5. Now check that all the cdhashes from step 1 are included in the notarisation ticket you got in step 4. If they are, you’ll all good. If they’re not, you have a problem.

If it turns out you do have a problem, you’ll need to switch to two-stage notarisation. See the note about third-party installers in Customizing the Notarization Workflow.

Or just drop the third-party installer (-:

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the reply,

What you suggest is what I thought I may need to do which requires our automated build process to upload 2 separate packages to Apple and wait on each of them to be notarized before completing the build. Depending on how fast the network is and how long the notarization takes it will add a significant amount of time to the build process. Our build process builds a lot of different apps so this is painful.

We may consider using a standard installer.

The thing that still puzzles me is why the gatekeeper doesn't complain about the un notarized app when it starts. Any ideas as to why that may be?

why … gatekeeper doesn't complain about the un notarized app when it starts

This is probably an artefact of your installation process. You notarise the disk image, which creates a ticket for the disk image itself and the custom installer app, but not the contents of the custom installer app. So the user can mount the disk image and run the custom installer app. When the customer installer app writes its contents to disk, it doesn’t put it in quarantine, and thus Gatekeeper never looks at it. And no Gatekeeper (currently) means no notarisation check.

Try doing this: Install your app and then use AirDrop to share it with another Mac. This will quarantine the app, at which point Gatekeeper will be invoked and it’ll do the notarisation check, which will fail.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the explanation.

Doesn't that mean that so long as the user installs our app using the notarized installer then the app itself doesn't need to be notarized since it will not be marked as quarantined? (Assuming they do not try to distribute the unpacked app itself over the network.)

This kind of points to a hole in the security provided by notarization and the gatekeeper. An evil person can wrap their virus infected app in an installer which hides the virus and have the installer notarized so that the actual virus is installed undetected.

The only way to protect against this would be to mark anything created by a quarantined app as quarantined.

This has been a known security flaw of Gatekeeper since the beginning. It relied on the quarantine flag. So if you downloaded an archive or binary with curl, Gatekeeper did not see it.

But… at WWDC 2019, IIRC, it was said that the checks would be performed even if the quarantine flag is not set and that checks could be performed after the first launch of the application.

Check Session 701. If checking the Slides, check pages 23 and later.

Thanks for the reply,

Yes that would make the hole in the security smaller but it still wouldn't prevent an installer from placing an infected file onto the machine that would do something nasty when opened by a trusted app.

Making something secure while allowing it to still be usable is not easy. 🙂

Doesn't that mean that so long as the user installs our app using the notarized installer then the app itself doesn't need to be notarized since it will not be marked as quarantined?

Yes, as things currently stand. Let me be frank… Relying on that would be a mistake. While Apple has not made any specific announcements in this regards, our guidance is very clear: All the code you ship should be covered by a notarisation ticket.

This kind of points to a hole in the security provided by notarization and the gatekeeper.

I’m not going to comment on this particular thought experiment but I agree that, in general, macOS needs further hardening. Hence my comment above.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"