      Latest reply on Jun 4, 2019 3:44 PM by rtrouton
      rtrouton Level 1 (0 points)

        What is Notarization?

         

         

        Identify and block malicious software before distribution.

        Developer ID program extension

        Developers control the process of sending apps through the Notarization process.

         

         

        Notarization is _not_ app review.

        It's an automated set of security scans.

         

         

        Notarization benefits:

         

        Apps with hardened runtimes are more secure by default

        Help prevent apps from shipping with malicious dependencies

         

         

        App requirements:

         

        Previously signed software can be submitted for notarization as-is.

        Apps submitted after June 1st 2019

        - Must be correctly signed with Developer ID Application certificate

        - Must have hardened runtimes

         

        Installers must be signed with Developer ID Installer certificate

         

         

        Hardened runtime does not allow an app to have a debugger attached. The "com.apple.security.get-task-allow" entitlement allows a debugger to work with a hardened runtime.

         

         

        Protected resource access

         

        App needs to declare its intent to access protected resources (protected resources are those covered by User Privacy Protections.)

         

        Only take the required entitlements you need to successfully notarize your app. A least-privilege approach is the best approach.

         

         

        Stapling:

         

        You can staple an installer package and disk image directly

        If notarization used a zip file, the app bundle needs to be unzipped and then the app bundle can be stapled.

         

         

        Summary:

         

         

        Sign your software properly

        Don't take hardened runtime entitlements which you don't need.

        Sign and notarize all your apps so that they'll work properly on macOS Catalina.
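
The notes above say to take only the entitlements an app needs; one way to check that before submitting for notarization is to audit the entitlements plist against an allowlist. This is an added example, not part of the original post: the function name `audit_entitlements`, the `justified` allowlist and the sample plist are assumptions made for illustration, and the entitlement keys other than `com.apple.security.get-task-allow` come from Apple's documented hardened runtime keys rather than from the post.

```python
import plistlib

# Hardened runtime exceptions: each one relaxes a runtime protection.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.debugger",
}
# Protected resource declarations (data covered by user privacy protections).
RESOURCE_ACCESS = {
    "com.apple.security.device.camera",
    "com.apple.security.device.audio-input",
    "com.apple.security.personal-information.location",
    "com.apple.security.automation.apple-events",
}
DEBUG_ONLY = "com.apple.security.get-task-allow"

# Constructed sample entitlements file for a hypothetical app.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.get-task-allow</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-jit</key><false/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""

def audit_entitlements(plist_bytes, justified):
    """Return (key, reason) for enabled entitlements not in the allowlist."""
    ents = plistlib.loads(plist_bytes)
    findings = []
    for key, value in sorted(ents.items()):
        if value is not True:
            continue  # entitlements set to false grant nothing
        if key == DEBUG_ONLY:
            findings.append((key, "debugger attach enabled; remove for release"))
        elif key in justified:
            continue  # the team has recorded why the app needs this one
        elif key in RUNTIME_EXCEPTIONS:
            findings.append((key, "hardened runtime exception not justified"))
        elif key in RESOURCE_ACCESS:
            findings.append((key, "protected resource access not justified"))
    return findings

if __name__ == "__main__":
    for key, reason in audit_entitlements(SAMPLE, {"com.apple.security.device.camera"}):
        print(f"{key}: {reason}")
```

Keys outside the three sets (for example sandbox entitlements) are ignored by this check, so it complements a manual review of the entitlements file and does not replace it.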