Is it required to notarize the package being installed by an installer on a dmg?

I have an app for which I use bitrock to generate an installer and then I put that into a disk image for distribution.


I do not upload my app for notarization before building the installer but I do notarize the disk image. This appears to be OK and the gatekeeper recognizes the installer and my app is installed.


Running 'spctl -a -vv' on the installed app indicates that everything is OK and if I start the app it starts without a problem, but I would have thought that since the app was not notarized that spctl would have reported a problem and gatekeeper would have complained when it was started.


Is my process OK or, despite what spctl reports, do I in fact need to notarize the app before it is packaged by bitrock?



Barry


Replies

Does bitrock create an Apple installer package? Or does it use a custom installer format?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

It is a custom installer format.

OK. In that case things are probably not fine. Here’s what I recommend you do:

  1. Note down all the code in your product. If the code is in a bundle, use the root of the bundle, not the bundle’s main executable.

  2. Get the cdhash for each chunk of code:

    % codesign -d -vvv /path/to/your/code

  3. Now package up your app with that third-party installer and notarise it as you described in your first post.

  4. Once notarisation is done, use --notarization-info to get a list of all the cdhashes that are included in your ticket. See my 23 Apr 2019 post on this thread for instructions.

  5. Now check that all the cdhashes from step 1 are included in the notarisation ticket you got in step 4. If they are, you’re all good. If they’re not, you have a problem.

If it turns out you do have a problem, you’ll need to switch to two-stage notarisation. See the note about third-party installers in Customizing the Notarization Workflow.

Or just drop the third-party installer (-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
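As an added example, not code from Quinn's reply or from Apple's tooling: a small Python audit that carries out steps 2, 4 and 5 above. It parses the `CDHash=` lines that `codesign -d -vvv` prints, reads the cdhashes out of the notarization log that `--notarization-info` points at, and reports every code object the ticket does not cover. The codesign output and log JSON below are constructed samples, and the log's shape (a `ticketContents` array whose entries carry a `cdhash` key) is an assumption; `cdhashes_for()` shells out to the real `codesign` and only works on macOS.

```python
"""Audit whether every cdhash in a product is covered by its notarization ticket.

Added example; not Apple's tooling and not code from the thread. The parsing
functions run offline on the constructed samples below. cdhashes_for() shells
out to the real codesign on macOS; the notarization log is assumed to be the
JSON file that --notarization-info's LogFileURL points at, with a
"ticketContents" array whose entries carry a "cdhash" key (assumption).
"""
import json
import re
import subprocess
from typing import Dict, Set

# codesign -d -vvv prints a "CDHash=<40 hex chars>" line for the code object
# it inspected; "CandidateCDHash sha256=..." lines are deliberately not matched.
CDHASH_RE = re.compile(r"^CDHash=([0-9A-Fa-f]{40})$", re.MULTILINE)


def parse_cdhashes(codesign_output: str) -> Set[str]:
    """Return every CDHash value found in codesign -d -vvv output, lower-cased."""
    return {m.group(1).lower() for m in CDHASH_RE.finditer(codesign_output)}


def cdhashes_for(path: str) -> Set[str]:
    """macOS only: run codesign on a real path (codesign reports on stderr)."""
    proc = subprocess.run(["codesign", "-d", "-vvv", path],
                          capture_output=True, text=True, check=False)
    return parse_cdhashes(proc.stderr + proc.stdout)


def ticket_cdhashes(log_json: str) -> Set[str]:
    """Collect the cdhashes listed under ticketContents in a notarization log."""
    data = json.loads(log_json)
    return {e["cdhash"].lower() for e in data.get("ticketContents", []) if "cdhash" in e}


def find_uncovered(product: Dict[str, Set[str]], ticket: Set[str]) -> Dict[str, Set[str]]:
    """Map each code path to the cdhashes the ticket lacks; an empty dict means all covered."""
    return {path: hashes - ticket for path, hashes in product.items() if hashes - ticket}


# --- constructed samples (not real output) ---
SAMPLE_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d
Hash choices=sha256
CDHash=0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d
Signature size=8980
Authority=Developer ID Application: Example Corp (TEAMID0000)
"""

SAMPLE_LOG = json.dumps({
    "status": "Accepted",
    "ticketContents": [
        {"path": "Example.dmg", "cdhash": "1111111111111111111111111111111111111111"},
        {"path": "Example.dmg/Installer.app/Contents/MacOS/Installer",
         "cdhash": "2222222222222222222222222222222222222222"},
        {"path": "Example.dmg/Installer.app/Contents/Resources/Example.app/Contents/MacOS/Example",
         "cdhash": "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d"},
    ],
})

# Steps 1 and 2 of the reply: every code object in the product and its cdhash(es).
# The helper tool's hash is constructed so that the ticket does not contain it.
SAMPLE_PRODUCT = {
    "/Applications/Example.app": parse_cdhashes(SAMPLE_CODESIGN),
    "/Applications/Example.app/Contents/Helpers/helper":
        {"ffffffffffffffffffffffffffffffffffffffff"},
}


def audit_sample() -> Dict[str, Set[str]]:
    """Step 5 of the reply on the constructed data: the helper tool is not in the ticket."""
    return find_uncovered(SAMPLE_PRODUCT, ticket_cdhashes(SAMPLE_LOG))


if __name__ == "__main__":
    for path, missing in audit_sample().items():
        print(f"NOT COVERED: {path} -> {sorted(missing)}")
```

On a real build, replace `SAMPLE_PRODUCT` with `{path: cdhashes_for(path) for path in your_code_paths}` and `SAMPLE_LOG` with the downloaded log; a universal binary has one cdhash per architecture slice, so run `codesign` per architecture (`-a`) if you need all of them in the set.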

Thanks for the reply,


What you suggest is what I thought I may need to do which requires our automated build process to upload 2 separate packages to Apple and wait on each of them to be notarized before completing the build. Depending on how fast the network is and how long the notarization takes it will add a significant amount of time to the build process. Our build process builds a lot of different apps so this is painful.


We may consider using a standard installer.


The thing that still puzzles me is why the gatekeeper doesn't complain about the un-notarized app when it starts. Any ideas as to why that may be?

why … gatekeeper doesn't complain about the un notarized app when it starts

This is probably an artefact of your installation process. You notarise the disk image, which creates a ticket for the disk image itself and the custom installer app, but not the contents of the custom installer app. So the user can mount the disk image and run the custom installer app. When the custom installer app writes its contents to disk, it doesn’t put it in quarantine, and thus Gatekeeper never looks at it. And no Gatekeeper (currently) means no notarisation check.

Try doing this: Install your app and then use AirDrop to share it with another Mac. This will quarantine the app, at which point Gatekeeper will be invoked and it’ll do the notarisation check, which will fail.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
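Added example, not code from the thread or from Apple: a way to see the quarantine gap Quinn describes on your own installed product. `read_quarantine()` asks the real `xattr` tool for `com.apple.quarantine` (macOS only); `parse_quarantine()` and `audit_tree()` run anywhere and are exercised here on constructed values. The attribute format assumed is semicolon-separated fields of hex flags, hex Unix download time, the agent name and an optional UUID.

```python
"""Does an installed file carry com.apple.quarantine, so Gatekeeper will assess it?

Added example, not code from the thread or from Apple. read_quarantine() uses
the real xattr tool and only works on macOS; parse_quarantine() and audit_tree()
run anywhere. Assumption about the attribute format: semicolon-separated
fields of hex flags, hex Unix time of download, the agent name, and an
optional UUID (for example "0083;5f4e3a2b;Safari;<UUID>").
"""
import subprocess
from typing import Callable, Dict, List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> Dict[str, object]:
    """Split a quarantine attribute value into its fields; raises on malformed input."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": int(parts[1], 16),   # Unix seconds
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 and parts[3] else None,
    }


def read_quarantine(path: str) -> Optional[str]:
    """macOS only: return the raw attribute value, or None when the file has none."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True, check=False)
    value = proc.stdout.strip()
    return value if proc.returncode == 0 and value else None


def audit_tree(paths: List[str], reader: Callable[[str], Optional[str]]) -> List[str]:
    """Return the paths that carry no quarantine attribute; Gatekeeper never assesses those."""
    return [p for p in paths if reader(p) is None]


# Constructed sample: the disk image was downloaded by a browser (quarantined), but
# the files the custom installer wrote into /Applications were not.
SAMPLE_XATTRS: Dict[str, Optional[str]] = {
    "/Users/me/Downloads/Example.dmg":
        "0083;5f4e3a2b;Safari;11111111-2222-3333-4444-555555555555",
    "/Applications/Example.app": None,
    "/Applications/Example.app/Contents/MacOS/Example": None,
}


def unquarantined_sample() -> List[str]:
    """Run the audit over the constructed sample instead of a live file system."""
    return audit_tree(list(SAMPLE_XATTRS), SAMPLE_XATTRS.get)


if __name__ == "__main__":
    for p in unquarantined_sample():
        print("not quarantined, Gatekeeper will not assess:", p)
```

To check a real install, walk the bundle with `os.walk` and pass `read_quarantine` as the reader; any path it lists is one Gatekeeper will skip, which is exactly why the thread's advice is to have every code object covered by a ticket regardless.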

Thanks for the explanation.


Doesn't that mean that so long as the user installs our app using the notarized installer then the app itself doesn't need to be notarized since it will not be marked as quarantined? (Assuming they do not try to distribute the unpacked app itself over the network.)


This kind of points to a hole in the security provided by notarization and the gatekeeper. An evil person can wrap their virus infected app in an installer which hides the virus and have the installer notarized so that the actual virus is installed undetected.


The only way to protect against this would be to mark anything created by a quarantined app as quarantined.

This has been a known security flaw of Gatekeeper since the beginning. It relied on the quarantine flag. So if you downloaded an archive or binary with curl, Gatekeeper did not see it.


But… at WWDC 2019, IIRC, it was said that the checks would be performed even if the quarantine flag is not set and that checks could be performed after the first launch of the application.


Check Session 701. If checking the Slides, check pages 23 and later.

Thanks for the reply,


Yes that would make the hole in the security smaller but it still wouldn't prevent an installer from placing an infected file onto the machine that would do something nasty when opened by a trusted app.


Making something secure while allowing it to still be usable is not easy. 🙂

Doesn't that mean that so long as the user installs our app using the notarized installer then the app itself doesn't need to be notarized since it will not be marked as quarantined?

Yes, as things currently stand. Let me be frank… Relying on that would be a mistake. While Apple has not made any specific announcements in this regards, our guidance is very clear: All the code you ship should be covered by a notarisation ticket.

This kind of points to a hole in the security provided by notarization and the gatekeeper.

I’m not going to comment on this particular thought experiment but I agree that, in general, macOS needs further hardening. Hence my comment above.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"