6 Replies
      Latest reply on Jun 15, 2018 5:06 PM by john daniel
      tartempion Level 1 Level 1 (10 points)

        Not sure to understand the interest of notarizations from some perspectives:

         

        - from an end-user perspective: if the "Dummy is an application downloaded from the Internet. Are you sure you want to open it?" dialog is still displayed, what's the point? Because this is the dialog itself that is annoying for 2 reasons:

         

        . the dialog is displayed even though the applications are codesigned.

        . the dialog steals the focus from the window hierarchy and never returns it correctly. Every single time.

         

        - from a security perspective: if the check is still only performed for downloads that have the quarantine flag set, then what kind of additional security is this adding? If I download a binary using curl, will Gatekeeper see anything?

        • Re: Notarization, what's the point?
          NoMAD-Dev Level 1 Level 1 (20 points)

          The additional security comes from the fact that an additional certificate is stapled to the DevID certificate and is periodically validated along with a "software ticket". This is sorta similar to what iOS does with PPQ when validating that apps are still valid.

           

          By using this system, in addition to your DevID, there is now granular control over what specific builds of the app can run. Think about the times when a specific build of an app has been compromised. (HandBrake and Transmission come to mind.) With a Notarized app there is the ability to revoke the one specific build that was compromised rather than everything signed with the DevID application certiicate.

          • Re: Notarization, what's the point?
            john daniel Level 3 Level 3 (270 points)

            I think it is mainly marketing. Customers don't really understand Gatekeeper or Developer ID. They will download and install anything from anyone, handing over their admin passwords whenever asked. Then, they'll take your binary and upload it to virus total, where a handful of those junk antivirus engines will flag it malware. Then your new "security researcher" will follow you around the internet telling people that your app is malware.

             

            This new Notarization feature is a welcome surprise. I will be able to tell people my app is "Notarized by Apple" and they will understand that better than "signed with my Apple Developer ID".

              • Re: Notarization, what's the point?
                NoMAD-Dev Level 1 Level 1 (20 points)

                Well, it’s an additional signing on the app on a per build basis. I can post more details when I get to the office and have a notarized app in front of me. Developer ID proves that you are an approved developer. App Notarization proves that this is an approved build of an app that Apple has validated as not containing malware. The only real indication to the user is that the Gatekeeper dialog has your actual app icon in it rather than the security icon.

                  • Re: Notarization, what's the point?
                    john daniel Level 3 Level 3 (270 points)

                    Yes, I know.

                     

                    But you are slipping up a bit there. Developer ID does not prove that you are an "approved" developer. There is no "approval" process. A Developer ID only means that you have given Apple USD $99 and haven't yet had your certificates revoked and your account closed.

                     

                    You are right about the Notarized app. It just means that Apple has scanned it for malware - nothing more. But that still has value.

                     

                    Personally, I am going to try to get the next version of my app in the Mac App Store. Then, in addition to a guarantee that I gave Apple USD $99 within the past year, haven't yet had my certificates revoked and my account closed, and that Apple didn't find any malware, customers can be assured that it is pretty likely that someone at Apple launched my app once, it didn't crash right away, and I wasn't obviously trying to scam Apple out of its 30% cut. End users, however, have a much different view of what the Mac App Store guarantees. I could try to explain it, but I would just confuse most of them and feed the conspiracy theories of the rest. I'll just sell software and take my 70%.