Does Apple really want to take the time to notarize these?
If someone swaps out a hard drive will I have to wait a few days after changing the script to get it back from the notarization bureau?
These questions make me think that you’re confusing notarisation and App Review. Notarisation is an entirely mechanical process. If it takes “a few days” then something has gone horribly wrong at our end. In my experience, notarising a small app takes a few minutes.
Share and Enjoy
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
For OP’s benefit:
developer [dot] apple [dot] com/documentation/security/notarizing_your_app_before_distribution
App Notarization is akin to the customs inspector asking you to confirm you packed your own luggage before performing a cursory search.
I don’t imagine AN can prevent apps burying malicious code under encryption/obfuscation, or freely downloading and executing it at runtime. But at least it provides a direct paper trail back to the original developer that should allow Apple to revoke that developer’s ID and update Gatekeeper to block all their apps from running once that malfeasance is publicly noticed and reported.
How did you notarize your app?
I have not been able to successfully complete the notarization process because stapling the notarization always fails.
That is to say, following instructions on DerFlounder for automator apps I:
- successfully code signed the app
- successfully notarized the app and received the email from Apple that I could begin distributing
However, when I try to staple the valid notarization to the app I get an error 65:
xcrun stapler staple "/Volumes/HardDrive/MyApp.app"
CloudKit query for MyApp.app (2/936578f9cf6dff6314bdebeba427cac9dab3f7e8) failed due to “record not found”.
Could not find base64 encoded ticket in response for 2/936578f9cf6dff6314bdebeba427cac9dab3f7e8
The staple and validate action failed! Error 65.
I filed a bug report with Apple a few days ago but haven't heard anything back as yet.
To answer my own question:
Instead of submitting a .zip to get notarized it is necessary to upload a signed .dmg
(doesn't have to be a hardened signing).
Then you can staple the successfully notarized DMG.
I am guessing this is because you are notarizing the delivery method and signing the actual app.
If you were making these changes directly on the customer's machine, then you should be able to continue to do that. The changes coming for 10.14.5 only apply to publicly distributed apps that are downloaded from the internet. If you create an app on a customer's machine, then you will not be setting the quarantine flags, and Gatekeeper will ignore it. Therefore, you do not have to notarize or even sign these apps.
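The quarantine point in the reply above can be checked on a given bundle. As an added example (not from the thread or from Apple), this Python code parses the value of the `com.apple.quarantine` extended attribute and reports whether Gatekeeper would look at the app; the field layout (`flags;hex timestamp;agent;UUID`), the 0x0040 "user approved" bit and all sample values are assumptions based on commonly observed values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"
# Assumption: bit 0x0040 is set once the user has approved the first launch.
USER_APPROVED = 0x0040


@dataclass
class Quarantine:
    flags: int
    stamped: datetime
    agent: str
    event_id: str

    @property
    def user_approved(self) -> bool:
        return bool(self.flags & USER_APPROVED)


def parse_quarantine(raw: bytes) -> Quarantine:
    """Parse 'flags;hex-epoch;agent;event-uuid'; trailing fields may be absent."""
    text = raw.rstrip(b"\x00").decode("utf-8", errors="replace")
    parts = (text.split(";", 3) + ["", "", ""])[:4]
    try:
        flags = int(parts[0], 16)
        stamped = datetime.fromtimestamp(int(parts[1] or "0", 16), tz=timezone.utc)
    except ValueError as exc:
        raise ValueError(f"malformed quarantine value: {text!r}") from exc
    return Quarantine(flags, stamped, parts[2], parts[3])


def gatekeeper_triage(xattrs: dict) -> str:
    """Classify a bundle from its extended attributes (name -> raw bytes)."""
    raw = xattrs.get(QUARANTINE_XATTR)
    if raw is None:
        # Matches the reply above: no quarantine flag, so Gatekeeper ignores it.
        return "not quarantined: Gatekeeper ignores it"
    q = parse_quarantine(raw)
    state = "already approved by user" if q.user_approved else "first-launch check pending"
    return f"quarantined by {q.agent or 'unknown'} on {q.stamped:%Y-%m-%d}: {state}"


# Constructed sample attribute sets, not taken from a real machine.
DOWNLOADED = {QUARANTINE_XATTR: b"0083;5cd0a1f0;Safari;11111111-2222-3333-4444-555555555555"}
BUILT_LOCALLY = {"com.apple.FinderInfo": b"\x00" * 32}
```

On macOS the raw value for a bundle can be read with `xattr -p com.apple.quarantine /path/to/MyApp.app` and passed to `parse_quarantine`.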