6 Replies
      Latest reply on May 17, 2019 3:08 PM by eskimo
      bjb Level 1 (0 points)

        I think I understand notarization:

        • It sends the binary to Apple
        • Apple performs automatic verification
        • If verification succeeds, (and perhaps this is the wrong terminology) a Notarization Ticket is stored on Apple's servers
        • When an end user goes to use the Notarized Binary, macOS requests a Notarization Ticket for the binary, and if this succeeds, then all is good. This, of course, requires a network connection on the end user's machine when the binary is (first?, always?) accessed. It seems pretty clear from the staple tool that the ticket is cached locally, so while it may be verified every time, it only needs to be downloaded once.
        • Stapling is a post-process step that downloads the Notarization Ticket and attaches it to the binary (before distribution) so that the end user's machine can verify the Notarization without a network connection back to Apple being available at all.

        As of 10.14.5, kexts MUST be notarized in order to be loaded. Again, it is not clear if this verification is on every load, or only the first load.

        Now, you can staple binaries, and you can also staple the flat .pkg that is used to distribute them.

        The question that I am unclear on is:

        If I package my kext in a flat installer .pkg, and then submit the .pkg for Notarization, the Notarization service notarizes both the .pkg and the kext.

        If I staple the .pkg, does the Notarization Ticket that is stapled to the .pkg include the Notarization Ticket for the kext, or does the kext need to be stapled separately?

        If it does need to be stapled separately, then I would need to rebuild the .pkg after stapling, which would invalidate the Notarization Ticket for the .pkg. So that would imply that I would have to re-notarize the pkg, and then staple the pkg.

        TLDR:

        Is the process (option 1):

        1. Create kext
        2. Create pkg
        3. Notarize pkg
        4. Staple pkg

        or does it have to be (option 2):

        1. Create kext
        2. Notarize kext
        3. Staple kext
        4. Create pkg
        5. Notarize pkg
        6. Staple pkg

        Obviously, option 1 is more appealing if it works.

        • Re: Stapling a flat pkg that installs a kext
          eskimo Apple Staff (11,265 points)

          TLDR:

          Assuming that you’re distributing your KEXT solely via that .pkg, option 1 is fine.

          That’s not right; see my clarification below.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Stapling a flat pkg that installs a kext
              bjb Level 1 (0 points)

              Ok - thank you for the confirmation; that definitely simplifies the deployment process.

              • Re: Stapling a flat pkg that installs a kext
                tartempion Level 1 (10 points)

                According to the release notes for Beta 5, this does not work because of problem ID: 50205533

                The description is a bit opaque in the release notes:

                "The system fails to register tickets stapled to installer packages not scanned by Gatekeeper, which causes newly installed kernel extensions to fail to load if Internet access isn’t available. This can occur if a user launches installation from a local folder or an enterprise uses automated tools to deploy an installer. This issue doesn’t affect stapled disk images, apps, or kext bundles."

                - What difference is there between a kext extension and a kext bundle?

                - Is there official documentation that states that you only need to notarize and staple a package (flat or distribution) to propagate the notarization to the components inside the payload(s)?

                  • Re: Stapling a flat pkg that installs a kext
                    eskimo Apple Staff (11,265 points)

                    According to the release notes for Beta 5, this does not work …

                    Indeed.  Option 1 is the way things are supposed to work, and it works for most items, but not for KEXTs )-:  For a KEXT, for the moment, you can use option 2.  Sorry about the misinformation.

                    Note that you don’t have to notarise everything inside your package, just the KEXT and then the package itself.

                    What difference is there between a kext extension and a kext bundle?

                    I don’t think there is one.  KEXTs use a bundle format, and thus it’s not uncommon to refer to them as a KEXT bundle.

                    Is there official documentation that states that you only need to notarize and staple a package (flat or distribution) to propagate the notarization to the components inside the payload(s)?

                    No, but please do file a bug against the documentation requesting that it cover this point.

                    Share and Enjoy

                    Quinn “The Eskimo!”
                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                    let myEmail = "eskimo" + "1" + "@apple.com"
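Option 2 from the thread (notarize and staple the KEXT, then build, notarize and staple the package around it), written out as a script. This is an added example, not code from the thread or from Apple; it uses `notarytool`, the current replacement for the `altool` workflow the thread dates from, and the paths, bundle identifier, signing identity and keychain profile name are placeholders.

```shell
#!/bin/sh
# Option 2: the KEXT gets its own ticket stapled into the bundle before the
# package is built, so the kext still verifies offline even when the package
# ticket is not registered (the Beta 5 issue quoted above).
# Placeholders: a Developer ID signed Foo.kext, a Developer ID Installer
# identity, and a notarytool keychain profile made with `store-credentials`.
set -eu

KEXT="${KEXT:-build/Foo.kext}"                    # already codesigned
PKG_ID="${PKG_ID:-com.example.foo.kext}"          # placeholder identifier
INSTALLER_ID="${INSTALLER_ID:-Developer ID Installer: Example Corp (TEAMID)}"
PROFILE="${PROFILE:-notary}"                      # notarytool keychain profile
OUT="${OUT:-build/Foo.pkg}"

# Submit one item and wait for the verdict. notarytool takes .zip/.dmg/.pkg,
# so a bare .kext bundle is zipped first (the bundle itself gets stapled later).
notarize() {
    case "$1" in
        *.pkg|*.dmg|*.zip)
            xcrun notarytool submit --keychain-profile "$PROFILE" --wait "$1" ;;
        *)
            ditto -c -k --keepParent "$1" "$1.zip"
            xcrun notarytool submit --keychain-profile "$PROFILE" --wait "$1.zip" ;;
    esac
}

# Attach the ticket and confirm it is really there, so the installing
# machine can verify without reaching Apple.
staple() {
    xcrun stapler staple "$1"
    xcrun stapler validate "$1"
}

option2() {
    notarize "$KEXT"                                  # step 2: notarize kext
    staple "$KEXT"                                    # step 3: staple kext
    pkgbuild --component "$KEXT" \
             --install-location /Library/Extensions \
             --identifier "$PKG_ID" \
             --sign "$INSTALLER_ID" "$OUT"            # step 4: pkg wraps stapled kext
    notarize "$OUT"                                   # step 5: notarize pkg
    staple "$OUT"                                     # step 6: staple pkg
}

# Only run the pipeline when asked, so the file can also be sourced.
if [ "${RUN_OPTION2:-0}" = 1 ]; then
    option2
fi
```

Rebuilding the package after stapling the kext is what makes the order matter: any change to the .pkg after its own submission invalidates the package ticket, so the kext is stapled first and the package last.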

                    • Re: Stapling a flat pkg that installs a kext
                      tartempion Level 1 (10 points)

                      Suggestion filed via bugreporter.