Notes from All about Notarization (Tuesday, June 4th at 3:00 PM)

What is Notarization?



Identify and block malicious software before distribution.

An extension of the Developer ID program.

Developers control the process of sending apps through the Notarization process.



Notarization is _not_ app review.

It's an automated set of security scans.



Notarization benefits:


Apps with hardened runtimes are more secure by default

Helps prevent apps from shipping with malicious dependencies



App requirements:


Previously signed software can be submitted for notarization as-is.

Apps submitted after June 1st, 2019:

- Must be correctly signed with Developer ID Application certificate

- Must have hardened runtimes


Installers must be signed with Developer ID Installer certificate



The hardened runtime does not allow a debugger to be attached to an app. The "com.apple.security.get-task-allow" entitlement allows a debugger to work with a hardened runtime.



Protected resource access


An app needs to declare its intent to access protected resources (protected resources are those covered by User Privacy Protections).


Take only the entitlements you need to successfully notarize your app. A least-privilege approach is the best approach.
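
One way to check an app against this least-privilege advice, as an added example that is not from the session or from Apple: parse the entitlements plist and flag anything outside the set the team has justified. The `needed` set, the severity labels and the sample plist are constructed assumptions; the entitlement keys are Apple's documented hardened runtime and resource access keys.

```python
import plistlib

# Hardened runtime exception entitlements; each one relaxes a runtime protection.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.debugger",
}
DEBUG_ENTITLEMENT = "com.apple.security.get-task-allow"

# Constructed sample entitlements plist (not taken from a real app).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-jit</key><false/>
  <key>com.apple.security.get-task-allow</key><true/>
</dict></plist>"""


def audit_entitlements(plist_bytes, needed):
    """Return sorted (severity, key, reason) findings for an entitlements plist.

    `needed` is the set of entitlement keys the team has justified (assumption).
    """
    ents = plistlib.loads(plist_bytes)
    # A key explicitly set to false grants nothing, so it is not counted.
    granted = {k for k, v in ents.items() if v is not False}
    findings = []
    for key in sorted(granted):
        if key == DEBUG_ENTITLEMENT:
            findings.append(("error", key, "allows a debugger to attach"))
        elif key not in needed:
            # An unjustified runtime exception weakens the hardened runtime.
            severity = "error" if key in RUNTIME_EXCEPTIONS else "warn"
            findings.append((severity, key, "not in the justified set"))
    for key in sorted(needed - granted):
        findings.append(("info", key, "justified but not requested"))
    return findings


if __name__ == "__main__":
    needed = {"com.apple.security.device.camera",
              "com.apple.security.device.audio-input"}
    for severity, key, reason in audit_entitlements(SAMPLE, needed):
        print(f"{severity:5} {key}: {reason}")
```

On a signed app, the plist to feed in can be dumped with `codesign -d --entitlements :- <App.app>`.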



Stapling:


You can staple an installer package or a disk image directly.

If the app was submitted for notarization as a zip file, the app bundle needs to be unzipped, and then the app bundle itself can be stapled.



Summary:



Sign your software properly

Don't take hardened runtime entitlements that you don't need.

Sign and notarize all your apps so that they'll work properly on macOS Catalina.