Will unnotarized apps continue to run after Feb. 3?

Hi,


I see in Apple's statement that apps that have been notarized before Feb. 3 will continue to work, but I don't see any information about unnotarized apps.

Will they still run or will they be blocked?


Thanks!

Replies

I presume that your question relates to the announcement in Update to Notarization Prerequisites. If so, be aware that this announcement is about the notary service. Specifically, for the past few months the notary service has been operating in treat-errors-as-warnings mode, and we plan to set it back to treat-errors-as-errors mode. This affects what you can notarise, but it has no impact on macOS itself.

You wrote:

Will unnotarized apps continue to run after Feb. 3?

macOS 10.14.5 and later already refused to run unnotarised apps by default. This change has no impact on that.

macOS currently does its notarisation check as part of the Gatekeeper process. If you download an app using standard user-facing tools, like Safari, the download tool will quarantine the app. When the user attempts to open a quarantined app, the system invokes Gatekeeper. Gatekeeper then checks the code signature of the app and, as part of that check, 10.14.5 and later will also check its notarisation state. An unnotarised app will fail that check and thus won’t be launched.

If you’re running an unnotarised app on 10.14.5 or later, it’s probably because the app was never checked by Gatekeeper.

Regardless, my general advice is that you notarise any product you distribute to a wide selection of users. While macOS only checks an app’s notarisation state as part of Gatekeeper right now, it’s not hard to imagine that changing in the future.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you very much for the detailed response.


So now, assuming I only use "trusted" sources (that do not add a quarantine attribute) to deliver my app, why bother notarizing in the first place?


I understand that in the future, notarization checks may be invoked by components other than the Gatekeeper. But until then, I understand that my apps will work without notarization at all. Is that correct?


Thank you.

why bother notarizing in the first place?

There are two parts to this issue, code signing and notarisation. Code signing isn’t optional at this point:

  • Numerous subsystems within macOS expect apps to be signed and behave poorly if they are not.

  • Apple announced at WWDC 2019 that “in a future version of macOS, unsigned code will not run by default anymore”.

On the notarisation front, it’s true that notarisation is currently only checked when the app is quarantined, and we’ve not made any official announcements about changing that. However, it would be a mistake to ignore notarisation. If you look at the last ten years of macOS history, you’ll see that every release has done some sort of security hardening, and I fully expect that to continue in the future.

Moreover, notarising is relatively easy, assuming you have your code signing sorted out. And if you don’t have your code signing sorted out, going through the notarisation / quarantine / Gatekeeper process is a good way to flush out any problems.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


Again, thanks for the response.

Now I understand much more clearly the importance of notarization.


You wrote:

"If you download an app using standard user-facing tools, like Safari, the download tool will quarantine the app..."

Can you please clarify what "standard user-facing tools" are?


Do they include Apple software only? Any 3rd party software?

Do they include MDM tools and SCCM tools like Open Server, JAMF, etc.?


Thanks!

Do they include Apple software only? Any 3rd party software?

Quarantine is an opt-in process; the app doing the download has to explicitly set the quarantine property (NSURLQuarantinePropertiesKey) on the files it downloads. Most user-facing apps, both Apple and third party, do actually opt in. It’s kinda important to maintain overall system security.

Note that the focus here is user-facing apps. There are plenty of ways for advanced users to bypass quarantine. For example, the curl command-line tool does not quarantine things.

Do they include MDM tools … ?

I wouldn’t expect MDM tools to quarantine installed apps because they assume that the system admin isn’t going to install malware. However, you’d have to check with your MDM vendor to get a definitive answer about the behaviour of their product.

Having said that, I wouldn’t use this as an excuse to not notarise your apps. Even if the app is installed in a way that doesn’t quarantine it, it’s still possible for it to get quarantined otherwise. For example, the user might AirDrop the app from one Mac to another.

Also, the notarisation / quarantine / Gatekeeper process is good at revealing code signing problems in your app, and it’s better to fix those sooner rather than later.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
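Added example (not Quinn's code and not Apple sample code) showing the opt-in quarantine described above in Swift: a download tool marks the file it saved with the quarantine property (the Swift spelling of NSURLQuarantinePropertiesKey), and a second helper reads that property back so an admin can tell whether Gatekeeper will assess an app on first open. Assumes macOS and a command-line tool built with swiftc; the function names and the agent name "MyDownloader" are made up for this illustration.

```swift
import Foundation
import CoreServices

/// Opt a freshly downloaded file into quarantine, the way Safari does, so that
/// Gatekeeper (and, on 10.14.5+, the notarisation check) runs on first launch.
/// Hypothetical helper for a custom download tool; not part of the original thread.
func quarantineDownloadedFile(at fileURL: URL, downloadedFrom origin: URL,
                              agentName: String) throws {
    var values = URLResourceValues()
    values.quarantineProperties = [
        kLSQuarantineAgentNameKey as String: agentName,
        kLSQuarantineTypeKey as String: kLSQuarantineTypeOtherDownload as String,
        kLSQuarantineDataURLKey as String: origin,
    ]
    var url = fileURL          // setResourceValues is a mutating call on URL
    try url.setResourceValues(values)
}

/// Returns the quarantine dictionary if the item is quarantined, nil if it is not.
/// A nil result is the "installed by curl / an MDM tool" case from the thread:
/// Gatekeeper will not assess the app when it is opened.
func quarantineProperties(of fileURL: URL) throws -> [String: Any]? {
    let values = try fileURL.resourceValues(forKeys: [.quarantinePropertiesKey])
    return values.quarantineProperties
}

// Usage: `quarantinecheck /path/to/Example.app` prints whether the bundle is quarantined.
let args = CommandLine.arguments
guard args.count == 2 else {
    print("usage: \(args[0]) <path-to-app-or-file>")
    exit(2)
}
let target = URL(fileURLWithPath: args[1])
do {
    if let props = try quarantineProperties(of: target) {
        let agent = props[kLSQuarantineAgentNameKey as String] as? String ?? "unknown"
        print("quarantined (by \(agent)); Gatekeeper will assess it on open")
    } else {
        print("not quarantined; Gatekeeper will not assess it on open")
    }
} catch {
    print("could not read quarantine state: \(error)")
    exit(1)
}
```

Applying quarantineDownloadedFile to an app your own tool saved is the opt-in Quinn describes; it does not change whether the app is notarised, it only ensures the notarisation check actually runs.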