9 Replies
      Latest reply on Feb 14, 2020 3:19 AM by eskimo
      BarryL Level 1 (0 points)

        I have an app for which I use bitrock to generate an installer and then I put that into a disk image for distribution.

         

        I do not upload my app for notarization before building the installer but I do notarize the disk image. This appears to be OK and the gatekeeper recognizes the installer and my app is installed.

         

        Running 'spctl -a -vv' on the installed app indicates that everything is OK and if I start the app it starts without a problem, but I would have thought that since the app was not notarized that spctl would have reported a problem and gatekeeper would have complained when it was started.

         

        Is my process OK or, despite what spctl reports, do I in fact need to notarize the app before it is packaged by bitrock?

         

         

        Barry

        • Re: Is it required to notarize the package being installed by an installer on a dmg?
          eskimo Apple Staff (13,125 points)

          Does bitrock create an Apple installer package?  Or does it use a custom installer format?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Is it required to notarize the package being installed by an installer on a dmg?
              BarryL Level 1 (0 points)

              It is a custom installer format.

                • Re: Is it required to notarize the package being installed by an installer on a dmg?
                  eskimo Apple Staff (13,125 points)

                  OK.  In that case things are probably not fine.  Here’s what I recommend you do:

                  1. Note down all the code in your product.  If the code is in a bundle, use the root of the bundle, not the bundle’s main executable.

                  2. Get the cdhash for each chunk of code:

                    % codesign -d -vvv /path/to/your/code

                  3. Now package up your app with that third-party installer and notarise it as you described in your first post.

                  4. Once notarisation is done, use --notarization-info to get a list of all the cdhashes that are included in your ticket.  See my 23 Apr 2019 post on this thread for instructions.

                  5. Now check that all the cdhashes from step 1 are included in the notarisation ticket you got in step 4.  If they are, you’re all good.  If they’re not, you have a problem.


                  If it turns out you do have a problem, you’ll need to switch to two-stage notarisation.  See the note about third-party installers in Customizing the Notarization Workflow.

                  Or just drop the third-party installer (-:

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"
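
The comparison in steps 2 to 5 above, as an added example that is not part of the original thread and not Apple's tooling. It assumes the notarisation log retrieved after `--notarization-info` is JSON with a `ticketContents` array carrying one `cdhash` per covered item; all paths and hash values are constructed.

```python
import json
import re

# Constructed stand-ins for `codesign -d -vvv` output (printed on stderr on a Mac).
INSTALLER_OUT = "Identifier=com.example.installer\nCDHash=" + "bb" * 20 + "\n"
APP_OUT = "Identifier=com.example.app\nCDHash=" + "cc" * 20 + "\n"

# Constructed notarisation log; the ticketContents/cdhash layout is an assumption.
SAMPLE_LOG = json.dumps({
    "status": "Accepted",
    "ticketContents": [
        {"path": "Example.dmg", "digestAlgorithm": "SHA-256", "cdhash": "aa" * 20},
        {"path": "Example.dmg/Installer.app", "digestAlgorithm": "SHA-256",
         "cdhash": "BB" * 20, "arch": "x86_64"},
    ],
})

CDHASH_RE = re.compile(r"^CDHash=([0-9a-fA-F]{40})\s*$", re.MULTILINE)


def cdhash_from_codesign(output):
    """Step 2: pull the cdhash out of one item's codesign output."""
    match = CDHASH_RE.search(output)
    if match is None:
        raise ValueError("no CDHash line: unsigned code or unexpected output")
    return match.group(1).lower()


def ticket_cdhashes(log_json):
    """Step 4: every cdhash the ticket covers (empty if the log lists none)."""
    entries = json.loads(log_json).get("ticketContents") or []
    return {e["cdhash"].lower() for e in entries if e.get("cdhash")}


def uncovered(product, log_json):
    """Step 5: paths from step 1 whose cdhash is missing from the ticket."""
    covered = ticket_cdhashes(log_json)
    return sorted(p for p, out in product.items()
                  if cdhash_from_codesign(out) not in covered)


if __name__ == "__main__":
    # Mirrors this thread: the ticket covers the disk image and the installer,
    # but not the app that the custom installer unpacks.
    product = {"Example.dmg/Installer.app": INSTALLER_OUT,
               "/Applications/Example.app": APP_OUT}
    for path in uncovered(product, SAMPLE_LOG):
        print("not covered by the ticket:", path)
```

In a build pipeline, a non-empty result from `uncovered` is the signal to fail the build or switch to two-stage notarisation.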

                    • Re: Is it required to notarize the package being installed by an installer on a dmg?
                      BarryL Level 1 (0 points)

                      Thanks for the reply,

                       

                      What you suggest is what I thought I may need to do which requires our automated build process to upload 2 separate packages to Apple and wait on each of them to be notarized before completing the build.  Depending on how fast the network is and how long the notarization takes it will add a significant amount of time to the build process. Our build process builds a lot of different apps so this is painful.

                       

                      We may consider using a standard installer.

                       

                      The thing that still puzzles me is why the gatekeeper doesn't complain about the unnotarized app when it starts. Any ideas as to why that may be?

                        • Re: Is it required to notarize the package being installed by an installer on a dmg?
                          eskimo Apple Staff (13,125 points)

                          > why … gatekeeper doesn't complain about the unnotarized app when it starts

                          This is probably an artefact of your installation process.  You notarise the disk image, which creates a ticket for the disk image itself and the custom installer app, but not the contents of the custom installer app.  So the user can mount the disk image and run the custom installer app.  When the custom installer app writes its contents to disk, it doesn’t put it in quarantine, and thus Gatekeeper never looks at it.  And no Gatekeeper (currently) means no notarisation check.

                          Try doing this: Install your app and then use AirDrop to share it with another Mac.  This will quarantine the app, at which point Gatekeeper will be invoked and it’ll do the notarisation check, which will fail.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"

                            • Re: Is it required to notarize the package being installed by an installer on a dmg?
                              BarryL Level 1 (0 points)

                              Thanks for the explanation.

                               

                              Doesn't that mean that so long as the user installs our app using the notarized installer then the app itself doesn't need to be notarized since it will not be marked as quarantined? (Assuming they do not try to distribute the unpacked app itself over the network.)

                               

                              This kind of points to a hole in the security provided by notarization and the gatekeeper. An evil person can wrap their virus-infected app in an installer which hides the virus and have the installer notarized so that the actual virus is installed undetected.

                               

                              The only way to protect against this would be to mark anything created by a quarantined app as quarantined.

                                • Re: Is it required to notarize the package being installed by an installer on a dmg?
                                  tartempion Level 1 (10 points)

                                  This has been a known security flaw of Gatekeeper since the beginning. It relied on the quarantine flag. So if you downloaded an archive or binary with curl, Gatekeeper did not see it.

                                   

                                  But… at WWDC 2019, IIRC, it was said that the checks would be performed even if the quarantine flag is not set and that checks could be performed after the first launch of the application.

                                   

                                  Check Session 701. If checking the Slides, check pages 23 and later.

                                  • Re: Is it required to notarize the package being installed by an installer on a dmg?
                                    eskimo Apple Staff (13,125 points)

                                    > Doesn't that mean that so long as the user installs our app using the notarized installer then the app itself doesn't need to be notarized since it will not be marked as quarantined?

                                    Yes, as things currently stand.  Let me be frank… Relying on that would be a mistake.  While Apple has not made any specific announcements in this regard, our guidance is very clear: All the code you ship should be covered by a notarisation ticket.

                                    > This kind of points to a hole in the security provided by notarization and the gatekeeper.

                                    I’m not going to comment on this particular thought experiment but I agree that, in general, macOS needs further hardening.  Hence my comment above.

                                    Share and Enjoy

                                    Quinn “The Eskimo!”
                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                    let myEmail = "eskimo" + "1" + "@apple.com"