Apple Requiring Notarization for Non Mac App Store Apps Starting February 2020

[cmaier]

You can spin it any way you want, but I'm not going to continue spending $2-3k on Apple hardware when they are clearly trying to get MacOS as close to a walled garden as possible. And who is to say they won't completely lock it down? They are already making developers pay for it which seems like a bad faith practice.

you need a paid developer account or an enterprise account. $100 a year is not a big deal. It seems fair, since apple has to provide the notarization service on its servers.

And, again, you can just not sign your apps, same as before, instead. But if you sign your app, notarization is a way for users to know that you haven’t done anything malicious.

 

[Enlightened Doggo]

you need a paid developer account or an enterprise account. $100 a year is not a big deal. It seems fair, since apple has to provide the notarization service on its servers.

And, again, you can just not sign your apps, same as before, instead. But if you sign your app, notarization is a way for users to know that you haven’t done anything malicious.

It's $100/year for what used to be free! Developers didn't ask for this. It's not fair, you're just complacent with getting ripped off.

 

[cmaier]

It's $100/year for what used to be free! Developers didn't ask for this. It's not fair, you're just complacent with getting ripped off.

It was never free. You used to be able to distribute signed malware. Now you cannot. Developers didn’t ask for it but customers did.

And I happily pay the $100 a year because apple gives developers a heck of a lot for that money.

And if you don’t want to pay the $100 a year, don’t sign your apps. Problem solved.

 

[bogdanw]

You used to be able to distribute signed malware

Yes, signed by Apple: "I can be Apple, and so can you" https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/

A bypass found in third party developers’ interpretation of code signing API allowed for unsigned malicious code to appear to be signed by Apple.

 

[steve333]

I hope it doesn't affect Onyx

 

[firewood]

And, again, you can just not sign your apps, same as before, instead.

Or, if you don't want to sign or notarize your apps or pay Apple $100/annum, you can just distribute an Xcode project with full source code on GitHub.

 

[LarryNyquil]

I know everyone wants to be upset about this but really, this is great for the absolute idiots that constantly fall for the YOUR WINDOWS IS IN DANGER ads plastered all over the web, despite using macOS.

People like devs and powerusers are in the minority even if you don't think so. The mere fact that GeekSquad is profitable proves that. People suck with computers and it's only going to get worse.

 

[cmaier]

I know everyone wants to be upset about this but really, this is great for the absolute idiots that constantly fall for the YOUR WINDOWS IS IN DANGER ads plastered all over the web, despite using macOS.

People like devs and powerusers are in the minority even if you don't think so. The mere fact that GeekSquad is profitable proves that. People suck with computers and it's only going to get worse.

Not to mention that software you intentionally download because you trust the source might not actually be safe. Anyone remember the Transmission hack? If a developer’s distribution site is hacked, you can easily get screwed. Notarization helps prevent that.

 

[bogdanw]

Not to mention that software you intentionally download because you trust the source might not actually be safe. Anyone remember the Transmission hack? If a developer’s distribution site is hacked, you can easily get screwed. Notarization helps prevent that.

From Jeff Johnson https://lapcatsoftware.com/articles/notarization.html

The ability of Mac apps to update themselves shows that the notarization malware scan is security theater. Apple's notarization service scans for malware, but malware authors don't need to submit malware to Apple! They can submit a perfectly innocent app for notarization, get the app notarized, and then flip a switch on their own server to download a malware software update when the victim opens the "innocent" notarized app. The downloaded malware update doesn't need to be notarized, because the software updater will delete the quarantine attribute, thus bypassing Gatekeeper.

 

[Ritsuka]

That's not true anymore. macOS will rescan even apps without the quarantine flag. Check the WWDC talk about the new gatekeeper changes.

 

[zaphon]

How about Apple focus on fixing things, and making things better, vs trying to be big brother! If I wanted a locked ecosystem device, I'd buy an iPad or iPhone. I swear Apple is determined to ensure that once my 2015 MacBook Pro dies, I never buy another Apple device again (I've been holding out as I don't want that stupid TOUCH BAR, I keep hoping they'll make a NORMAL KEYBOARD an option again).

 

[Stoomkracht]

Notarization just is a way for Apple to make more money and control over each and every big and tiny developer. They say they do not block your app YET and just check for behavior (what's correct behavior anyway according to Apple? Following strict guide lines?). How long before some app that tingles Apple's toe makes them deny notarization? Now they get control over apps in and outside the store. Not what you want as platform user if you ask me. Also to even get that check you need to pay Apple 99 euro yearly... If Apple wants it that bad, they should offer this automated service for free...

I would say, push the right click and blame Apple for it 😇

Even with payed certificate and notarization macOS still warns the user if they really? really? want to open the app, so what's the difference to the user... It only desensitises them to all these warning dialogs on Catalina now. Just click OK and go on with it. Which is the real danger now.

 

[cmaier]

Notarization just is a way for Apple to make more money and control over each and every big and tiny developer.

False. Notarization checks for malicious behavior and signing problems. So it can’t be “just” to make money.

Apple charges $100 a year, no matter how many apps you notarize and what other benefits you derive from the developer problem. They probably lose money on notarization.

They say they do not block your app YET and just check for behavior (what's correct behavior anyway according to Apple? Following strict guide lines?).

False. They do not block anything. They do not say “we don’t block your app YET.”

How long before some app that tingles Apple's toe makes them deny notarization?

Forever? App notarization does not involve any sort of review like that.

 

[Alan Wynn]

How about Apple focus on fixing things, and making things better, vs trying to be big brother!

They are focused on making things better for the vast majority of users. Notarization does two things, it checks that there is no known malware and verifies that the app the company releases is the app people are downloading. Hardly “Big Brother”, especially as Apple does not deliver advertising to the OS, so has no reason to track your usage (and with things like tracking prevention actively does the opposite). Here is a link to George Orwell’s 1984, so you can understand what Big Brother actually references (think Google tracking your every move in their environments).

If I wanted a locked ecosystem device, I'd buy an iPad or iPhone.

If you do not want this protection, you are perfectly welcome to turn it off. There is no requirement that you enable it. Second, given that one gets a development environment for this system for free, and that one compile anything one wants for it, I am not sure how you consider this a locked ecosystem.

I swear Apple is determined to ensure that once my 2015 MacBook Pro dies, I never buy another Apple device again (I've been holding out as I don't want that stupid TOUCH BAR, I keep hoping they'll make a NORMAL KEYBOARD an option again).

The current keyboard is likely to be as “normal” as it gets. A physical escape key and the Touch Bar instead of hard function keys that almost no one uses. If having hard function keys is that important to you, I suggest that you start planning your move to some other environment, rather than waiting until your four year old laptop dies and you have to move much too quickly.

 

[Solomani]

Before people start to panic, remember this only affects being able to double-click an app to open it by default. You can still go out of your way to run a non-notarized app by right-clicking and clicking open. That then whitelists the app to run in the future normally.

This is more about stopping users from accidentally executing malicious code than a strongarmed attempt to lock down the platform.

Remember that MacOS is a development operating system; they can't lock it down like iOS without crippling the ability to develop software on it.

C'mon man. You and I know that despite the ease of bypassing the authentication process, so many panties will still get bunched up and they'll come back here to bitch at how Apple crippled all their 3rd-party software!

 

[bogdanw]

"IINA is now notarized so that no warning will show when you try to install it on Catalina."

Releases · iina/iina

The modern video player for macOS. Contribute to iina/iina development by creating an account on GitHub.

github.com

The silly message still shows up in 10.15.2 (19C57)

 

[Dentity2]

I know this channel has been quiet for a bit... but I just read this article. macOS 10.15: Slow by Design.

Apple has introduced notarization, setting aside the inconvenience this brings to us developers, it also results in a degraded user experience, as the first time a user runs a new executable, Apple delays execution while waiting for a reply from their server. This check for me takes close to a second.

This is not just for files downloaded from the internet, nor is it only when you launch them via Finder, this is everything. So even if you write a one line shell script and run it in a terminal, you will get a delay!
https://sigpipe.macromates.com/2020/macos-catalina-slow-by-design/

https://sigpipe.macromates.com/2020/macos-catalina-slow-by-design/

 

[MauiPa]

I know this channel has been quiet for a bit... but I just read this article. macOS 10.15: Slow by Design. https://sigpipe.macromates.com/2020/macos-catalina-slow-by-design/

I think the author did something funny on his machine(s). I run his complaint script through terminal and get .01 and .004 seconds. No delay there, which seems consistent with the comments posted to his piece. Why blame yourself when there is anyone else around?