Apple Temporarily Relaxes Notarization Requirements in macOS Catalina for Non Mac App Store Apps

MacRumors

macrumors bot
Apr 12, 2001
7,183
8,361
0
19
www.macrumors.com



Apple this afternoon reminded developers about upcoming notarization requirements for Mac apps created outside of the Mac App Store.

Apps that are distributed outside of the Mac App Store must be notarized by Apple in order to run on the macOS Catalina operating system set to be released this fall.


Apple says that to make the transition easier on both developers and Mac users, notarization prerequisites have been adjusted until January 2020.

Developers can now have apps notarized that do not meet certain previous requirements, such as an app that uses an older SDK or the inclusion of components not signed by a developer ID.

Apple has a full list of allowances on its developer website:
You can now notarize Mac software that:
- Doesn't have the Hardened Runtime capability enabled.
- Has components not signed with your Developer ID.
- Doesn't include a secure timestamp with your code-signing signature.
- Was built with an older SDK.
- Includes the com.apple.security.get-task-allow entitlement with the value set to any variation of true.
Apple has been requiring new software distributed with a Developer ID outside of the Mac App Store to be notarized in order to run since macOS Mojave 10.14.5.

Apple introduced notarization in macOS Mojave as a way to further protect Mac users from malicious and harmful apps.

For the notarization process, Apple provides trusted non Mac App Store developers with Developer IDs that are required to allow the Gatekeeper function on macOS to install non Mac App Store apps.

Notarization is not required for apps that are distributed through the Mac App Store. More information on notarization can be found on Apple's developer site.

Article Link: Apple Temporarily Relaxes Notarization Requirements in macOS Catalina for Non Mac App Store Apps
 

RumorConsumer

macrumors 6502a
Jun 16, 2016
827
482
0
I’m not a fan. Maybe the world has changed but as a kid running some random program from the web was a rare pleasure. Yeah as I’m thinking about it there is a ton of crap out there. I’m sure they thought about it. We’ll see the effects. What about apps that aren’t being developed anymore?
 

casperes1996

macrumors 68040
Jan 26, 2014
3,900
1,882
0
Horsens, Denmark
I assume we'll be able to disable this since it's a Mac?
I’m not a fan. Maybe the world has changed but as a kid running some random program from the web was a rare pleasure. Yeah as I’m thinking about it there is a ton of crap out there. I’m sure they thought about it. We’ll see the effects. What about apps that aren’t being developed anymore?
Is there a way to turn this off in Catalina?

Like SIP there are times when this is not desired and to not be able to turn it off is a major reason not to use Apple hardware.
If there isn’t an option to disable this bs that’s the ultimate rubicon for any real desktop OS.
Hey. I am a software developer, with a Catalina install.

"Disabling it" is a phrasing that I'd have to say, no you cannot to.
But you can ignore it. "Run anyway" so to speak. It's not that it blocks you, it just warns you and makes it more steps to run potentially harmful software. Anything executed from command line will execute like normal, and I believe also if you alt-click and select open.
Furthermore, it's not an app review process. To get notarised doesn't mean Apple needs to approve of what you do. It's an automated process that just checks for security, not content. And it only affects signed software; Thought I'd say software should be signed if intended for release these days.
 

JoeCassara

macrumors member
Aug 16, 2018
44
169
0
>Apps that are distributed outside of the Mac App Store must be notarized by Apple
>in order to run on the macOS Catalina operating system set to be released this fall.

That's not true.

The situation is nuanced. Apple has stated that you will always be able to run any software of your choosing on macOS -- though you'll encounter some friction in Catalina and, speculatively, in future releases of the OS, requiring you to be explicit in your intentions. Notarization is required for apps signed with a Developer ID certificate, and there are caveats to this requirement depending on several cases.

Without getting mired in developer-speak: relax. This is not Apple cordoning off all unsigned, non-notarized software from macOS.

For the curious, check out these resources:
 

im_to_hyper

macrumors 65816
Aug 25, 2004
1,091
203
0
Pasadena, California, USA
So for those of us who just use a Mac and want to run old software (64-bit, clearly) we can?

For those of us considered “users” all this means is we just click “allow” to allow something to run, as is the case in previous versions?

The overall wording makes it seem like Apple is only allowing “officially approved software” and that anything you bought in the past will not run.

>Apps that are distributed outside of the Mac App Store must be notarized by Apple
>in order to run on the macOS Catalina operating system set to be released this fall.

That's not true.

The situation is nuanced. Apple has stated that you will always be able to run any software of your choosing on macOS -- though you'll encounter some friction in Catalina and, speculatively, in future releases of the OS, requiring you to be explicit in your intentions. Notarization is required for apps signed with a Developer ID certificate, and there are caveats to this requirement depending on several cases.

Without getting mired in developer-speak: relax. This is not Apple cordoning off all unsigned, non-notarized software from macOS.

For the curious, check out these resources:
 
  • Like
Reactions: nerdherdster

xbjllb

macrumors 65816
Jan 4, 2008
1,123
55
0
One day, not so far off, Mac Users are going to have their "Network" moment, and it won't be quiet.
 

Appleman3546

macrumors member
May 13, 2019
37
64
0
It is no coincidence that Apple is implementing this with the ability to port iOS apps to the Mac App Store. It used to be that Apple would allow downloads of Apps from browsers without Apple oversight in order to compete with Windows, but it appears that allowing Mac browser downloads of apps without some sort of Apple control was contrary to Apple’s valuable iPhone App Store monopoly excuse of security concerns. My my how valuable that App Store monopoly has become that Apple is willing to give Windows an easy dunk
 

casperes1996

macrumors 68040
Jan 26, 2014
3,900
1,882
0
Horsens, Denmark
So for those of us who just use a Mac and want to run old software (64-bit, clearly) we can?

For those of us considered “users” all this means is we just click “allow” to allow something to run, as is the case in previous versions?

The overall wording makes it seem like Apple is only allowing “officially approved software” and that anything you bought in the past will not run.

You can run anything you want to. Old software won't even give you the increased friction. Signed software is timestamped with when it was signed, and the extra warnings and steps to run un-notarized software only apply to software signed past a certain date. Old software will work the same as it always has.
 

casperes1996

macrumors 68040
Jan 26, 2014
3,900
1,882
0
Horsens, Denmark
I guess you haven't run into the Catalina message "App can't be opened because Apple cannot check it for malicious software."

Not even an old app. It was installed Aug 19.

For one of the tech talks at WWDC when notarisation was announced, Apple explicitly said that before a certain date of signing notarisation wouldn't be necessary, but only apps signed after that threshold, at which point they knew to sign it and get it notarised. If you run software that hasn't been updated for years, it won't show that message, but it hasn't been notarised, obviously since it's years old. The software you're referring to must clearly be new enough that they had the chance to get it notarised. But you can still get around this by using the Open menu, opening through Terminal, or maybe through System Preferences.
 

jonblatho

macrumors 65816
Jan 20, 2014
1,258
3,005
0
Missouri
www.jonblatho.com
I assume we'll be able to disable this since it's a Mac?
Is there a way to turn this off in Catalina?

Like SIP there are times when this is not desired and to not be able to turn it off is a major reason not to use Apple hardware.
You can bypass it using the same method used for unsigned apps (right click > Open), which presents the same prompt but with a button that allows you to open the app. It’s not perfect, though, and it’s probably why Apple’s temporarily delayed this change.

An example: Firefox was completely broken on macOS Catalina because it was unable to launch the separate Firefox Software Update app at launch and the user could not launch it themselves, not even with the workaround. Had to reinstall Firefox from another browser to fix it. This definitely needs more time when it’s a showstopper bug for a major browser and God knows what else.
 

casperes1996

macrumors 68040
Jan 26, 2014
3,900
1,882
0
Horsens, Denmark
And the average user isn't going to know that.

They'll only know that their Mac isn't working right.
If you don't know how to open a non-notarised app, you probably shouldn't open it. A car that won't start if you don't wear your seatbelt, may have legit reasons for wanting to unbuckle your seatbelt after you've started it, but the average driver really shouldn't. All apps you'll need should be notarised by release of macOS Catalina
 

ignatius345

macrumors 68020
Aug 20, 2015
2,267
3,011
0
Signed software *must* be notarised. Unsigned software runs just like before.

Reading comprehension fails a bit too much in this thread.
Don’t get huffy at readers. The article says

Apps that are distributed outside of the Mac App Store must be notarized by Apple in order to run on the macOS Catalina operating system set to be released this fall.
which is apparently a bit misleading, or at least incomplete.
 

Jerry Fritschle

macrumors member
Mar 30, 2004
60
39
0
Where in the article does it mention unsigned software not needing to be notarized?
Apple’s wording may be vague, but unsigned software may run as before by the normal method. “Signed” software (which itself is a prerequisite for notarization) must additionally be notarized.