10.14 Hardened Runtime and App Notarization

  2. 10 months ago

    Thom M

    1 Nov 2018 Pre-Release Testers Greater Hartford Area, CT

    So based on the instructions provided by @Travis H, I was able to notarize an app today. Signed, sandboxed, notarized... the whole deal. The hardened runtime does not affect the app's ability to run all the way back to 10.10. Probably earlier, that's just the oldest version 2018r3 supports. The most annoying part is authenticating with the tool. I found it easiest to generate an app-specific password and include the password on the command line. Once authentication is worked out, it's barely an extra step on top of signing.

  3. Christian S

    1 Nov 2018 Pre-Release Testers, Xojo Pro, XDC Speakers, Third Party Store Germany

    Great. Could you post the final script somewhere?
    Maybe useful to just copy & paste our path, name and certificate.

    If needed I could help to make a universal script where you just put the details in some variables on top.

  4. Thom M

    1 Nov 2018 Pre-Release Testers Greater Hartford Area, CT

    @ChristianSchmitz Great. Could you post the final script somewhere?
    Maybe useful to just copy & paste our path, name and certificate.

    If needed I could help to make a universal script where you just put the details in some variables on top.

    Honestly, the post above by Travis is it. Because of the embedded credentials, the notarizing part is something I can’t share. If I swap values, I’ll just be reposting what Travis posted.

    The output from each step is wild and I think it’ll be very hard to script. My plan is to just run the commands manually after my normal build script.

  5. Thom M

    1 Nov 2018 Pre-Release Testers Greater Hartford Area, CT

    One tip I can provide: the keychain item Travis specified is not always available. It wasn't for me. So I set up a keychain item called "App Notarization" with an Account Name of my Apple ID and a password of my app-specific password. Then I use --password @keychain:"App Notarization" instead. To hide my Apple ID though, I'll probably load that into a variable before running the script. That way I can open source the script without revealing anything critical.

    Still, scripting the notarization process will be a pain. Here's an example response. This is all after the final stapling step.

    Processing: /Users/thommcgrath/Documents/The ZAZ Sources/Beacon/Installers/Mac/Output/Beacon.dmg
    Properties are {
        NSURLIsDirectoryKey = 0;
        NSURLIsPackageKey = 0;
        NSURLIsSymbolicLinkKey = 0;
        NSURLLocalizedTypeDescriptionKey = "Disk Image";
        NSURLTypeIdentifierKey = "com.apple.disk-image-udif";
        "_NSURLIsApplicationKey" = 0;
    }
    Codesign offset 0xa845e1 length: 9429
    Stored Codesign length: 9429 number of blobs: 3
    Total Length: 9429 Found blobs: 3
    Props are {
        cdhash = <4dca04a3 465b9586 6423323d 7f3e1e31 ad3ac0ef>;
        digestAlgorithm = 2;
        flags = 0;
        secureTimestamp = "2018-11-01 21:30:30 +0000";
        signingId = Beacon;
        teamId = E3JM6H56CP;
    }
    JSON Data is {
        records =     (
                    {
                recordName = "2/2/4dca04a3465b95866423323d7f3e1e31ad3ac0ef";
            }
        );
    }
     Headers: {
        "Content-Type" = "application/json";
    }
    Domain is api.apple-cloudkit.com
    Response is <NSHTTPURLResponse: 0x7f9e0b608140> { URL: https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup } { Status Code: 200, Headers {
        "Apple-Originating-System" =     (
            UnknownOriginatingSystem
        );
        Connection =     (
            "keep-alive"
        );
        "Content-Encoding" =     (
            gzip
        );
        "Content-Type" =     (
            "application/json; charset=UTF-8"
        );
        Date =     (
            "Thu, 01 Nov 2018 21:50:44 GMT"
        );
        Server =     (
            "AppleHttpServer/2f080fc0"
        );
        "Strict-Transport-Security" =     (
            "max-age=31536000; includeSubDomains;"
        );
        "Transfer-Encoding" =     (
            Identity
        );
        Via =     (
            "xrail:st11p00ic-qugw02260201.me.com:8301:18H66:grp60",
            "icloudedge:da21p00ic-hygw02120901:7401:18RC572:Dallas"
        );
        "X-Apple-CloudKit-Version" =     (
            "1.0"
        );
        "X-Apple-Request-UUID" =     (
            "df01554a-fafb-4619-b1f4-9f1c5abe1aba"
        );
        "X-Responding-Instance" =     (
            "ckdatabasews:16303101:st42p63ic-ztfb09161201:8201:1820B278:f35ea39ef4d"
        );
        "access-control-expose-headers" =     (
            "X-Apple-Request-UUID, X-Responding-Instance",
            Via
        );
        "apple-seq" =     (
            0
        );
        "apple-tk" =     (
            false
        );
    } }
    Size of data is 2922
    JSON Response is: {
        records =     (
                    {
                created =             {
                    deviceID = 2;
                    timestamp = 1541108961982;
                    userRecordName = "_d28c74d190a3782e89496b0a13437fef";
                };
                deleted = 0;
                fields =             {
                    signedTicket =                 {
                        type = BYTES;
                    };
                };
                modified =             {
                    deviceID = 2;
                    timestamp = 1541108961982;
                    userRecordName = "_d28c74d190a3782e89496b0a13437fef";
                };
                pluginFields =             {
                };
                recordChangeTag = jnz4hhh5;
                recordName = "2/2/4dca04a3465b95866423323d7f3e1e31ad3ac0ef";
                recordType = DeveloperIDTicket;
            }
        );
    }
    Downloaded ticket has been stored at file:///var/folders/rm/5lrbl4h12qs4jnw1g6pwbcvc0000gn/T/df01554a-fafb-4619-b1f4-9f1c5abe1aba.ticket.
    Attempting to attach a new ticket to Beacon.dmg. Let's see how that works out.
    Cloned /Users/thommcgrath/Documents/The ZAZ Sources/Beacon/Installers/Mac/Output/Beacon.dmg to /var/folders/rm/5lrbl4h12qs4jnw1g6pwbcvc0000gn/T/TemporaryItems/(A Document Being Saved By stapler)/Beacon.dmg
    Adding 4 blobs to superblob. What about Blob?
    Adding blob of size 294 to offset 44.
    Adding blob of size 168 to offset 338.
    Adding blob of size 8931 to offset 506.
    Length of new ticket blob is 1871
    A copy of the new disk image blobs and headers has been saved to /var/folders/rm/5lrbl4h12qs4jnw1g6pwbcvc0000gn/T/B5B0D4A5-4463-42DD-BCC1-E8D4FF3FCD24-12299-0000276F98C6A557.dmgData. Enjoy.
    Processing: /Users/thommcgrath/Documents/The ZAZ Sources/Beacon/Installers/Mac/Output/Beacon.dmg
    Properties are {
        NSURLIsDirectoryKey = 0;
        NSURLIsPackageKey = 0;
        NSURLIsSymbolicLinkKey = 0;
        NSURLLocalizedTypeDescriptionKey = "Disk Image";
        NSURLTypeIdentifierKey = "com.apple.disk-image-udif";
        "_NSURLIsApplicationKey" = 0;
    }
    Codesign offset 0xa845e1 length: 11308
    Stored Codesign length: 11308 number of blobs: 4
    Total Length: 11308 Found blobs: 4
    Props are {
        cdhash = <4dca04a3 465b9586 6423323d 7f3e1e31 ad3ac0ef>;
        digestAlgorithm = 2;
        flags = 0;
        secureTimestamp = "2018-11-01 21:30:30 +0000";
        signingId = Beacon;
        teamId = E3JM6H56CP;
    }
    The staple and validate action worked!

    Hopefully exit codes will provide me some useful information, because getting bash to recognize anything from that will be a chore.
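
Thom's complaint above is that altool and stapler output is hard to consume from bash. As an added example (not the post's or Beacon's own Build.sh), here is a small wrapper that parses the two fields that actually matter, the RequestUUID after upload and the Status line while polling, and staples on success; the altool/stapler flags follow Apple's 2018 altool interface, the keychain item name "App Notarization" and the Apple ID variable follow the post, and the sample outputs and the fake_info_* stand-ins are constructed so the polling logic can be exercised offline.

```shell
#!/bin/bash
# Added example, not from the post or Beacon's Build.sh: wraps the 2018-era
# `xcrun altool` text interface so notarization can be scripted. Apple ID in
# a variable, app-specific password in the "App Notarization" keychain item,
# as described in the post. All sample outputs below are constructed.
APPLE_ID=${APPLE_ID:-you@example.com}   # placeholder; export the real Apple ID
KEYCHAIN_ITEM="App Notarization"
INFO_CMD=${INFO_CMD:-altool_info}       # injectable so the poll loop is testable offline

# Real status query. The outcome is read from the "Status:" line, not the exit code.
altool_info() {
  xcrun altool --notarization-info "$1" --username "$APPLE_ID" \
    --password "@keychain:$KEYCHAIN_ITEM" 2>&1
}
# RequestUUID from `altool --notarize-app` output; fails when absent (rejected upload).
request_uuid_from() {
  local uuid
  uuid=$(printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*RequestUUID = \([0-9A-Fa-f-]\{36\}\).*/\1/p' | head -n 1)
  [ -n "$uuid" ] && printf '%s\n' "$uuid"
}
# Value of the "Status:" line: "in progress", "success" or "invalid".
status_from() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Status: *\(.*\)$/\1/p' | head -n 1
}
# Poll until Apple issues or rejects the ticket: returns 0 on success,
# 1 on rejection (the output carries a LogFileURL with the reasons), 2 on timeout.
wait_for_ticket() {
  local uuid=$1 tries=${2:-40} delay=${3:-30} out
  while [ "$tries" -gt 0 ]; do
    out=$("$INFO_CMD" "$uuid") || true
    case $(status_from "$out") in
      success) return 0 ;;
      invalid) printf 'Notarization rejected:\n%s\n' "$out" >&2; return 1 ;;
    esac
    tries=$((tries - 1)); sleep "$delay"
  done
  echo "Timed out waiting for request $uuid" >&2; return 2
}
# Full pipeline: upload the image, wait for the ticket, staple it for offline Gatekeeper checks.
notarize_and_staple() {
  local dmg=$1 bundle_id=$2 out uuid
  out=$(xcrun altool --notarize-app --primary-bundle-id "$bundle_id" --username "$APPLE_ID" \
    --password "@keychain:$KEYCHAIN_ITEM" --file "$dmg" 2>&1) || true
  uuid=$(request_uuid_from "$out") || { printf 'Upload failed:\n%s\n' "$out" >&2; return 1; }
  wait_for_ticket "$uuid" && xcrun stapler staple "$dmg"
}
# Constructed samples shaped like altool's output, plus stand-ins for altool_info.
SAMPLE_UPLOAD_OK="No errors uploading 'Beacon.dmg'.
RequestUUID = 2EFE2717-52EF-43A5-96DC-0797E4CA1041"
SAMPLE_INFO_PENDING="        Status: in progress"
SAMPLE_INFO_OK="        Status: success
   Status Code: 0
Status Message: Package Approved"
SAMPLE_INFO_BAD="    LogFileURL: https://example.invalid/developer_log.json
        Status: invalid"
fake_info_pending()  { printf '%s\n' "$SAMPLE_INFO_PENDING"; }
fake_info_ok()       { printf '%s\n' "$SAMPLE_INFO_OK"; }
fake_info_rejected() { printf '%s\n' "$SAMPLE_INFO_BAD"; }
```

From a build script, export APPLE_ID and call notarize_and_staple with the .dmg path and a bundle identifier of your own; setting INFO_CMD to one of the fake_info_* functions runs the wait loop against the constructed outputs instead of a real submission.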

  6. Thom M

    1 Nov 2018 Pre-Release Testers Greater Hartford Area, CT

    Well I stayed up much too late working on this. Here's my real-world build script that has fully automated notarization starting on line 35: https://github.com/thommcgrath/Beacon/blob/master/Installers/Mac/Build.sh

  7. Paulo V

    4 Nov 2018 Porto Alegre, Brasil
    Edited 10 months ago

    @Krzysztof M Before you start a flame about the evil communist Apple enslaving the sheeple and how dare anyone not bow before the free software and Holy Stallman who is its Prophet…

    The post on Apple site states: "in an upcoming release of macOS, Gatekeeper will require Developer ID–signed software to be notarized by Apple". The app notarizing is going to be the requirement for signed apps. Nothing in the post indicates it will no longer be possible to run unsigned apps, unless you want to make the slippery slope argument that it MAY happen someday. Don't panic, people.

    @Thom M That’s a very good point. It’s so obvious now. What this is saying is if your app is signed with a developer id certificate, you must have it notarized too. The ability to run unsigned software is not going to change.

    I fully agree with the two thoughts. I also think that running unsigned applications is a basic principle of desktop software. I do not believe in any way that Apple would restrict the use of home-made software, for example; this would be suicide for the platform, as I know dozens of cases in which companies themselves develop software for their internal use that in no way undergoes validation by Apple.

  8. Sam R

    4 Nov 2018 Pre-Release Testers, Xojo Pro, Third Party Store Hengchun, Pingtung, Taiwan

    @Paulo V I fully agree with the two thoughts. I also think that running unsigned applications is a basic principle of desktop software. I do not believe in any way that Apple would restrict the use of home-made software, for example; this would be suicide for the platform, as I know dozens of cases in which companies themselves develop software for their internal use that in no way undergoes validation by Apple.

    I would like to agree with you, but my gut is constantly telling me that Apple doesn't care about the longevity of the Mac platform.

  9. Paulo V

    4 Nov 2018 Porto Alegre, Brasil

    @Sam R I would like to agree with you, but my gut is constantly telling me that Apple doesn't care about the longevity of the Mac platform.

    Sam, of course I agree with you that the iOS platform is more important to Apple, but not by so far that the amount of Macs sold in the world is negligible in terms of value.

    I base my idea on the fact that Macs are used massively in Arts, Design and Development, so Apple will not ruin this corporate market just out of stubbornness, that's my impression.

  10. Jeff T

    4 Nov 2018 Pre-Release Testers Midlands of England, Europe

    Macs are used massively in Arts, Design and Development, so Apple will not ruin this

    Apple isn't a charity.
    The second they feel they aren't going to profit enough from Macs, they will drop them in a heartbeat.
    Look at floppy drives, CD drives, 'normal' USB ports, 3.5mm sockets...
    Apple tries to look 5 years ahead and do it now.

  11. Sam R

    4 Nov 2018 Pre-Release Testers, Xojo Pro, Third Party Store Hengchun, Pingtung, Taiwan

    @Paulo V I base my idea on the fact that Macs are used massively in Arts, Design and Development, so Apple will not ruin this corporate market just out of stubbornness, that's my impression.

    Apple did have a hold on the photography industry; then they abandoned it, allowing Adobe to pretty much rule, which worked against Apple, as most Adobe products run better on Windows, and with touch screen and pen support on Windows hardware, working with full Adobe apps.

    Yosemite cost Apple a TV network here in Taiwan as it caused too many problems, so the production team went with Adobe and Windows.

    I’ve witnessed an iOS games company abandon the Mac as they switched to a 3rd party dev tool and Windows hardware, allowing them to debug their games on touch hardware and add support for Windows and Android.

    I think in order to hold down the fort, Apple needs to double down on providing good quality and reliable hardware, while slowing down the frequency of new macOS versions, so that the new versions have more QA, with features that actually benefit the market.

    I want to believe...

  12. After thirty years on the Mac, in the last couple of years I often find myself musing what keeps me with Apple. If it were not for the few bucks I still get from my Xojo apps, I would not see any reason to "hold the fort". And should returns from selling apps drop under 100 USD/month, then, sorry, good bye Apple: no more reasons to invest over 1200 USD in hardware in order to do smallish jobs that can be done on a 300 USD Lenovo machine. The only regret would be my forced good bye to Xojo too.

  13. Christoph D

    5 Nov 2018 Pre-Release Testers, Xojo Pro

    Although I agree Apple has taken some odd decisions lately, I still have some good sales compared to Windows.
    I mean, macOS users still have the decency to pay for apps. The first thing Windows users do is search for a cracked version.
    In my experience, with the same app for both platforms, it's 80% sales for macOS and 20% for Windows.
    So basically if I leave macOS behind, my sales will plummet to 20%.

  14. Paulo V

    5 Nov 2018 Porto Alegre, Brasil
    Edited 10 months ago

    @Jeff T Apple isn't a charity.

    Charity ?
    They make millionaire profits with Mac sales; they are the most expensive computers on the market. I do not know what charity this is.
    Of course compared to the iPhone it is much smaller, but it is still a lot of money!

  15. Paulo V

    5 Nov 2018 Porto Alegre, Brasil

    @Sam R Apple did have a hold on the photography industry; then they abandoned it, allowing Adobe to pretty much rule, which worked against Apple, as most Adobe products run better on Windows, and with touch screen and pen support on Windows hardware, working with full Adobe apps.

    Yosemite cost Apple a TV network here in Taiwan as it caused too many problems, so the production team went with Adobe and Windows.

    I’ve witnessed an iOS games company abandon the Mac as they switched to a 3rd party dev tool and Windows hardware, allowing them to debug their games on touch hardware and add support for Windows and Android.

    I think in order to hold down the fort, Apple needs to double down on providing good quality and reliable hardware, while slowing down the frequency of new macOS versions, so that the new versions have more QA, with features that actually benefit the market.

    I want to believe...

    Sam, I agree with most of your comments but I reaffirm that Image Manipulation, Design and Advertising worldwide is dominated by Macs, I do not think they will want to lose this market thread just to satisfy egos within the company.

  16. 8 weeks ago

    Thomas T

    Jul 19 Pre-Release Testers, Xojo Pro Europe (Germany, Munich)
    Edited 8 weeks ago

    The tool "SD Notary", made for AppleScript developers, who are in the same boat as us Xojo devs, is FREE and works even for simple apps (no need to make a dmg first - I can just give it my app and then zip it afterwards). Sadly, the current version 1.1.1 doesn't run as it's "expired". But that should be fixed soon again, and I've used it successfully to notarize my FAF2 betas in the past:

    https://latenightsw.com/sd-notary-notarizing-made-easy/

    @Christoph De Vocht OK, I agree. Open Source can have its advantages. True.

    But free software isn't. Period. :)

    Oh, so my free tools are useless or hurting the market? And the one mentioned above? Note that these tools are offered by professionals, and we know what we're doing. Also, there are the one(s) you once made (well yes, you actually did hurt heavily _my_ market when you released a free clone of my FAF and then didn't want to take it down after I begged you not to do that)? *shaking head in disbelief*

  17. Christoph D

    Jul 19 Pre-Release Testers, Xojo Pro
    Edited 8 weeks ago

    @ThomasTempelmann didn't want to take it down after I begged

    Heu... FWIW... I did take it down years ago. Especially for you. Remember? I even put a link on my website to recommend your app. ;-)

  18. Thomas T

    Jul 20 Pre-Release Testers, Xojo Pro Europe (Germany, Munich)
    Edited 8 weeks ago

    Yes, but only after you had kept it available for a long time regardless (years, IIRC). I'm not blaming you for it; it's everyone's fair right to make competitive apps, even free ones. Only you so forcefully said above that free apps destroy the market, when you did exactly that yourself. Maybe that's how you came to the conclusion, after I brought this problem up with you? Then that's fine. Still, I don't agree that free apps are bad. In my case, for instance, they add visibility to my other (commercial) products. And since I use them myself, I also have an interest in keeping them functional.

  19. 2 weeks ago

    Jürg O

    Sep 3 Pre-Release Testers, Xojo Pro
    Edited 2 weeks ago

    Ah - Apple has relaxed the rules...: https://developer.apple.com/news/?id=09032019a

    You can now notarize Mac software that:

    • Doesn’t have the Hardened Runtime capability enabled.
    • Has components not signed with your Developer ID.
    • Doesn’t include a secure timestamp with your code-signing signature.
    • Was built with an older SDK.
    • Includes the com.apple.security.get-task-allow entitlement with the value set to any variation of true.

  20. Christoph D

    Sep 4 Pre-Release Testers, Xojo Pro

    Only rescheduled the deadline to January 2020
