Gatekeeper Issues

Hi,

I’m trying to use App Wrapper to code sign my simple free demo app so that users don’t get the “unknown developer” warning when trying to launch it. I have a Developer ID Application and Developer ID Installer certificate in Keychain Access. App Wrapper states that my code signature for Web distribution is “good”. For App Store submission it says that both certs are missing (don’t care - not putting the demo on the App Store).

When I tell App Wrapper to wrap the application I get the following failure message:

Any idea what I’m doing wrong? I have spent hours trying to debug this. It’s such a PITA as all I want to do is put this demo app on my own website.

Garry; You’re the second person I know of that’s run into this issue. From what I understand, you need to “Notarize” your application before your Developer ID account has been confirmed.

First please make sure that you’re using 3.9.1 Beta 6 (307), it can be downloaded from https://www.ohanaware.com/appwrapper/appWrapper3update391Beta.dmg

I’ve added some code which should help with part of the process.

So when you get to this point again; then click on the “Notarize” button. If you haven’t already you’ll have to go through the hassle of entering your Apple developer e-mail address and creating an App-Specific-Password (there is some documentation on how to do this in the dialog).

In theory; once Apple have approved your Notarized application, your account should be unlocked and usable. However I must warn you, the other developer who faced this said his submission to Apple was rejected because it’s from an Unnotarized Developer ID. I’ve yet to receive any official confirmation from Apple regarding what to do next.

Sorry for the delay in replying Sam - I had non-coding work I had to get done after I posted.

In short - it works! I used the beta, created an app-specific password and followed your steps and GateKeeper is now at peace with my app.

Thanks a lot mate.

I’m third, I guess… ?
That probably explains why Google search doesn’t show much help…

I thought notarizing was the step after signing…
So, the error I get means my account has already been confirmed while I haven’t notarized anything? How do I un-confirm it?

[quote=444764:@Sam Rowlands]So when you get to this point again; then click on the “Notarize” button. If you haven’t already you’ll have to go through the hassle of entering your Apple developer e-mail address and creating an App-Specific-Password (there is some documentation on how to do this in the dialog).[/quote]
Notarizing means submitting the app to Apple so they check what it does, right? What if I just want to sign it?

So I could, in theory, submit whichever app I want (even a “hello world”) to Apple and they unlock my account?
Why did they lock my account in the first place? I’ve actually been able to sign an app two weeks ago…

Yup it is.

Yup.

I honestly don’t know. Probably something something Security something something and something Privacy something.

Just to confirm this is getting the error “Unnotarized developer ID” when wrapping the application.

Edit, who knows maybe they just wanna look at your source code?

Then what’s the point of needing to notarise when I just want to sign my app?

[quote=469682:@Sam Rowlands]I honestly don’t know. Probably something something Security something something and something Privacy something.

Just to confirm this is getting the error “Unnotarized developer ID” when wrapping the application.[/quote]
Is Apple’s goal to ultimately make everyone find their policies ridiculous?
I just want to sign my apps; they are always in “beta” stage, always changing (utilities used only by myself or friends). They don’t need to be notarised, just signed (and I frankly don’t want Apple to review my apps, which are “customised” for my needs).
Notarising should be done on “final stages”, not for apps that are “left uncompleted”. And yet, I would have to notarise something to unlock my account just to later sign my apps (i.e. one step backward), without knowing if my account will get blocked again nor if all my apps will be allowed to be signed… That’s a terrible mess…

Notarising is about that, way more than just signing…

Thanks for your answer.

FWIW, we (Xojo) have to notarize all of our builds for them to work on Catalina as well, whether for internal use or external distribution.

Indeed… I haven’t dealt that much with Catalina (no pun intended…).

Ok, so it looks like notarising is just required… So, in Catalina (and latest versions of Mojave), the only proper way to give an application (even a freeware) to a friend (or simply to another computer) is to let Apple know what the app does?! Privacy is gone, my dear…

Thanks Greg; your answer has put my thoughts in order.

I just want to add that in the last few days, my mailbox has become flooded with many developers suddenly facing the same issue, which makes me think something’s gone wrong, so I’ve reached out to Apple (through a contact I’ve made in the “Security” team).

Starting February 3rd, Catalina will require all apps to be notarized, it won’t let them run if they aren’t. So yes, you’ll need to sign and notarize apps you give to friends. And BTW, Apple doesn’t know what your app does, it just scans the code to look for suspicious/malicious code.

I’m using App Wrapper to sign and notarize and it’s pretty painless. One of my apps is huge and the whole process takes maybe 20 minutes, the rest get done in a minute or so. No big problem for me. So far…

Ok, so I presume you’ll update this loved App Wrapper app if there’s anything you can do.

Ok, I’ll take the habit to do that.

How can they without actually testing the app?
I mean, say an app is half malware (it does its intended work but also deletes all the files in the user’s home folder in the background). All an automated tool would see is a call to delete and perhaps a loop or recursion (and the legit code).
A regular app is allowed (and for good reasons) to delete a file (e.g. a temporary file), so how could Apple determine whether an app is malware or not just by seeing the APIs used?

Ok… Good to know.
I know at least one of my apps won’t be notarisable (uses QuickTime a lot); I also expect it won’t be the only one in this case.

I’ve actually notarised an app 2 days ago, almost for testing; when I received the confirmation from Apple, I double-checked the app (yes, too late) and realised I hadn’t put an icon for it (BTW: creating an icon is really a pain, to me at least). And I thought: “could I just add an icon and re-notarise the app 5 minutes later?”.
Like other times when I’m thinking of adding a little thing to my app just after “validating” it, what’s the policy about notarising the same app several times? Must I wait several minutes/days between notarising two versions (with or without huge differences) and must the version field be different each time (do they check that)?
May one notarise a dozen apps at the same time?

Thanks for your answer.

What will come in February is for the likes of Adobe and Microsoft. It doesn’t change anything for us. If an app isn’t notarized you will get the confusing “it’s not possible to check your app for malicious code”. And you will still be able to open the app.

What will come in February applies to anyone who’s been relying on some of the lightened security. I was concerned about ExeWrapper so I asked Sam, and he said that AppWrapper would pass the warnings to me if there were any. So if you’re using AppWrapper you should be aware of whether or not you’re going to run into an issue.

And of course, any end-user who wants their system as it were before these security implementations is able to disable SIP and live their lives.
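Since several posts above turn on whether Gatekeeper sees an app as “Notarized Developer ID”, “Developer ID” (signed only) or “Unnotarized Developer ID”, here is an added checker, not from the thread or from App Wrapper, that runs Apple’s `spctl --assess` and classifies its verdict. The sample outputs embedded below are constructed for illustration; the function and dataclass names are my own.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed samples mimicking `spctl --assess --type execute -vv <app>` output
# (spctl writes these lines to stderr); not captured from a real machine.
SAMPLE_NOTARIZED = (
    "/Applications/Demo.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_SIGNED_ONLY = (
    "/Applications/Demo.app: accepted\n"
    "source=Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_UNNOTARIZED = (
    "/Applications/Demo.app: rejected\n"
    "source=Unnotarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_UNSIGNED = "/Applications/Demo.app: rejected\nsource=no usable signature\n"


@dataclass
class GatekeeperVerdict:
    accepted: bool      # first line ends with ": accepted"
    developer_id: bool  # signed with a Developer ID certificate
    notarized: bool     # source line starts with "Notarized"
    source: str         # raw "source=" value for reporting


def parse_spctl(output: str) -> GatekeeperVerdict:
    """Classify spctl's verdict; 'Unnotarized Developer ID' is Developer ID but not notarized."""
    lines = output.strip().splitlines()
    accepted = bool(lines) and lines[0].endswith(": accepted")
    m = re.search(r"^source=(.*)$", output, re.M)
    source = m.group(1).strip() if m else ""
    return GatekeeperVerdict(
        accepted=accepted,
        developer_id="Developer ID" in source,
        notarized=source.startswith("Notarized"),
        source=source,
    )


def assess(path: str, kind: str = "execute") -> GatekeeperVerdict:
    """macOS only: kind='execute' for .app bundles, 'open' for disk images."""
    cmd = ["spctl", "--assess", "--type", kind, "-vv", path]
    if kind == "open":
        cmd[3:3] = ["--context", "context:primary-signature"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_spctl(proc.stdout + proc.stderr)
```

Run `assess("/path/to/Demo.app")` or `assess("Demo.dmg", kind="open")` on a Mac; a verdict with `accepted=False` and `source="Unnotarized Developer ID"` is the state the thread is about.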

Firstly; if anyone is getting the error message “Unnotarized Developer ID” after they’ve submitted an App to the Notarization service, please use Apple’s Feedback and file a Feedback report, then give me the report ID. My contact at Apple is not aware of any changes that happened in the last few weeks, and if this is what we think it is, the team he works on needs as much information as possible.

Of course.

Just be alert that I’m aware of at least one false positive where Apple didn’t like the name of a function (through another developer); they were very heavy handed with the customer to start with, threatening to shut down his developer account. I don’t recall exactly what he did, but he managed to get this overruled (I think he had to change the name of his function).

AFAIK most anti-virus software uses pattern recognition, so if you are using those APIs in a certain way, it will flag.

I would imagine that it will be allowed to be Notarized, AFAIK, it’s only the App Store that blocks certain APIs.

Not that I am aware of, I have notarized the same app multiple times a day, with only minor changes in between.

Yes.

I had this exact same thing happen. In order to re-notarize, you’ll need to increase the version number (or at least the build number) on the app, so that Apple knows it’s not the same.

This looks like a severe issue…
Well, I’ve had this error once for now (I’ve not yet played a lot with this either). Even if the error re-appears, what would I report more than the actual error message?

Staying objective with someone we dislike (or more) is hard, even for Apple… Then, we would find anything that goes beyond standards and use it as an argument to discredit the person…
And I guess Apple has no list of forbidden function names in the first place; they just invent them when they want…

Anti-virus software uses hashes from already-known binaries, right? It’s when a new virus is discovered that AV companies add the signature to their known list.

Here, Apple doesn’t know in advance what our code does. Going back to my previous example, if my brand-new app deletes all the files in the user’s folder (and, as a side effect, also does something useful to fool the user into thinking all is working as expected), Apple will know the app is not legit only after some users have already lost their files; the developer certificate will certainly be cancelled, after the fact.
Deleting files, per se, is not using an odd or prevented API; not sure how Apple’s notarisation would prevent several ways to damage computers…

Good to know. Maybe most of my apps will be notarisable… I’m excited to find out!
The one using QuickTime is not worth being notarised (used strictly by me only, and QuickTime is not supported at all in Catalina…).

Wonderful!

Thank you.

Ah, ok, good to know.
Just out of curiosity, if you keep the same version number, what happens? Do you get a rejection or Apple just responds “Your <1.0> software is already notarised” and nothing else happens?

Thank you.

If you try to notarise the same dmg again you will get an error “already notarised” as you expected.

Thank you.
Which reminds me: if I notarise an app, put it in a dmg and send the dmg, it won’t work as the dmg is not notarised (right?); if I then notarise the dmg (containing the already-notarised app), will Apple check the app twice?