
Author Topic: Important date for Notarization: 3 Feb 2020  (Read 2954 times)

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2023
  • Former Delphi 1-7, 10.2 user
Important date for Notarization: 3 Feb 2020
« on: March 01, 2020, 05:23:53 am »
Just a heads up.

From 3 Feb 2020 Apple has started enforcing all of the prerequisites for successfully notarising applications and disk images. Until that date, notarisation would be successful even if the application was not hardened. No longer.

If notarization fails you can download the log file from Apple and discover the reason, eg:

...
"message": "The executable does not have the hardened runtime enabled.",
...

I've updated my Notarisation Wiki article to add the details of how to obtain the log file and to emphasise the full requirements for notarisation from 3 Feb. See: https://wiki.freepascal.org/Notarization_for_macOS_10.14.5+#Notarization_requirements

This also had some consequences for the verification of the code signing of disk images and so my Code Signing Wiki article has also been updated. See: https://wiki.freepascal.org/Code_Signing_for_macOS
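
Added example, not part of the post above or of the wiki articles: a short Python script that reads a downloaded notarization log and lists which binaries were rejected for the hardened-runtime reason quoted above. The sample log is constructed, and the field names other than "message" ("status", "issues", "severity", "path") are assumptions about the log layout.

```python
import json
from collections import defaultdict

# The one message text taken from the post; everything else below is constructed.
HARDENED_RUNTIME_MSG = "The executable does not have the hardened runtime enabled."

# Constructed sample log. Field names other than "message" are assumed.
SAMPLE_LOG = """
{
  "status": "Invalid",
  "archiveFilename": "MyApp.dmg",
  "issues": [
    {"severity": "error",
     "path": "MyApp.dmg/MyApp.app/Contents/MacOS/MyApp",
     "message": "The executable does not have the hardened runtime enabled."},
    {"severity": "warning",
     "path": "MyApp.dmg/MyApp.app/Contents/MacOS/helper",
     "message": "Constructed warning text for illustration."}
  ]
}
"""

def summarize(log_text):
    """Group log issues by file and pick out the hardened-runtime failures."""
    log = json.loads(log_text)
    issues = log.get("issues") or []  # tolerate a missing or null issue list
    by_path = defaultdict(list)
    for issue in issues:
        by_path[issue.get("path", "?")].append(
            (issue.get("severity"), issue.get("message")))
    return {
        "status": log.get("status"),
        "blocking": sum(1 for i in issues if i.get("severity") == "error"),
        "needs_hardened_runtime": sorted(
            {i.get("path", "?") for i in issues
             if i.get("message") == HARDENED_RUNTIME_MSG}),
        "by_path": dict(by_path),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"status={report['status']} blocking issues={report['blocking']}")
    for path in report["needs_hardened_runtime"]:
        print("re-sign with hardened runtime:", path)
```

Each path reported under needs_hardened_runtime has to be re-signed with the hardened runtime enabled (codesign's `--options runtime`) before the app or disk image is resubmitted.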

jwdietrich

  • Hero Member
  • *****
  • Posts: 1232
    • formatio reticularis
Re: Important date for Notarization: 3 Feb 2020
« Reply #1 on: March 05, 2020, 01:31:46 am »
Thanks!
function GetRandomNumber: integer; // xkcd.com
begin
  GetRandomNumber := 4; // chosen by fair dice roll. Guaranteed to be random.
end;

http://www.formatio-reticularis.de

Lazarus 2.2.6 | FPC 3.2.2 | PPC, Intel, ARM | macOS, Windows, Linux

AL

  • Sr. Member
  • ****
  • Posts: 264
Re: Important date for Notarization: 3 Feb 2020
« Reply #2 on: March 10, 2020, 06:26:21 pm »
Is it still possible to distribute an app without Code Sign and Notarization?
I cannot afford to pay $100 per year to distribute a shareware that sells for $20!
Laz 3.1, fpc 3.2.2, Win10
Laz 3.1  fpc 3.2.2, MacOS Monterey running on VMWare/Win 10
Laz 3.1  fpc 3.2.2 Ubuntu 20.04

Thaddy

  • Hero Member
  • *****
  • Posts: 14381
  • Sensorship about opinions does not belong here.
Re: Important date for Notarization: 3 Feb 2020
« Reply #3 on: March 10, 2020, 06:43:55 pm »
For corporate solutions there is a mitigation, but I understand your problem.
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2023
  • Former Delphi 1-7, 10.2 user
Re: Important date for Notarization: 3 Feb 2020
« Reply #4 on: March 10, 2020, 11:53:28 pm »
@AL: Yes, but you will either scare or confuse many of your users. See Notarization for macOS 10.14.5+ which gives you examples of the dialogs your user will see and the options they will have unless they know of the workaround which gives them the option to install.

Note: The $US 99 -- $A 152 in the land downunder :( -- may be worth paying once you have finalised your shareware app (is software ever finalised?). Even if you do not renew it after the first year, the app will remain signed and notarised. You do also get two "free" TSIs (Technical Support Incidents) for the money -- response time was around a week, but the response was comprehensive -- as well as the bunch of Apple certificates for signing.

AL

  • Sr. Member
  • ****
  • Posts: 264
Re: Important date for Notarization: 3 Feb 2020
« Reply #5 on: March 11, 2020, 01:29:12 am »
OK so, IT IS possible to run unsigned software. My understanding was that in Catalina the Ctrl-Click was not possible.
You're right, it is probably scary for a Mac user that is not used to such a warning.
Laz 3.1, fpc 3.2.2, Win10
Laz 3.1  fpc 3.2.2, MacOS Monterey running on VMWare/Win 10
Laz 3.1  fpc 3.2.2 Ubuntu 20.04

VTwin

  • Hero Member
  • *****
  • Posts: 1215
  • Former Turbo Pascal 3 user
Re: Important date for Notarization: 3 Feb 2020
« Reply #6 on: March 11, 2020, 02:00:58 am »
Many thanks.

I write free scientific software. This makes me want to stop supporting Mac, unfortunately not a realistic option. I suppose I will dip into my own pocket and try to figure out code signing.

On the other hand my users are now used to Gatekeeper workarounds, and my software has a good reputation in the scientific community. I'll wait and see for now.
« Last Edit: March 11, 2020, 02:14:25 am by VTwin »
“Talk is cheap. Show me the code.” -Linus Torvalds

Free Pascal Compiler 3.2.2
macOS 12.1: Lazarus 2.2.6 (64 bit Cocoa M1)
Ubuntu 18.04.3: Lazarus 2.2.6 (64 bit on VBox)
Windows 7 Pro SP1: Lazarus 2.2.6 (64 bit on VBox)

440bx

  • Hero Member
  • *****
  • Posts: 4064
Re: Important date for Notarization: 3 Feb 2020
« Reply #7 on: March 11, 2020, 02:10:29 am »
> Is it still possible to distribute an app without Code Sign and Notarization?
> I cannot afford to pay $100 per year to distribute a shareware that sells for $20!

That makes me think about the concept in Economics of "barriers to entry", many being artificial simply to keep competition away.  Got to love Apple's "concern" for its users by forcing talented programmers to _pay_ for the "privilege" of "competing" with corporation supported mediocre ones. 

You have talent ?... no problem, we're going to make you pay for it.   What a world. <chuckle>
(FPC v3.0.4 and Lazarus 1.8.2) or (FPC v3.2.2 and Lazarus v3.2) on Windows 7 SP1 64bit.

VTwin

  • Hero Member
  • *****
  • Posts: 1215
  • Former Turbo Pascal 3 user
Re: Important date for Notarization: 3 Feb 2020
« Reply #8 on: March 11, 2020, 02:28:50 am »
Back in the day Apple relied on hackers to write cutting edge software. It is a different world.
“Talk is cheap. Show me the code.” -Linus Torvalds

Free Pascal Compiler 3.2.2
macOS 12.1: Lazarus 2.2.6 (64 bit Cocoa M1)
Ubuntu 18.04.3: Lazarus 2.2.6 (64 bit on VBox)
Windows 7 Pro SP1: Lazarus 2.2.6 (64 bit on VBox)

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2023
  • Former Delphi 1-7, 10.2 user
Re: Important date for Notarization: 3 Feb 2020
« Reply #9 on: March 11, 2020, 03:52:54 am »
> I suppose I will dip into my own pocket and try to figure out code signing.

The figuring out at least has already been done (and recently updated to be current):

* Code Signing for macOS
* Notarization for macOS 10.14.5+.

VTwin

  • Hero Member
  • *****
  • Posts: 1215
  • Former Turbo Pascal 3 user
Re: Important date for Notarization: 3 Feb 2020
« Reply #10 on: March 11, 2020, 02:29:07 pm »
> The figuring out at least has already been done (and recently updated to be current):
>
> * Code Signing for macOS
> * Notarization for macOS 10.14.5+.

Thanks for your work on this.
“Talk is cheap. Show me the code.” -Linus Torvalds

Free Pascal Compiler 3.2.2
macOS 12.1: Lazarus 2.2.6 (64 bit Cocoa M1)
Ubuntu 18.04.3: Lazarus 2.2.6 (64 bit on VBox)
Windows 7 Pro SP1: Lazarus 2.2.6 (64 bit on VBox)

ASBzone

  • Hero Member
  • *****
  • Posts: 678
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: Important date for Notarization: 3 Feb 2020
« Reply #11 on: March 11, 2020, 05:02:03 pm »
> Is it still possible to distribute an app without Code Sign and Notarization?
> I cannot afford to pay $100 per year to distribute a shareware that sells for $20!

If you search a bit, you can find options that bring that price down to ~US$50 or US$60 per year.

https://aboutssl.org/cheap-code-signing-certificate-providers/   (one such search)

I do see everyone's concerns about the costs here, but there is a potential security implication for unsigned software.   And not just on the Mac, but on Windows also.

That's why I opted to go the code signing route for my scripting utilities, even though they are FREE.   It's one less concern that users and enterprises have, and one less chance to be mistakenly quarantined by antimalware apps.

But I make the money back in technology consulting, and this won't be true for everyone, so I do understand the concerns...
-ASB: https://www.BrainWaveCC.com/

Lazarus v2.2.7-ada7a90186 / FPC v3.2.3-706-gaadb53e72c
(Windows 64-bit install w/Win32 and Linux/Arm cross-compiles via FpcUpDeluxe on both instances)

My Systems: Windows 10/11 Pro x64 (Current)

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2023
  • Former Delphi 1-7, 10.2 user
Re: Important date for Notarization: 3 Feb 2020
« Reply #12 on: March 12, 2020, 12:09:23 am »
> > Is it still possible to distribute an app without Code Sign and Notarization?
> > I cannot afford to pay $100 per year to distribute a shareware that sells for $20!
>
> If you search a bit, you can find options that bring that price down to ~US$50 or US$60 per year.

NO, NO, NO.

Gatekeeper does not accept non-Apple signing certificates. See, for example:

* https://stackoverflow.com/questions/11833481/non-apple-issued-code-signing-certificate-can-it-work-with-mac-os-10-8-gatekeep
* https://stackoverflow.com/questions/33373425/do-third-party-ca-code-signing-certificates-work-on-os-x

Yes, you can code sign using any certificate, but it will not be accepted by Gatekeeper.

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2023
  • Former Delphi 1-7, 10.2 user
Re: Important date for Notarization: 3 Feb 2020
« Reply #13 on: March 12, 2020, 05:43:44 am »
I wrote a brief Wiki article  recently on the various certificates that come with Apple developer membership and the use of each one.

MoCityMM

  • Jr. Member
  • **
  • Posts: 72
Re: Important date for Notarization: 3 Feb 2020
« Reply #14 on: March 12, 2020, 10:55:28 am »
I don't interface with the Mac side of the house (corporate environment) all too much, it's handled by the Jamf team.

I am assuming that an internal CA resolves these potential issue(s) and this is related to 'side loading' an application, i.e. download from an external source?

 
