Apple Gatekeeper notarised distributables


#1

Hi

Apple looks to be furthering gatekeeper protection with additional checks on distributed binaries, we can see some details about it here: https://developer.apple.com/developer-id/ and a little more from Ars here: https://arstechnica.com/features/2018/09/macos-10-14-mojave-the-ars-technica-review/10/#h3

It seems Apple wants to perform some kind of basic review of signed binaries and to then act as a notary on the developer’s signature, vouching for it not containing malware etc, so they can be less dramatic when warning people about the dangers of using programs they’ve downloaded. It’s optional at the moment, but Apple says: “in an upcoming release of macOS, Gatekeeper will require Developer ID signed software to be notarized by Apple.”

Feels a bit like typical Apple nannying/over-reach, but I can see the benefit to consumers and the platform as a whole, so I’ll just go along with this without too much resistance.

I’m wondering if anybody has any experience of this with audio plug-ins, maybe somebody has tried it if they knew about it a while ago, and/or knows what the future implications for audio plug-ins is likely to be when it becomes mandatory.

Thanks
Matt


#2

Feels a bit like making non-app store deployment more of a hassle to me.


#3

Yes, it will be, but that’s the most likely place for people to unwittingly download a security problem into their Mac so Apple wants to tie it down and I think that’s a fair thing to do as long as we’re not overly inconvenienced as devs (which is what I’m trying to establish).


#4

i guess it depends what the process is and how long it takes? my immediate concern is it adding time to beta releases for testers, but from what I can see it’s an automated process rather than requiring human intervention, so that shouldn’t be bad hopefully.


#5

Does anybody have success with notarisation via command line tools (xcrun altool) ? (For distribution outside the App Store)


#6

Yes xcrun altool worked fine here to notarize installer packages. Make sure your binaries inside (vst, au, aax etc.) are all signed otherwise it will be rejected.


#7

Is this an automated process with a fast verified vs rejected response?