Skip to content

Instantly share code, notes, and snippets.

@rsms

rsms/macos-notarization-woes.md Secret

Created Mar 30, 2021
Embed
What would you like to do?

Notarization is this centralized service run by Apple and used over the Internet where the crypto signature of an app or bundle is recorded and "notarized" as "safe and approved by Apple." This is a secondary step and level on top of the cryptographically-proven signature.

Cryptographic signature uses regular crypto signature chain: Apple has a root cert, you pay them money, sign a legally binding contract and give them personal information and they give you a derivative (link in a chain) cert signed with their root cert. Now, you can use your cert to sign any number of things which will—for anyone else on an Apple device—be provable as "genuine". I.e. anyone can prove that "this specific file comes from a person who has a liability with Apple so in case it erases my hard drive I have some insurance."

When you sign an executable file you can provide a number of "entitlements" which is really just a list of names that each have meaning. For example "com.apple.security.cs.allow-jit" means "allow this executable to write to executable memory pages".

Now here comes the crux: you can add any entitlements you want during signature. No problem. However, macOS may not give your executable these "entitlements" at runtime! That's where the notarization service comes in — macOS will phone to Apple's servers and ask "hey, tell me which entitlements this app [crypto signature] are allowed".

Some entitlements are only allowed for "special partners" with Apple and not just for anyone. For me with Playbit this means that I can't ship a macOS app that uses macOS's vmnet services, used for providing networking in virtual machines, but if I am VMWare (I'm guessing) I can. Or I guess if I pay Apple a ton of money.

Anyhow, this is pretty much the anti-definition of an open platform and I have an issue with that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment