Apple’s Notarizing

The Gates to Hell: Apple’s Notarizing

At WWDC 2018, Apple introduced a new “security” feature to macOS called Notarizing.

This announcement did concern and puzzle me a lot. Didn’t we already have the super secure and fantastic “codesigning”, which was stuffed down our throats with Mac OS X 10.7? This codesigning was supposed to prevent bad code of unknown origin from being executed on your Mac.

But the introduction of codesigning by Apple was a total fiasco, riddled with bugs, failing developer tools, missing integrations, no documentation at all, and many other issues, and it took Apple four full years to get it to work more often than not.

And yes, that process was called codesigning hell, and for good reasons.

And now Notarizing.

It seems that the hyped codesigning did NOT prevent bad things from happening, and so now Apple forces developers to upload their applications to Apple, so that they can do inexplicable things to the code, and once they think all is fine, they give you a special seal of approval.

If you launch a non-notarized application in macOS 10.15, you get this dangerously worded warning dialog:

thank you, crApple

Honestly, I take full offense at the wording of this. The use of my application name and the word “malware” in a single sentence is suggestive and very offensive by Apple.

In my eyes, the text of that dialog window should read: “macOS does not want to launch this application because it is not notarized. Please contact Apple so that they can fix all the bugs in Xcode and the notarizing process.”

Why? Keep reading!

The Gates of Hell, Part 1

Apple claims you can use their main developer tool Xcode to notarize your macOS application with just a few simple clicks.

Truth is, that does not seem to be the case. For our NeoFinder project, for example, Xcode does not even show the options to notarize the built and archived product. And yes, we filed a bug report about this 16 months ago, and Apple said that somehow Xcode could not really see that NeoFinder was actually really an application, so it probably did not really work. And that was all. No help from Apple at all beyond that point.

What a joke. And yes, that was not helpful, Apple. To this point, they haven’t been able to figure that out, and there is no documentation whatsoever about why this could fail.

Instead of using Xcode, you can use a series of partly documented and super complex command line tools with lots of complicated parameters to get the job done, but frankly, even though I have used Terminal on Unix systems for 30 years now, that was too much for me.

Fortunately, the fantastic people that bring you Script Debugger developed a great user interface to those whacky command line tools, called “SD Notary”.

With that smart tool, I was able to at least start the notarizing process.

And how simple it is, thanks to Apple. 😉

1. First, you log in to https://appleid.apple.com and generate an App-Specific Password. You can find that in the Generate Password section of your account information.

2. Open Apple’s Keychain Access.app in the Utilities folder of your Applications folder. Select the “login” keychain in the left list, and use “New Password Item” in the File menu. Enter the name of your app-specific password as the Keychain Item Name, enter your Apple ID for the Account Name, and enter the actual app-specific password in the Password field.

That was totally simple, right? Just a few simple clicks.

Yes, that was a joke. This process is neither simple nor transparent at all.

Fortunately, the fantastic people of LateNightSoftware wrote a very good tutorial about that, something that Apple should have done in the first place.

sd notary

The Gates of Hell, Part 2

Anyhow, I got SD Notary set up, and pressed “Submit App…”

But wait, what’s that? An error message?

12:32:26.473: Error 105553142767344 signing ‘/Users/*/Library/Developer/Xcode/DerivedData/NeoFinder-dodvyesmmrunrbftbfffzezljcjz/Build/Products/Debug64/NeoFinder – Working/NeoFinder.app/Contents/Frameworks/ZXingObjC.framework/Versions/A’: Developer ID Application: NORBERT DOERNER (XXXYYYZZZ): ambiguous (matches “Developer ID Application: NORBERT DOERNER (XXXYYYZZZ)” and “Developer ID Application: NORBERT DOERNER (XXXYYYZZZ)” in /Users/*/Library/Keychains/login.keychain-db)

What the heck does that even mean? Is that one of the carefully worded and helpful error messages that we developers are supposed to create when something goes wrong? No.

Well, it seems we see TWO Apple bugs here at once.

1. /usr/bin/codesign is unable to run properly if multiple valid “Developer ID Application” certificates from Apple are present in the local keychain.

2. Who put these certificates there? Right, it was Xcode, and no, that bug hasn’t been fixed yet.

Thanks to the ever helpful Stackoverflow, I was actually able to figure that one out. The arcane error message of Apple’s codesign tool was NOT helpful at all.

Both bugs are of course well known to Apple, have been reported multiple times already, and you’ve guessed it, are not being fixed. One more day wasted.
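To see the duplicate certificates behind the “ambiguous” error above, the keychain's signing identities can be grouped by name. The following is an added example, not part of the original post or of SD Notary; it assumes the usual output layout of `security find-identity -v -p codesigning`, and the names, team IDs and hashes in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: report code signing identities that share one name.
# Reads the output of `security find-identity -v -p codesigning` on stdin.
duplicate_identities() {
    awk '
        # Identity lines look like:  1) <40 hex digit SHA-1> "<certificate name>"
        length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ {
            name = $0
            sub(/^[^"]*"/, "", name)    # drop everything up to the opening quote
            sub(/"[^"]*$/, "", name)    # drop the closing quote and what follows
            count[name]++
            hashes[name] = hashes[name] " " $2
        }
        END {
            # Any name seen more than once cannot be selected by name alone.
            for (name in count)
                if (count[name] > 1)
                    printf "%d x \"%s\":%s\n", count[name], name, hashes[name]
        }
    '
}

# Constructed sample output (names, team IDs and hashes are placeholders).
sample_identities() {
    cat <<'EOF'
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: EXAMPLE DEVELOPER (TEAMID1234)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Application: EXAMPLE DEVELOPER (TEAMID1234)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Development: EXAMPLE DEVELOPER (ABCDE12345)"
     3 valid identities found
EOF
}

# On a Mac: security find-identity -v -p codesigning | duplicate_identities
sample_identities | duplicate_identities
```

Each reported line lists the SHA-1 hashes of the clashing certificates; codesign also accepts such a hash as the signing identity, which selects exactly one of them.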

The Gates of Hell, Part 3

Now that the codesigning bugs had been fixed, SD Notary was able to codesign and upload the application to Apple’s Linux notarisation servers.

But another error appeared quickly:

13:03:42.855: Result for /usr/bin/xcrun altool --notarize-app -f /Users/ndoerner2/Library/Developer/Xcode/DerivedData/NeoFinder-dodvyesmmrunrbftbfffzezljcjz/Build/Products/Debug64/NeoFinder – Working/NeoFinder.zip --primary-bundle-id de.wfs-apps.neofinder -u xxxxx -p @keychain:NeoFinder Notarize --output-format xml
Termination status: 24
product-errors
    code: 1048
    message: You must first sign the relevant contracts online. (1048)
    userInfo
        NSLocalizedDescription:
        NSLocalizedFailureReason: You must first sign the relevant contracts online. (1048)
        NSLocalizedRecoverySuggestion: You must first sign the relevant contracts online. (1048)
StandardError: (null)
13:03:42.935: Error 105553142691904 in xcrun altool --notarize-app.



What was that now? Our developer account with Apple was active and working, so this seemed odd. But alas, after logging into itunesconnect, there was indeed the need to agree to some odd changes made to the agreements by Apple.

And as always with Apple’s web services, that option was well hidden in some deep levels of the web site, and there were actually TWO texts used as button links right next to each other, one for setting up account contacts, and the other one to agree to some agreement changes. It was impossible to see that these were two separate buttons, so it took us some time to understand what they actually wanted from us.

It seemed that these changes in the contract were required as soon as the first notarizing request was received by Apple. Apple’s developer forums are full of people that have the same problem, but were unable to resolve it.

With that out of the way, we were hopeful to get the notarizing done soon.

The Gates of Hell, Part 3

But soon is a really flexible term. In the first attempt, it took Apple more than one hour to do the inexplicable things to our code after it was uploaded, and then finally approve and notarize it. Prepare for it to take a lot longer, so this is not a quick thing you can do repeatedly. And prepare to keep the machine doing that running; you do not want to start from scratch when something fails.

But at least we now have a notarized NeoFinder 7.5b1 for testing in macOS 10.15.

The Gates of Hell, Part 4

Unfortunately, that’s not all. The new notarizing process completely breaks plugins and bundles, and it does so by design and on purpose.

It is simply no longer possible to load Plugins or Bundles into any application unnotarized.

With Applications, a user can still choose to launch it anyway (using the Open command in the context menu), but with Bundles or Plugins, that’s simply not possible anymore.

That is a massive problem for all powerful applications that rely on being extensible. NeoFinder already suffers from it for its great AutoTags Engines. [NSBundle load]; silently fails in macOS 10.15 if either the host application or the bundle are not properly notarized and some more undocumented and arcane conditions are not met.

And guess what? YES! Xcode can’t even notarize our bundles, as we see the same bug we had encountered in “The Gates of Hell, Part 1” already. And yes, there is no documentation and no help from Apple about this problem either.

If you use older software with 3rd party plugins, you have a massive problem in macOS 10.15.

The Gates of Hell, Part 5

Apple is very creative in producing even more failures. Today, I was greeted by Xcode with this clear and helpful (no, that was a joke, it is not!) error message:

resource fork, Finder information, or similar detritus not allowed



And of course, the arcane and fragile “codesign” process has again failed miserably. This new error message again has not been documented at all by Apple, and I have no idea what causes this. Obviously, it could be related to any one of the 800 files in the NeoFinder application bundle, but the message does not tell which one of them.

Also, this error does not tell which of the several mentioned situations actually causes this new problem for Apple’s developer tools.

This is the kind of high quality software crap from Apple we have to work with these days. A little research on stackoverflow gave us a hint, and it seems this particular case was a graphic file that contained an xattr, an extended attribute. We had to manually find the offending file on the command line, delete this xattr on the command line, and clean the build folder, or Xcode would not actually pick up the modified file and would keep producing this odd error.

Obviously, as the files in question were copied to the “build folder” by Apple’s Xcode itself, why on earth did they even copy the problematic metadata in the first place, when they can’t handle them in “codesign”? Isn’t anyone at Apple actually taking care of such things, and paying attention?
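The manual search described above can be scripted. This is an added example, not code from the original post; it assumes the macOS `xattr` command line tool (`xattr PATH` prints one attribute name per line, `xattr -cr PATH` clears attributes recursively), and the bundle path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: locate the files that make codesign reject a bundle with
# "resource fork, Finder information, or similar detritus not allowed".
# Assumes the macOS xattr tool: `xattr PATH` prints one attribute name per line.

# Print "path: attr attr ..." for every file or directory that carries any.
files_with_xattrs() {
    find "$1" \( -type f -o -type d \) -print | while IFS= read -r path; do
        attrs=$(xattr "$path" 2>/dev/null | tr '\n' ' ')
        if [ -n "$attrs" ]; then
            printf '%s: %s\n' "$path" "${attrs% }"
        fi
    done
}

# Clear all extended attributes below a bundle, then verify nothing is left.
strip_bundle_xattrs() {
    xattr -cr "$1" || return 1
    remaining=$(files_with_xattrs "$1")
    if [ -n "$remaining" ]; then
        printf 'still carrying extended attributes:\n%s\n' "$remaining" >&2
        return 1
    fi
    return 0
}

# Usage (the path is a placeholder):
#   files_with_xattrs "build/Example.app"
#   strip_bundle_xattrs "build/Example.app"
```

Running the listing against the project's source resources as well shows which original file carries the attribute, so it can be cleaned there before the build folder is cleaned as described above.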

Conclusion

Apple has again done a horrible job with the new notarization process. And let’s not talk about the possible future, in which Apple flatly denies notarization for apps that use certain APIs, or do NOT use things Apple suddenly deems important.

While Apple right now claims this is NOT a review process, I’m very sure they will use it as such at some point.

I’m not sure they fully understand what damage they currently do to the macOS ecosystem by forcing this immature technology on us developers. The developer tools are clearly extremely buggy, not documented properly, and really badly designed, and the whole thing is again a nightmare.

I have posted all the technical details here, so maybe fellow developers find clues to fix their own Apple notarizing hell issues.

Apple’s developer forums are full of developer postings with hundreds and hundreds of notarizing issues.

There is ONE single Apple employee helping out to get the worst issues solved, the aged Quinn “The Eskimo!” From what I see, he is doing that on his own time, and no one else at Apple gives a about this.

At the end of the day, notarizing will not solve the malware problem at all, as Apple is of course technically unable to find and prevent ALL possible bad code.

It is another failed security promise by Apple that gives a false appearance of security, which is not the same as actual security.

And the really bad implementation of notarizing damages the macOS ecosystem massively, undermining the trust of the users in indie developers (think of the offensive wording in the warning dialog), and massively undermining the trust of developers in Apple itself.

Apple urgently needs to take action now.

They have to finally start to fix all these bugs, add a LOT of really good documentation for all the new file and folder cages they’ve added, and stop releasing yearly major macOS updates. They’re clearly not able to handle the software quality issues present in that.

And for you: Do not yet update to macOS 10.15. That macOS version is clearly not ready for daily use. Wait until Apple has released at least macOS 10.15.5 next July, and hopefully all these issues are fixed by then. Like the horribly embarrassing bug in Apple’s Mac App Store, where you can still purchase, download, and install old 32-bit applications. You just can’t run them. Or the massive networking problems when trying to connect to SMB servers or other Macs via File Sharing. That is the kind of low quality software we currently see from Apple.

NeoFinder 7.5 for macOS 10.15

And yes, of course, NeoFinder 7.5 is indeed notarized, and the AutoTags plugins, too. But only with massive help from the wonderful “SD Notary” tool, written by a small 3rd party development team.

How the richest company in the world is unable to come up with acceptable developer tools for this ill-conceived process really eludes me. Maybe they are too busy counting their money. Shame on you, Apple, for this fiasco. When will you start fixing this?

Further macOS 10.15 reading:
https://furbo.org/2019/09/04/icloud-clusterfuck/
https://tyler.io/damaged/
https://mjtsai.com/weblog/2019/10/11/mail-data-loss-in-macos-10-15/
