Notarization of binaries with the Apple Notary Service is a fascinating topic worth exploring, and in this year’s talk at Mac Admins I delved deep into the subject. The current version of macOS requires all kernel extensions not just to be signed by their authors, but to be notarized by the Apple Notary Service. Beginning with macOS 10.15 Catalina, all software will need to be notarized as well.
This is a bit of a change from the past, and it will require software developers not just to submit their software for notarization, but to staple the resulting ticket to their binary. Doing this isn’t terribly complicated, but why does this have to happen? What’s the mechanism for getting something notarized? How can we work around this, if circumstances require it?
This post is designed to be both the repository for the slides from this talk and a collection of useful links and documentation associated with the materials discussed in the talk. I will not be including my presenter’s notes.
Slides & Downloads
Here are the slides associated with the talk.
Apple: Safely open apps on your Mac, a Gatekeeper Guide
Apple: Your Apps and the Future of macOS Security, a WWDC Video from 2018
Apple: Advances in macOS Security, a WWDC Video from 2019
Howard Oakley: Notarization Category on Eclectic Light, a collection of blog posts on notarization
Apple: Gatekeeper and Developer ID, a WWDC transcript from 2012
Rich Trouton: Clearing the quarantine extended attribute, a blog post on xattr and quarantine bits.
Howard Oakley: More about the quarantine extended attribute, a blog post on xattr and quarantine bits.
Mother’s Ruin: Suspicious Package, a tool for reviewing packages and apps
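As an added example (not from the talk or from Apple’s documentation), here is a small shell script an admin can use to see where a given bundle stands on the points above: a valid signature, a stapled ticket, Gatekeeper’s verdict, and the quarantine extended attribute that the two xattr posts discuss. It assumes macOS with the Xcode command line tools installed, and that spctl reports provenance on a `source=` line (`Notarized Developer ID` when a ticket was found).

```shell
# Added example, not code from the talk. Audits a macOS app bundle for
# the four things this post touches: a valid Developer ID signature, a
# stapled notarization ticket, Gatekeeper's verdict, and the quarantine
# extended attribute. Assumes macOS with the Xcode command line tools.

# Classify a `spctl --assess -vv` transcript. The verdict sits on the
# first line ("...: accepted" / "...: rejected") and the provenance on a
# "source=" line; "Notarized Developer ID" means Gatekeeper found a
# ticket, either stapled to the bundle or fetched from Apple.
classify_spctl() {
  case "$1" in
    *": rejected"*)                    echo rejected ;;
    *"source=Notarized Developer ID"*) echo notarized ;;
    *": accepted"*)                    echo accepted-unnotarized ;;
    *)                                 echo unknown ;;
  esac
}

# Report on one bundle. Each check is independent, so a missing ticket
# or a lingering quarantine flag shows up even when the signature is fine.
audit_bundle() {
  bundle=$1
  if codesign --verify --deep --strict "$bundle" 2>/dev/null; then
    sig=valid
  else
    sig=invalid
  fi
  # stapler exits non-zero when no ticket is stapled to the bundle
  if xcrun stapler validate "$bundle" >/dev/null 2>&1; then
    ticket=stapled
  else
    ticket=not-stapled
  fi
  verdict=$(classify_spctl "$(spctl --assess --type execute -vv "$bundle" 2>&1)")
  # the quarantine xattr is what makes Gatekeeper assess the bundle at all
  if xattr -p com.apple.quarantine "$bundle" >/dev/null 2>&1; then
    quarantine=present
  else
    quarantine=absent
  fi
  printf '%s: signature=%s ticket=%s gatekeeper=%s quarantine=%s\n' \
    "$bundle" "$sig" "$ticket" "$verdict" "$quarantine"
}

# Usage: sh audit.sh /Applications/Example.app [more bundles...]
for b in "$@"; do
  audit_bundle "$b"
done
```

A `gatekeeper=notarized` result alongside `ticket=not-stapled` means Gatekeeper reached Apple’s servers to look the ticket up; an offline Mac will only see `notarized` when the ticket is stapled, which is why stapling matters.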
My sincerest thanks to #notarization on the Mac Admins Slack, to people like Joel Rennich, Robert Hammen, Rich Trouton, Armin Briegel, Jennifer Unger, Dr. Emily Kausalik-Whittle, Some Little Birdies, and anyone else I inflicted my questions and draft slides on. I also want to thank Apple for their wealth of new documentation tools, and the WWDC video archives.