Apple Requiring Notarization for Non Mac App Store Apps Starting February 2020

Apple this afternoon announced that developers who create Mac apps outside of the Mac App Store will need to submit them for the notarization process starting on February 3, 2020.

Apple temporarily relaxed the notarization requirements for non ‌Mac App Store‌ apps in September after the launch of macOS Catalina, and at the time, said developers would have until January 2020 to get used to the new rules.

The January 2020 deadline has been extended to February 2020, but at that time, developers will need to adhere to Apple's requirements.

Apple suggests that developers upload their software and review the developer log for warnings, as these warnings will become errors starting on February 3. Apple says that all errors will need to be fixed by that date for software to be notarized.

In June, we announced that all Mac software distributed outside the ‌Mac App Store‌ must be notarized by Apple in order to run by default on ‌macOS Catalina‌. In September, we temporarily adjusted the notarization prerequisites to make this transition easier and to protect users on ‌macOS Catalina‌ who continue to use older versions of software. Starting February 3, 2020, all submitted software must meet the original notarization prerequisites.

If you haven't yet done so, upload your software to the notary service and review the developer log for warnings. These warnings will become errors starting February 3 and must be fixed in order to have your software notarized. Software notarized before February 3 will continue to run by default on ‌macOS Catalina‌.

As a reminder, all installer packages must be signed since they may contain executable code. Disk images do not need to be signed, although signing them can help your users verify their contents.

Apple has been requiring new software distributed with a Developer ID outside of the ‌‌Mac App Store‌‌ to be notarized in order to run since macOS Mojave 10.14.5, with the notarization process designed to protect Mac users from malicious and harmful apps.

For the notarization process, Apple provides trusted non ‌‌Mac App Store‌‌ developers with Developer IDs that are required to allow the Gatekeeper function on macOS to install non ‌‌Mac App Store‌‌ apps.

Notarization is not required for apps that are distributed through the ‌‌Mac App Store‌‌. More information on notarization can be found on Apple's developer site.

Top Rated Comments

(View all)

zorinlynx

5 weeks ago

Before people start to panic, remember this only affects being able to double-click an app to open it by default. You can still go out of your way to run a non-notarized app by right-clicking and clicking open. That then whitelists the app to run in the future normally.

This is more about stopping users from accidentally executing malicious code than a strongarmed attempt to lock down the platform.

Remember that MacOS is a development operating system; they can't lock it down like iOS without crippling the ability to develop software on it.

Rating: 50 Votes

konqerror

5 weeks ago

Apple this afternoon announced ('https://developer.apple.com/news/?id=12232019a') that developers who create Mac apps outside of the Mac App Store will need to submit them for the notarization process starting on February 3, 2020.

This statement is wrong and is getting everybody upset. A critical part of Apple's statement was deleted:

In June, we announced that all Mac software distributed outside the Mac App Store must be notarized by Apple in order to run by default on macOS Catalina.

Very simply put, signed apps must now be notarized. Unsigned apps are unchanged.

Rating: 15 Votes

Bustycat

5 weeks ago

Dual Boot (Mojave + Catalina) systems will soon become the norm !

Every Mac User I know has either already implemented it, OR working towards it.

NOBODY I know, including me, trusts Apple to do the right thing !

Your circle is really special.

Rating: 11 Votes

KALLT

5 weeks ago

Isn't this slightly different with a higher bar of verification? All apps must be signed to run, notarized or not?

No. Users can still override Gatekeeper on a case-by-case basis or disable it altogether. The verification is also still contingent upon File Quarantine, which means that it will not apply to software that is downloaded via software that does not quarantine files (such as curl). Software that is not signed thus continues to work under the same limitations as before.

Does this mean we have to submit our proprietary source code to Apple now?

Apple does not even get to see the source code when an app is submitted for publication on the App Store. For notarisation, a compiled product is sent to Apple for verification. They do some static analysis on the object code to check it for known malware signatures and confirm that it was properly code-signed. It is an automated process as far as I know.

Rating: 6 Votes

dukebound85

5 weeks ago

i'll call that bluff

Rating: 4 Votes

zorinlynx

5 weeks ago

That's exactly the behavior hackers are targeting:

[URL unfurl="true"]https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c[/URL]

You can only protect users so much.

I mean, if someone deliberately opens the gun safe using their combination, loads a round into the shotgun, aims it at their foot, and pulls the trigger, you can't blame the maker of the safe for being "insecure".

Rating: 4 Votes

ignatius345

5 weeks ago

Hey MacRumors editors: this above should have been front and center in your article. Unless you’re just trying to stir the pot and get people all agitated in your forums ?

Rating: 4 Votes

konqerror

5 weeks ago

Isn't this slightly different with a higher bar of verification? All apps must be signed to run, notarized or not?

Nope. The only thing that was ever changed with unsigned apps was in Sierra, where you have to right-click on them to open.

Does this mean we have to submit our proprietary source code to Apple now?

Nope. You have to submit the final binary. Compare this to Windows which will send the binary to Microsoft the first time it's run anyway (automatic sample submission/cloud-delivered protection), or users which will upload it to VirusTotal.

Rating: 4 Votes