
MacOS Notarization

Open tilmanginzel opened this issue 5 years ago • 10 comments

Hi @julienXX,

first of all thanks for this neat tool. :)

Since MacOS Catalina (currently in beta), all applications have to be notarized by default. Otherwise, Gatekeeper won't allow to open the app. See:

  • https://developer.apple.com/news/?id=06032019i
  • https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
  • https://eclecticlight.co/2019/06/07/notarization-in-mojave-and-catalina/

Do you have a developer ID certificate? If yes, would it be possible for you to notarize the app, so it will run without any issues in future MacOS versions?

Thanks in advance!

Cheers Tilman

Reference: https://github.com/tilmanginzel/alfred-bluetooth-workflow/issues/9#issuecomment-517848591

tilmanginzel avatar Aug 03 '19 19:08 tilmanginzel

Thanks! I don't and I'm not really sure I want to pay for this honestly :(

julienXX avatar Aug 03 '19 19:08 julienXX

That's totally understandable. As many applications will face the same issue, I just hope that there will be a user-friendly workaround so single apps can be whitelisted. Basically the same behavior as in current MacOS versions.

I have not tried Catalina yet and it's still in Beta, so we will see how it will turn out later on. There has to be some workaround without disabling Gatekeeper.

tilmanginzel avatar Aug 03 '19 19:08 tilmanginzel

Yes, since I have only one machine I won't install Catalina before the official release so let's hope for the best :)

julienXX avatar Aug 03 '19 19:08 julienXX

Anyone can notarize terminal-notifier. If you have a regular code-signing certificate, you can send any app in for notarization.

EDIT – solved the problem of terminal-notifier nested in a Platypus app bundle; before code-signing the main bundle, you need to code-sign terminal-notifier first… if you just code-sign the main bundle with the --deep argument, terminal-notifier will in reality not be signed as code but just added into the bundle's code resources, i.e. code-signing needs to be done "inside out".

JayBrown avatar Jun 24 '20 20:06 JayBrown

@JayBrown Do you mind elaborating on the self-notarization process, or pointing to some resources, if I only need to use terminal-notifier as a standalone terminal command? Would it require a (paid?) developer account?

ZhaofengWu avatar Sep 25 '20 18:09 ZhaofengWu

Yes, afaik for notarization you would need a paid developer account. With only a free dev account, you can still codesign, so that it runs without problems on your local machine: for that you can use a free Apple Development certificate (the one with your email address in its X.509 commonName), or just an ad-hoc signature. But for distribution, so that other people can use it, terminal-notifier (the terminal-notifier.app, that is) should probably be bundled/nested, and codesigned + notarized. Otherwise you will definitely have users telling you that it doesn't work.

As it stands now, terminal-notifier will run just fine without any code signature at all. (But that will change on macOS 11 on ARM Macs.)

I think that in the future, terminal-notifier (the universal binary app) should be released in two versions, one with a code-signature and notarization, e.g. the version that is installed via Homebrew, and one without any signature, as a GitHub download-only release, for users who need to change the Info.plist, the icon etc., and who then need to re-codesign it. (Just my 2¢.)

JayBrown avatar Sep 25 '20 18:09 JayBrown
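The two points JayBrown makes above, signing a nested terminal-notifier.app "inside out" before the bundle that contains it, and using either a keychain certificate or an ad-hoc signature, as one script. This is an added example, not code from the terminal-notifier project or from anyone in this thread; `SIGN_IDENTITY`, the function names and the bundle paths are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the terminal-notifier project or from the
# thread's participants. It signs nested bundles "inside out" (deepest first),
# as the thread recommends, instead of relying on --deep, then verifies the
# outer bundle. SIGN_IDENTITY is an assumed environment variable naming a
# certificate in your keychain; "-" requests an ad-hoc signature, which is
# enough for local use but will not pass Gatekeeper on other machines.

# Print the given bundle paths deepest-first: a nested bundle must carry its
# own signature before the bundle that contains it is sealed.
sign_order() {
  printf '%s\n' "$@" | awk -F/ '{ print NF, $0 }' | sort -rn | cut -d' ' -f2-
}

# Sign every listed bundle in that order. --options runtime enables the
# hardened runtime and --timestamp adds a secure timestamp; notarization needs
# both, so the timestamp is skipped only for ad-hoc ("-") signatures.
sign_inside_out() {
  identity=$1; shift
  sign_order "$@" | while IFS= read -r bundle; do
    if [ "$identity" = "-" ]; then
      codesign --force --sign "$identity" --options runtime "$bundle"
    else
      codesign --force --sign "$identity" --options runtime --timestamp "$bundle"
    fi
  done
}

# Verify the outer bundle's seal and ask Gatekeeper whether it would allow
# execution (spctl exits non-zero for an unsigned or non-notarized bundle).
verify_bundle() {
  codesign --verify --deep --strict --verbose=2 "$1" &&
    spctl --assess --type execute --verbose=2 "$1"
}

# Usage (macOS, assumed paths):
#   SIGN_IDENTITY="Developer ID Application: Example" ./sign.sh \
#     Outer.app Outer.app/Contents/Resources/terminal-notifier.app
if [ -n "${SIGN_IDENTITY:-}" ] && [ "$#" -gt 0 ]; then
  sign_inside_out "$SIGN_IDENTITY" "$@"
  verify_bundle "$(sign_order "$@" | tail -n 1)"
fi
```

Because `sign_order` sorts by path depth, listing every nested bundle (helper apps, frameworks, the terminal-notifier.app itself) is enough; the outermost bundle is always signed last, which is what `--deep` alone does not guarantee for nested code.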

Thanks! Although I must be missing something -- you said terminal-notifier will run just fine as-is (in Catalina and I assume in Intel chip Big Sur), why is that? I haven't upgraded to Catalina, but doesn't its notarization requirement precisely forbid applications without signatures from running?

ZhaofengWu avatar Sep 25 '20 18:09 ZhaofengWu

That's right. But if you remove the quarantine extended attribute, it won't be a problem. (And if you install it with Homebrew, you don't even have to remove the quarantine XA, because afaik there isn't one to begin with.) This "dequarantine" workaround is probably also going to be possible in Big Sur on ARM Macs, at least for programs & apps that are not notarized, but it's not a practical solution to tell users to run a Terminal command before they can use software.

JayBrown avatar Sep 25 '20 18:09 JayBrown
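The quarantine attribute discussed above is what decides whether Gatekeeper assesses the bundle at all, so it is worth being able to read it before deciding what to do. The script below is an added example, not code from the terminal-notifier project or from anyone in this thread: it decodes a `com.apple.quarantine` value and reports the signature and Gatekeeper verdict for a bundle instead of stripping the attribute. The function names and the sample attribute value are constructed here.

```shell
#!/bin/sh
# Added example, not code from the terminal-notifier project or from the
# thread's participants. It shows what Gatekeeper will see for a bundle: the
# com.apple.quarantine value (decoded), the signature details, and the
# assessment result. The sample value used in the test is constructed.

# Decode a com.apple.quarantine value. The value is four ';'-separated fields:
# flags (hex), download time (hex seconds since the Unix epoch), the agent
# that downloaded the file, and a UUID identifying the download event.
quarantine_decode() {
  IFS=';' read -r flags ts agent uuid <<EOF
$1
EOF
  [ -n "$ts" ] && ts=$((0x$ts))
  printf 'flags=%s downloaded_at=%s agent=%s uuid=%s\n' \
    "$flags" "${ts:-unknown}" "${agent:-unknown}" "${uuid:-none}"
}

# Report what Gatekeeper will evaluate for a bundle (macOS only).
inspect_app() {
  app=$1
  if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
    echo "quarantine: $(quarantine_decode "$q")"
  else
    echo "quarantine: attribute absent, so Gatekeeper will not assess at launch"
  fi
  # Signing chain and identifier, or "code object is not signed at all"
  codesign --display --verbose=4 "$app" 2>&1 |
    grep -E '^(Identifier|Authority|TeamIdentifier|Signature)=' || true
  # Gatekeeper's verdict; exits non-zero when the bundle would be blocked
  spctl --assess --type execute --verbose=2 "$app"
}

# Usage on macOS (assumed path): ./inspect.sh /Applications/terminal-notifier.app
if [ "$#" -gt 0 ]; then
  inspect_app "$1"
fi
```

An `Authority=` line naming a Developer ID certificate plus an accepted `spctl` verdict means users will not hit the dialog; `Signature=adhoc` or no signature lines at all is the state the thread describes, where only removing the attribute (or installing via Homebrew, which sets none) lets the app launch.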

Thanks :)

ZhaofengWu avatar Sep 25 '20 18:09 ZhaofengWu

Can confirm @JayBrown's assessment. I have signed, packaged inside another Mac app, and notarized terminal-notifier. It works on all versions of macOS as far as I can tell, up to 12.4. I also turned it into a universal binary using lipo so it works on M1 and Intel simultaneously. The app I used to sign and notarize is gon.

A link to the signed app: https://github.com/Notifiarr/notifiarr/tree/eec162e49c75b857d4849487725f12b041714a50/init/macos/Notifiarr.app/Contents/Resources

davidnewhall avatar Jul 15 '22 08:07 davidnewhall