I maintain OS software which is distributed as a Mach-O executable in a zip. It's not packaged as an app. I can codesign this without problems but all references to notarization that I can find are talking about .apps. Does anyone know about notarizing simple executables?
- The documentation talks about it, but it's not really clear to me. Start by reading [Customizing the Notarization Workflow](https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow). It tells you to upload the .zip for notarization, but then goes on to say "While you can notarize a ZIP archive, you can’t staple to it directly [...] Although tickets are created for standalone binaries, it’s not currently possible to staple tickets to them." – TheNextman Sep 05 '19 at 16:49
- So it seems like they want you to upload the .zip, then staple each of the individual items that you added to the zip, then create a new .zip with the stapled items for distribution. But you can't staple an executable; so what happens if that's the only item in the archive? I would start by simply uploading your .zip with `altool`. – TheNextman Sep 05 '19 at 16:52
- Thank you for the link - seems like a catch-22 if it's not possible to staple to executables. – PLK Sep 05 '19 at 17:10
- See this thread: https://twitter.com/mjtsai/status/1140970936922976258. Basically, what I said above seems to be right. Just notarize the .zip and don't worry about stapling anything to your binary. – TheNextman Sep 05 '19 at 19:59
- Hmm. I'm then not sure I even need to notarize? If the zip/tgz is downloaded from, say, Sourceforge and then unzipped/untarred and the Mach-O binary in there is codesigned properly, do I even need to notarize? – PLK Sep 05 '19 at 21:35
- https://forums.developer.apple.com/thread/115542 – TheNextman Sep 09 '19 at 15:41
- @PLK Whether or not you need to notarize is fuzzy. It depends on how the file was obtained, which OS version you're on, and when the developer's Apple ID account dates to. Catalina is going to be stricter than Mojave. Accounts that predate 2019-08 have fewer restrictions. The entire system only applies for files downloaded via quarantine-aware applications. – seph Sep 14 '19 at 23:14
- Downloaded from Sourceforge, and unzipped/untarred, will have the quarantine bit in place. Best way to tell is to try it, and use `spctl` to examine the state. (see my answer below) – seph Sep 16 '19 at 13:14
1 Answer
Yes. You can notarize plain executables. Some caveats...
The upload process does not accept executables; they must be encoded. Zipping them is the easiest way. The notarization is for the underlying executable: you can unzip, re-zip, etc. But the transfer process needs the enclosing zip.
You can't staple to the executable. Gatekeeper can verify against Apple's servers instead of the stapled ticket. (And presumably, the quarantine bit is then removed.)
The `spctl -a -vvv -t install` command will display a bunch of info.

```
$ file go-hello-notarized-APPLEID
go-hello-notarized-APPLEID: Mach-O 64-bit executable x86_64
$ spctl -a -vvv -t install go-hello-notarized-APPLEID
go-hello-notarized-APPLEID: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example, Inc (APPLEID)
```
There's info in https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow but it's hard to tell until you try it all.

seph
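As an added example (my own script, not part of seph's answer or any Apple tooling), here is a small POSIX shell helper that ties the answer together: it zips a bare executable the way the upload step needs it, runs the `spctl -a -vvv -t install` assessment, turns the `accepted`/`source=` lines into a single verdict, and reports whether the `com.apple.quarantine` attribute is still present. It assumes macOS with `spctl`, `xattr` and `ditto` available; the binary path and the sample `rejected` output are placeholders I constructed, and only the output parser is portable enough to run elsewhere.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes macOS with
# spctl(8), xattr(1) and ditto(1); binary paths here are placeholders.

# Zip a standalone executable for upload: the notarization service wants an
# archive, not a bare Mach-O. ditto's --keepParent keeps the file name inside
# the zip so the notarized binary can be unzipped with its original name.
zip_for_upload() {
  bin=$1
  ditto -c -k --keepParent "$bin" "$bin.zip" && printf '%s.zip\n' "$bin"
}

# Read `spctl -a -vvv -t install <file>` output on stdin and print a verdict:
#   notarized       - accepted with source=Notarized Developer ID
#   accepted:<src>  - accepted, but via some other source (e.g. plain Developer ID)
#   rejected        - Gatekeeper would block the file
classify_spctl_output() {
  accepted=no
  src=""
  while IFS= read -r line; do
    case "$line" in
      *": accepted"*) accepted=yes ;;
      *": rejected"*) accepted=no ;;
      source=*)       src=${line#source=} ;;
    esac
  done
  if [ "$accepted" = yes ] && [ "$src" = "Notarized Developer ID" ]; then
    printf 'notarized\n'
  elif [ "$accepted" = yes ]; then
    printf 'accepted:%s\n' "$src"
  else
    printf 'rejected\n'
  fi
}

# Full check of a binary on disk: Gatekeeper verdict plus quarantine state.
# This is what to run on a downloaded-and-unzipped copy to see whether the
# online (ticket-less) notarization check is satisfied.
check_binary() {
  bin=$1
  # spctl prints the verdict on stdout and the source=/origin= lines on
  # stderr, so merge them before parsing.
  spctl -a -vvv -t install "$bin" 2>&1 | classify_spctl_output
  if xattr -p com.apple.quarantine "$bin" >/dev/null 2>&1; then
    printf 'quarantine: set\n'
  else
    printf 'quarantine: not set\n'
  fi
}

# Usage on macOS (placeholder path):
#   zip_for_upload ./go-hello-notarized-APPLEID   # upload the printed zip
#   check_binary   ./go-hello-notarized-APPLEID   # after notarization
```

`classify_spctl_output` keys only on the `accepted`/`rejected` verdict and the `source=` line, so a binary that is merely Developer ID signed (no ticket on Apple's servers) shows up as `accepted:Developer ID` rather than `notarized`, which is the distinction that matters on Catalina and later. A `rejected` verdict or a still-set quarantine attribute after a fresh download is the signal that the upload step did not cover this binary.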
- Can we distribute the verified executable this way? Or will the quarantine bit be re-added when copied to another user's machine? – avee Aug 13 '21 at 04:58
- If it's notarized, it shouldn't matter whether or not it has the quarantine bit. – seph Aug 13 '21 at 17:30
- I understand, the reason I asked is that there's a possibility that the user is running my exe on an "air-gapped" machine. The inability to staple to files is quite an inconvenience in this case. – avee Aug 15 '21 at 03:29
- Ah. This is a bit out of scope for a comment thread. But hey, here we are... I haven't explored this, so you'll want to play with `stapler`. I don't think it can staple to binaries, but maybe you can use a pkg or a dmg or something. The other route is to explore the quarantine bit. If y'all are moving binaries to an air-gapped machine, you can also manually clear the quarantine bit. `xattr` is the tool for that. Whether it's re-applied depends on the particular mechanism for copying it. Apple changes enough stuff, I think you'll just need to test it. – seph Aug 16 '21 at 02:57
- Roger that, it is a bit out of context. I'll try playing around with `stapler` again; I'll probably need to change the delivery file format though. And also thanks for the `xattr` suggestion! – avee Aug 17 '21 at 09:06