Thread overview
[Issue 20124] macOS 10.15 requires notarized apps
Aug 12
ponce
August 12
https://issues.dlang.org/show_bug.cgi?id=20124

ponce <aliloko@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aliloko@gmail.com

--- Comment #1 from ponce <aliloko@gmail.com> ---
Created attachment 1759
  --> https://issues.dlang.org/attachment.cgi?id=1759&action=edit
Notarization script

Here is a script app developers share in my domain. I've not used it yet.

>From what I heard, notarization apparently must be applied to a complete
redistributable (such as a ZIP file). It will notarize in a "deep" manner what
it founds.

One of the (few?) advantages is that notarization will warn about errors with
code signing.
Code-signing for macOS is just $99/year and relatively easy.

--
August 13
https://issues.dlang.org/show_bug.cgi?id=20124

Nicholas Wilson <iamthewilsonator@hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |iamthewilsonator@hotmail.co
                   |                            |m

--- Comment #2 from Nicholas Wilson <iamthewilsonator@hotmail.com> ---
I guess this will affect LDC & GDC too.

--
August 13
https://issues.dlang.org/show_bug.cgi?id=20124

--- Comment #3 from Jacob Carlborg <doob@me.com> ---
(In reply to Nicholas Wilson from comment #2)
> I guess this will affect LDC & GDC too.

Not just LDC and GDC. Basically any application out there. RDMD, Dub, digger and so on.

--
August 13
https://issues.dlang.org/show_bug.cgi?id=20124

Iain Buclaw <ibuclaw@gdcproject.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ibuclaw@gdcproject.org

--- Comment #4 from Iain Buclaw <ibuclaw@gdcproject.org> ---
Will this affect OSX ports in any way?

--
August 13
https://issues.dlang.org/show_bug.cgi?id=20124

--- Comment #5 from Nicholas Wilson <iamthewilsonator@hotmail.com> ---
RDMD, Dub, digger et al, are all distributed with DMD. LDC and GDC aren't.

--
August 13
https://issues.dlang.org/show_bug.cgi?id=20124

--- Comment #6 from Jacob Carlborg <doob@me.com> ---
(In reply to Iain Buclaw from comment #4)
> Will this affect OSX ports in any way?

What exactly do you mean with "ports"?

--
August 13
https://issues.dlang.org/show_bug.cgi?id=20124

--- Comment #7 from Iain Buclaw <ibuclaw@gdcproject.org> ---
https://www.macports.org/(In reply to Jacob Carlborg from comment #6)
> (In reply to Iain Buclaw from comment #4)
> > Will this affect OSX ports in any way?
> 
> What exactly do you mean with "ports"?

https://www.macports.org/

--
August 13
https://issues.dlang.org/show_bug.cgi?id=20124

--- Comment #8 from Jacob Carlborg <doob@me.com> ---
I looked into this a bit more. It looks like the OS (in this version at least) only checks applications with the quarantined flag. That's an extended attribute which is set when downloading a file using a browser (tested with Safari and Chrome). When I download the same file using "curl", it's not set. So that's not as bad as I thought it was.

I still think this needs to be done though.

--
6 days ago
https://issues.dlang.org/show_bug.cgi?id=20124

Vladimir Panteleev <dlang-bugzilla@thecybershadow.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dlang-bugzilla@thecybershad
                   |                            |ow.net

--- Comment #9 from Vladimir Panteleev <dlang-bugzilla@thecybershadow.net> ---
(In reply to Jacob Carlborg from comment #0)
> On the latest version of macOS, Catalina (10.15), currently in beta, it's required that all applications are notarized. This includes command line applications and installers.

(In reply to Jacob Carlborg from comment #8)
> I looked into this a bit more. It looks like the OS (in this version at least) only checks applications with the quarantined flag.

I was about to say, that sounded strange, as based on your initial description, it would also apply to executables *produced* by the compiler, making it thus impossible to use any compiler on such a system. Presumably there would be a developer mode that someone could enable to run non-notarized programs, but then, this would also apply to the compiler itself, making it unnecessary to notarize.

We already do code signing for Windows, so if the foundation has the money to spare and the release manager can fit this into their flow, I guess "why not".

> That's an
> extended attribute which is set when downloading a file using a browser
> (tested with Safari and Chrome). When I download the same file using "curl",
> it's not set. So that's not as bad as I thought it was.

BTW, Windows and Free Desktop platforms (Linux/FreeBSD) have this too. On Windows it's in the :Zone.Identifier:$DATA alternate NTFS stream, and on Free Desktop, it's the user.xdg.referrer.url extended attribute.

--