mitchellh (a day ago):

> while that shown in blue is the stapled notarisation ticket (optional)

This is correct, but practically speaking non-notarized apps are pretty terrible to use for a user, enough so that this isn't optional and you're going to pay your $99/yr Apple tax. (This only applies to distributed software; if you are only building and running apps for your own personal use, it's not bad because macOS lets you do that without the scary warnings.)

For users who aren't aware of notarization, your app looks straight up broken. See screenshots in the Apple support site here: https://support.apple.com/en-us/102445

For users who are aware, you used to be able to right click and "run" apps, and nowadays you need to actually go all the way into system settings to allow it: https://developer.apple.com/news/?id=saqachfa

I'm generally a fan of what Apple does for security, but I think notarization specifically for apps outside the App Store has been a net negative for all parties involved. I'd love to hear a refutation to that, because I've tried to find concrete evidence that notarization has helped prevent real issues and haven't been able to yet.

jclay (a day ago):

I thought the macOS notarization process was annoying until we started shipping Windows releases. It’s basically pay to play to get in the good graces of Windows Defender. I think all-in it was over $1k upfront to get the various certs. The cert company has to do a pretty invasive verification process for both you and your company. Then — you are required to use a hardware token to sign the releases. This effectively means we have one team member who can publish a release currently. The cert company can lock your key as well for arbitrary reasons, which prevents you from being able to make a release! Scary if the release you’re putting out is a security patch. I’ll take the macOS ecosystem any day of the week.

dceddia (a day ago):

The situation on Windows got remarkably better and cheaper recently-ish with the addition of Azure code signing. Instead of hundreds or thousands for a cert it’s $10/month, if you meet the requirements (I think the business must have existed for some number of years first, and some other things). If you go this route I highly recommend this article, because navigating through Azure to actually set it up is like getting through a maze. https://melatonin.dev/blog/code-signing-on-windows-with-azur...

lwkl (12 hours ago):

That's not easier and cheaper than before. That's how it's always been, only now you can buy the cert through Azure. For an individual the Apple code signing process is a lot easier and more accessible, since I couldn't buy a code signing certificate for Windows without being registered as a business.

dceddia (10 hours ago):

> That's how it's always been only now you can buy the cert through Azure.

Where can you get an EV cert for $120/year? Last time I checked, all the places were more expensive and then you also had to deal with a hardware token. Lest we talk past each other: it's true that it used to be sufficient to buy a non-EV cert for around the same money, where it didn't require a hardware token, and that was good enough... but they changed the rules in 2023.

jonathanlydall (a day ago):

Thanks for the link. I see it's only available to basically the US, Canada and EU though.

feznyng (10 hours ago):

As you said, you need to have a proper legal entity for about 2 years before this becomes an option. My low-stakes conspiracy theory is that MS is deliberately making this process awful to encourage submission of apps to the Microsoft Store, since you only have to pay a one-time $100 fee there for code-signing. The downside is of course that you can only distribute via the MS store.

Razengan (a day ago):

> it’s $10/month

So $120 a year, but no, it's only Apple with a "tAx".

TimeBearingDown (a day ago):

Millions of Windows power users are accustomed to bypassing SmartScreen. A macOS app distributed without a trusted signature will reach a far smaller audience, even of the proportionately smaller macOS user base, and that's largely due to deliberate design decisions by Apple in recent releases.

deltaknight (a day ago):

The EV cert system is truly terrible on Windows. Worst of all, getting an EV cert isn’t even enough to remove the scary warnings popping up for users! For that you still need to convince Windows Defender that you’re not a bad actor by getting installs on a large number of devices, which of course is a chicken-and-egg problem for software with a small number of users. At least paying your dues to Apple guarantees a smooth user experience.

jonathanlydall (a day ago):

No, this information is wrong (unless it’s changed in the last 7 years). EV code signing certs are instantly trusted by Windows Defender. Source: we tried a non-EV code signing certificate for our product, used by only dozens of users at the time, and it never stopped showing scary warnings. When we got an EV, no more issues. In case it makes a difference, we use DigiCert.

e40 (18 hours ago):

Not true for us. We EV cert sign (the more expensive one) and my CEO (the only one left that uses Windows) had this very problem. Apparently the first time a newly signed binary is run it can take up to 15 minutes for Defender to allow it. First time I saw this, it was really annoying and confusing.

jonathanlydall (16 hours ago):

Interesting. I regularly download our signed installer, often within a minute of it being made available, and have never noticed a delay. Maybe it’s the very first time Windows Defender sees a particular org on a cert. I renewed our cert literally on Friday, tested by making a new build of our installer and could instantly install it fine. You sure there was no other non-default-Windows security software on your boss's machine?

ryandrake (a day ago):

Wow. I haven't written software for Windows in over a decade. I always thought Apple was alone in its invasive treatment of developers on their platform. Windows used to be "just post the exe on your web site, and you're good to go." I guess Microsoft has finally managed to aggressively insert themselves into the distribution process there, too. Sad to see.

jeroenhd (16 hours ago):

> Windows used to be "just post the exe on your web site, and you're good to go."

That's also one of the main reasons why Windows was such a malware-ridden hellspace. Microsoft went the Apple route to security and it worked out. At least Microsoft doesn't require you to dismiss the popup, open the system settings, click the "run anyway" button, and enter a password to run an unsigned executable. Just clicking "more details -> run anyway" still exists on the SmartScreen popup, even if they've hidden it well. Despite Microsoft's best attempts, macOS still beats Windows when it comes to terribleness for running an executable.

ryandrake (9 hours ago):

I just wish these companies could solve the malware problem in a way that doesn't always involve inserting themselves as gatekeepers over what the user runs or doesn't run on the user's computer. I don't want any kind of ongoing relationship with my OS vendor once I buy their product, let alone have them decide for me what I can and cannot run.

etbebl (a day ago):

I get that if you're distributing software to the wider public, you have to make sure these scary alerts don't pop up regardless of platform. But as a savvy user, I think the situation is still better on Windows. As far as I've seen there's still always a (small) link in these popups (I think it's SmartScreen?) to run anyway - no need to dig into settings before even trying to run it.

Archit3ch (an hour ago):

Are you sure? I had not used Windows for years and assumed "Run Anyway" would work. Last month, I tested running an unsigned (self-signed) .MSIX on a different Windows machine. It's a 9-step process to get through the warnings: https://www.advancedinstaller.com/install-test-certificate-f... Perhaps .exe is easier, but I wouldn't subject the wider public (or even power users) to that. So yeah, Azure Trusted Signing or an EV certificate is the way to go on Windows.

jezek2 (a day ago):

I solved it by putting a "How to install.rtf" file alongside the program. Another alternative would be to bundle this app: https://github.com/alienator88/Sentinel It allows you to easily unlock it by drag'n'drop.

tyre (a day ago):

What is the subset of users who are going to investigate and read an rtf file but don’t know how to approve an application via system settings (or google how to do so)?

jezek2 (a day ago):

I would say quite a lot of users, because even the previous simple method of right clicking wasn't that well known, even by power users. A lot of them just selected "allow applications from anyone" in the settings (most likely just temporarily). In one application I also offered an alternative by using a web app in case they were not comfortable with any of the options. Also, it's presented in a .dmg file where you have two icons, the app and the "How to install". I would say that's quite inviting for investigation :)

Klonoar (a day ago):

I have been trying to get people to realize that this is the same or worse for like a year now. It’s unfortunate it’s come to this, but Apple is hardly the worst of the two now.

TobbenTM (a day ago):

You certainly don't need a hardware token; you can store it in any FIPS 140 Level 2+ store. This includes stuff like Azure KeyVault and AWS KMS. Azure Trusted Signing is 100% the best choice, but if for whatever reason you cannot use it, you can still use your own cloud store and hook in the signing tools. I wrote an article on using AWS KMS earlier this year: https://moonbase.sh/articles/signing-windows-binaries-using-... TLDR: Doing this yourself requires a ~$400-500/year EV cert and minuscule cloud costs.

jonathanlydall (a day ago):

Can confirm this; we use Azure KeyVault and are able to have Azure Pipelines use it to sign our release builds. We’re (for the moment) a South African entity, so can’t use Azure Trusted Signing, but DigiCert has no issue with us using Azure KeyVault for our EV code signing certificate. I had ours renewed just this week as it happens. Cost something like USD 840 before tax; don’t have a choice though, and in the grand scheme of things it’s not a huge expense for a company.

rxliuli (21 hours ago):

That's right, there's a similar comparison between the iOS App Store and Android Play Store. Although the annual $99 fee is indeed expensive, the Play Store requires every app to find 12 users for 14 days of internal testing before submission for review, which is utterly incomprehensible, not to mention the constant warnings about inactive accounts potentially being disabled.

jezek2 (a day ago):

In my case, as a developer of a programming language that can compile to all supported platforms from any platform, the signing (and notarization) is simply incompatible with the process. Not only is such signing all about control (the Epic case is a great example of misuse and a reminder that anyone can be blocked by Apple), it is also anti-competitive to other programming languages.

I treat each platform as open only when it allows running unsigned binaries in a reasonable way (or self-signed, though that already has some baggage of needing to maintain the key). When it doesn't, I simply don't support such a platform. Some closed platforms (iOS and Android[1]) can still be supported pretty well using PWAs, because the apps are fullscreen and self-contained, unlike the desktop.

[1] depending on whether Google will provide a reasonable way to run self-signed apps, but the trust that it will remain open in the future is already severely damaged

conradev (a day ago):

The signing is definitely about control, as are all things with Apple, but there are security benefits. It's a pretty standard flow for dev tools to ad-hoc (self) sign binaries on macOS (either shelling out to codesign, or using a cross-platform tool like https://github.com/indygreg/apple-platform-rs). Nix handles that for me, for example. It makes it easy for tools like Santa or Little Snitch to identify binaries, and gives the kernel/userspace a common language to chat process identity. You can configure similar for Linux: https://www.redhat.com/en/blog/how-use-linux-kernels-integri... But Apple's system is centralized. It would be nice if you could add your own root keys! They stay pretty close to standard X.509.

sholladay (a day ago):

I’m only aware of two times that Apple has revoked certificates for apps distributed outside of the App Store. One was for Facebook’s Research App. The other was for Google’s Screenwise Meter. Both apps were basically spyware for young teens. In each case, Apple revoked the enterprise certificate for the company, which caused a lot of internal fallout beyond just the offending app, because internal tools were distributed the same way. Something may have changed, though, because I see Screenwise Meter listed on the App Store for iOS.

https://www.wired.com/story/facebook-research-app-root-certi...

https://www.eff.org/deeplinks/2019/02/google-screenwise-unwi...

lapcat (a day ago):

The article is about macOS apps, but you're talking about iOS apps. Apple revokes macOS Developer ID code signing certificates all the time, mostly for malware, but occasionally for goodware, e.g., Charlie Monroe and HP printer drivers. Also, infamously, Apple revoked the macOS Developer ID cert of Epic Games as punishment for their iOS App Store dispute.

internet2000 (a day ago):

Maybe half of the 3rd party apps I have in my Applications folder right now are not notarized. It’s really not that big of a deal.

jonathanlydall (a day ago):

It’s a friction point for potential customers, so we do it with our Electron-based app. The USD 99 annual fee is almost inconsequential; the painful part was getting a DUNS number (we’re a South African entity) and then getting it to work in a completely automated manner on our build server. Fortunately, once set up it’s been almost no work since.

sneak (a day ago):

It is a big deal. You can no longer just right click apps to run them; you have to take a trip to a subpanel of system settings, after clicking through two different dialogs that are designed to scare you into thinking something is wrong (one mentions malware by name). For normal users this might as well be impossible. Remember, your average user needs a shortcut to /Applications inside the .dmg image, otherwise they won’t know where to drag the app to install it.

mrpippy (a day ago):

The stapled ticket is optional beyond notarization itself. If you notarize but don’t staple the ticket, users may need an internet connection to check the notarization status.

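The notarized-but-not-stapled case described above can be told apart from the stapled one and from unsigned or ad-hoc signed apps on the machine itself. The script below is an added example written for this page, not code from the thread, from Apple, or from any of the commenters: it classifies the text that `spctl --assess --type execute -vv` prints for an app and the exit status of `xcrun stapler validate`, and combines both into a verdict. The sample outputs are constructed approximations of the tools' output (the `source=Notarized Developer ID` / `source=Unnotarized Developer ID` wording is assumed from what spctl prints on recent macOS), and the `check_app` function only does something useful on a Mac where those tools exist.

```shell
#!/usr/bin/env bash
# Added example: classify an app's Gatekeeper status and whether a notarization
# ticket is stapled. Not part of the thread; the sample outputs are constructed.
set -u

# Constructed samples of what `spctl --assess --type execute -vv <app>` prints
# (assumed wording; the real tool writes these lines to stderr).
SAMPLE_NOTARIZED="$(printf '%s\n' \
  '/Applications/Foo.app: accepted' \
  'source=Notarized Developer ID' \
  'origin=Developer ID Application: Example Corp (TEAMID0000)')"
SAMPLE_UNNOTARIZED="$(printf '%s\n' \
  '/Applications/Foo.app: rejected' \
  'source=Unnotarized Developer ID' \
  'origin=Developer ID Application: Example Corp (TEAMID0000)')"
SAMPLE_ADHOC="$(printf '%s\n' \
  '/tmp/foo: rejected' \
  'source=no usable signature')"

# Map spctl's assessment text to one word. Order matters: the specific
# "source=" lines are matched before the generic accepted/rejected verdicts.
classify_spctl_output() {
  case "$1" in
    *"source=Notarized Developer ID"*)   echo notarized ;;
    *"source=Unnotarized Developer ID"*) echo unnotarized ;;
    *": accepted"*)                      echo accepted ;;
    *": rejected"*)                      echo rejected ;;
    *)                                   echo unknown ;;
  esac
}

# Map the exit status of `xcrun stapler validate <app>` to one word.
# 0 means a ticket is stapled, so Gatekeeper can verify the app offline;
# any other status means no ticket, so the first launch may need network
# access to reach Apple's notarization service.
classify_stapler_status() {
  if [ "$1" -eq 0 ]; then echo stapled; else echo not-stapled; fi
}

# Combine both classifications into an operator-facing verdict line.
gatekeeper_verdict() {
  case "$1/$2" in
    notarized/stapled)     echo "OK: notarized, ticket stapled (verifies offline)" ;;
    notarized/not-stapled) echo "WARN: notarized but no stapled ticket (first launch may need network)" ;;
    accepted/*)            echo "OK: accepted by policy but not via Notarized Developer ID" ;;
    unnotarized/*)         echo "FAIL: Developer ID signed but not notarized" ;;
    rejected/*)            echo "FAIL: rejected by Gatekeeper (unsigned, ad-hoc signed, or bad signature)" ;;
    *)                     echo "UNKNOWN: could not parse the assessment output" ;;
  esac
}

# Run the real tools against an app bundle; only meaningful on macOS.
check_app() {
  app="$1"
  out="$(spctl --assess --type execute -vv "$app" 2>&1)" || true
  assess="$(classify_spctl_output "$out")"
  if xcrun stapler validate "$app" >/dev/null 2>&1; then rc=0; else rc=$?; fi
  staple="$(classify_stapler_status "$rc")"
  gatekeeper_verdict "$assess" "$staple"
}

# Usage: ./check_gatekeeper.sh /Applications/Foo.app  (skipped off macOS)
if [ -n "${1:-}" ] && [ "$(uname)" = Darwin ]; then
  check_app "$1"
fi
```

The split into a parser and a verdict function is deliberate: the parsing can be unit-tested anywhere with captured output, while `check_app` is the only part that touches the real tools. For the WARN case, stapling the ticket with `xcrun stapler staple` before shipping is what removes the network dependency the comment above describes.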
saagarjha (16 hours ago):

Apple’s Mac security team in general kind of sucks at their job. They are ineffectual at stopping real issues and make the flow for most users more annoying for little benefit.

sneak (a day ago):

The problem is not that it’s $99/year. The problem is that it requires strong ID, and if you are doing it as a company (i.e. if you don’t want Apple to publicize your ID name to everyone who uses your app) then you have to go through an invasive company verification process that you can fail for opaque reasons unrelated to fraud or anything bad. The system sucks. I’d love to be able to sign my legitimate apps with my legitimate company, but I don’t wish to put the name on my passport onto the screens of millions of people, and my company (around and operating for 20-ish years now) doesn’t pass the Apple verification for some reason. I also can’t use auto-enroll (DEP) MDM for this reason.

tensor (a day ago):

I think the lack of any human to talk to is the worst part of modern tech. Especially for business, where your income may depend on it. It's beyond cruel to prevent people from operating with no explanation of why and no way to find out how to fix it.

lwkl (12 hours ago):

At least you can use your ID. If you want to get a code signing certificate for Microsoft, at least in Switzerland, all the CAs I tried using required me to be incorporated. I'm not sure how it is now, but at least a few years ago I couldn't get a code signing certificate as an individual.

bitwize (17 hours ago):

Well, what can I say except that the 80s, with their little independent app vendors shipping floppy disks in little baggies, are long behind us. Computers are now commonplace enough, with all the attendant dangers, that platform vendors are demanding a bit of accountability if you want to ship for their platforms, and unfortunately accountability means money and paperwork.

The platform vendors are well within their rights to do so. They have a right to protect their reputations, and when malicious or buggy software appears on their platform, their reputation suffers. Half or more of the blue screens on Windows in the late 90s and early 2000s, for instance, were due to buggy third-party drivers, yet Microsoft caught the blame for Windows crashing. It took a new driver model, standards on how drivers are expected to behave, and signed drivers to bring this under control.

The future is signed code with deep identity verification for every instruction that runs on a consumer device, from boot loader through to application code. Maybe web site JavaScript will be granted an exception (if it isn't JIT-compiled). This will be a good thing for most consumers. Until Nintendo cleaned out all the garbage and implemented strict controls on who may publish what on their console, the North American video game market was a ruin. The rest of computing is likely to follow suit, for similar reasons.

Citizen_Lame (15 hours ago):

Congratulations on writing the most servile corporate apologia I've seen all week. This is a masterpiece of Stockholm syndrome.

"Accountability means money and paperwork." Beautiful. Just beautiful. You know what else means money and paperwork? A protection racket. "Nice app you got there, shame if something happened to it before it reached customers. That'll be 30% please." But sure, let's call extortion "accountability" because Tim Apple said so.

Your driver signing example is chef's kiss levels of missing the point. Microsoft said "hey, sign your drivers so we know they're not malware"; they didn't say "only drivers we approve can run, and also we get a cut." You're comparing a bouncer checking IDs to a mafia don enforcing territory. These are not the same thing.

And oh my god, the Nintendo argument. You're seriously holding up Nintendo's lockout chip as consumer protection? The same lockout chip they used to squeeze third-party developers, control game production, and maintain an iron grip on pricing? "Until Nintendo cleaned out the garbage" yeah, they cleaned it out alright, straight into their own pockets. The video game crash was caused by publishers like Atari flooding the market with garbage like E.T., not by independent developers needing more "accountability."

"The future is signed code with deep identity verification for every instruction." Holy hell. You're not describing a security feature, you're describing a prison. You're literally fantasising about a world where every line of code needs corporate permission to execute. That's techno feudalism with RGB lighting.

This isn't about protecting anyone from bugs. It's about trillion-dollar companies convincing people like you that you need their permission to use the computer you bought. And somehow, SOMEHOW, you've decided this is good actually, and the 1980s with its freedom and innovation was the problem.

The fact that you think general-purpose computing is a "danger" that needs to be locked down says everything about how effectively these corporations have trained you to beg for your own chains.

bitwize (3 hours ago):

> "The future is signed code with deep identity verification for every instruction." Holy hell. You're not describing a security feature, you're describing a prison. You're literally fantasising about a world where every line of code needs corporate permission to execute. That's techno feudalism with RGB lighting.

Yeah. It's gonna suck for us but the consumer market will eat it up. An Xbox that runs Excel. It's not a fantasy. What do you think the Windows 11 hardware requirements were all about? It's Microsoft's way of getting people to get rid of their old PCs without the necessary security hardware, so that when Windows 12 comes out the PC will be a fully locked down platform.

Again, consumers ate up the NES. They ate up the iPhone. This happened partially because of, not in spite of, the iron grip the vendor had over the platform, because they came with a guarantee (a golden seal even, in Nintendo's case!) that no bad stuff would slip through. It filtered out a lot of good stuff, too, but the market has shown that's a price it's willing to pay for some measure of assurance that the bad stuff will be stopped at the source. It's a business strategy that works in the broader market, even though it harms techies. Techies are a tiny, tiny minority, and it's time they learned their place in the grand scheme of things.

TheDong (a day ago):

> notarization has been a net negative for all parties involved

Notarization made it significantly harder to cross-compile apps for macOS from Linux, which means people have to buy a lot of macOS hardware to run in CI instead of just using their existing Linux CI to build Mac binaries. You also need to pay $99/year to notarize. As such, I believe it's resulted in profit for Apple, so at least one of the parties involved has had some benefit from this setup.

Frankly I think Apple should keep going: developer licenses should cost $99 + 15% of your app's profit each year, and notarization should be a pro feature that requires a MacBook Pro or a Mac Pro to unlock.