Notarization is required on macOS 10.14.5 #161

Closed
2 tasks done
xxyzz opened this issue May 17, 2019 · 14 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@xxyzz

xxyzz commented May 17, 2019

Describe the bug
All software must be notarized in order to run on macOS 10.14.5 according to this document. The latest release (1.34.0) doesn't seem to have been notarized.

Please confirm that this problem is VSCodium-specific

  • This bug doesn't happen if I use Microsoft's Visual Studio Code. It only happens in VSCodium.

Please confirm that the issue/resolution isn't already documented

To Reproduce
Steps to reproduce the behavior:

  1. Download the latest release app (1.34.0).
  2. Open it.

Expected behavior
It can be opened.

Screenshots
image

Desktop (please complete the following information):

  • OS: macOS
  • Architecture: x64
  • Version: 10.14.5

Additional context

@xxyzz xxyzz added the bug Something isn't working label May 17, 2019
@stripedpajamas
Member

Yikes! Thanks for bringing this to my attention! 🙏

Signing the Mac OS release was just implemented in the latest version, but no notarizing is being done right now. I will look into it.

@optikfluffel

It seems, for now, one can context-click the App and then hit "Open" while pressing alt on the keyboard. After doing this once I can now open the app normally.

@stripedpajamas
Member

I spent a little time this evening working on the signing + notarization, but I don't have Mojave to test it. Can someone with Mojave see if this version (an older version, 1.33.0) opens up, can edit files, and can install extensions? https://github.com/stripedpajamas/vscodium/releases/download/1.33.0/VSCodium-notarized.zip

If not, we might need to add some entitlements to the signing process.

@stripedpajamas
Member

Oh I forgot to staple the notarization result to the app. It should still pass tests, but I will staple and reupload tomorrow.

@optikfluffel

optikfluffel commented May 17, 2019

I tried and it doesn't seem to fully work yet.

Screenshot 2019-05-17 at 09 13 09

After clicking "Open" the app doesn't start.

Console output:

error	09:13:28.323606 +0200	contextstored	Death of untracked active application: <private>
error	09:13:28.739169 +0200	deleted		unable to create CacheDeleteDaemonVolume for <private>
error	09:13:29.063889 +0200	storagekitd	<private>

@stripedpajamas
Member

Ok that's a start -- the app is showing as notarized but doesn't work yet 😄

I will try to figure out which entitlements to add and reupload.

@stripedpajamas
Member

Just confirming what was stated by the OP -- Visual Studio Code does not have this problem, right?

@stripedpajamas stripedpajamas added enhancement New feature or request help wanted Extra attention is needed and removed bug Something isn't working labels May 17, 2019
@xxyzz
Author

xxyzz commented May 18, 2019

Visual Studio Code works well.

@stripedpajamas
Member

@xxyzz can you confirm what version of VSCodium this is? It looks like you installed it from Brew, I'm wondering if you got 1.34.0 or 1.33.1

@xxyzz
Author

xxyzz commented May 22, 2019

It's 1.34.0. After updating from brew, I got the "can't be opened" alert.

@florianfranconi

Same error here on the latest version 1.34.0. I'm on Mojave and I'm installing via Homebrew.

@stripedpajamas
Member

This might be something we can't fix at this time. Here's what I've found in researching this (correct me if any of this is off base):

  • Notarization requires enabling the "hardened runtime" during code signing
    • Hardened runtime locks down the app from accessing resources unless they are explicitly granted via entitlements, also provided at code signing
    • Getting electron apps to work within hardened runtime seems to be an ongoing struggle (1, 2)
  • Microsoft is not currently notarizing Visual Studio Code as far as I can tell
    • See the below screenshot when opening Visual Studio Code
      image
    • When an App is notarized, the yellow triangle is not there, and the text reads "Apple checked it for malicious software and none was detected." (see here)
  • So why does our unnotarized app fail to open while Microsoft's unnotarized app opens just fine?
    • I believe it's because the Developer ID used to sign the app is new and VSCodium is the first app it's been used on:

    Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.

    • Since MS is not a "developer new to distributing with Developer ID", I believe their app does not have to be notarized at this time

Without using VSCode's entitlements as a reference (there are none), guessing at entitlements until VSCodium launches sounds risky to me. It opens us up to a lot of potential bugs that are VSCodium-specific and we actually have no idea if VSCode can even be run in hardened runtime mode at all.

Given that the app still can be run (albeit with a very cumbersome first time action), I think we should update the README to include Mojave 10.14.5 instructions and then wait until MS grapples with this themselves (when Apple enforces all apps to be notarized).

Closing this issue for now, comments/feedback welcome; I'll reopen if a viable alternative is suggested.
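
The two properties this thread turns on, hardened runtime enabled at signing time and the notarization status Gatekeeper reports, can both be read from `codesign -dv --verbose=4` and `spctl -a -vv` output. The script below is an added example, not part of the thread or of VSCodium's build scripts; the sample outputs, bundle identifier and Developer ID name in it are constructed.

```shell
#!/bin/sh
# Added example: classify captured codesign/spctl output for a macOS app bundle.
# On a Mac, capture real output with (both tools write to stderr):
#   cs=$(codesign -dv --verbose=4 /path/to/App.app 2>&1)
#   gk=$(spctl -a -vv /path/to/App.app 2>&1)

# Constructed sample: signed with a Developer ID, no hardened runtime, not notarized.
CS_SIGNED_ONLY='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.editor
CodeDirectory v=20200 size=1024 flags=0x0(none) hashes=24+5 location=embedded
Authority=Developer ID Application: Example Dev (TEAMID0000)'
GK_SIGNED_ONLY='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Dev (TEAMID0000)'

# Constructed sample: hardened runtime enabled and notarized.
CS_NOTARIZED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.editor
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=24+5 location=embedded
Authority=Developer ID Application: Example Dev (TEAMID0000)'
GK_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Dev (TEAMID0000)'

# True when the CodeDirectory flags include "runtime" (hardened runtime).
has_hardened_runtime() {
  printf '%s\n' "$1" |
    grep -Eq '^CodeDirectory .*flags=0x[0-9a-fA-F]+\([^)]*runtime[^)]*\)'
}

# Print the Gatekeeper "source=" value, empty if spctl printed none.
gatekeeper_source() {
  printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1
}

# Print one summary line for a pair of captured outputs.
classify() {
  if has_hardened_runtime "$1"; then rt=yes; else rt=no; fi
  case "$(gatekeeper_source "$2")" in
    "Notarized Developer ID") nz=yes ;;
    *) nz=no ;;
  esac
  echo "hardened_runtime=$rt notarized=$nz"
}

classify "$CS_SIGNED_ONLY" "$GK_SIGNED_ONLY"
classify "$CS_NOTARIZED" "$GK_NOTARIZED"
```

A `notarized=yes` result says nothing about whether the entitlements granted at signing are enough for the app to launch; `codesign -d --entitlements :- /path/to/App.app` prints what was actually granted.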

@twoodford

Microsoft just merged a fix to enable notarization: microsoft/vscode#74782

@stripedpajamas
Member

Thanks for the heads up @twoodford -- will make a fresh issue so we can implement this as well.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 1, 2022