MacOS Notarization #271

Open
tilmanginzel opened this issue Aug 3, 2019 · 10 comments
Comments

@tilmanginzel

Hi @julienXX,

first of all thanks for this neat tool. :)

Since MacOS Catalina (currently in beta), all applications have to be notarized by default. Otherwise, Gatekeeper won't allow the app to be opened. See:

Do you have a developer ID certificate? If yes, would it be possible for you to notarize the app, so it will run without any issues in future MacOS versions?

Thanks in advance!

Cheers
Tilman

Reference: tilmanginzel/alfred-bluetooth-workflow#9 (comment)

@julienXX
Owner

julienXX commented Aug 3, 2019

Thanks! I don't and I'm not really sure I want to pay for this honestly :(

@tilmanginzel
Author

That's totally understandable. As many applications will face the same issue, I just hope that there will be a user-friendly workaround so single apps can be whitelisted. Basically the same behavior as in current MacOS versions.

I have not tried Catalina yet and it's still in Beta, so we will see how it will turn out later on. There has to be some workaround without disabling Gatekeeper.

@julienXX
Owner

julienXX commented Aug 3, 2019

Yes, since I have only one machine I won't install Catalina before the official release so let's hope for the best :)

@JayBrown

JayBrown commented Jun 24, 2020

Anyone can notarize terminal-notifier. If you have a regular code-signing certificate, you can send any app in for notarization.

EDIT – solved the problem of terminal-notifier nested in a Platypus app bundle; before code-signing the main bundle, you need to code-sign terminal-notifier first… if you just code-sign the main bundle with the --deep argument, terminal-notifier will in reality not be signed as code but just added into the bundle's code resources, i.e. code-signing needs to be done "inside out".
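
The "inside out" order described in the comment above, as an added shell example that is not part of the thread or of terminal-notifier: `signing_order` lists nested bundles deepest first, and `sign_inside_out` signs each one in that order instead of relying on `--deep`. The function names, the `DRY_RUN` switch and the identity string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sign nested bundles before the bundle
# that contains them, so each nested app gets its own code signature.

# signing_order APP
# Print every bundle directory under APP, deepest first, ending with APP itself.
# find -depth visits a directory's contents before the directory, which gives
# exactly the inside-out order. Only bundle directories are listed; loose
# helper executables would need to be signed separately.
signing_order() {
    find "$1" -depth -type d \
        \( -name '*.app' -o -name '*.framework' -o -name '*.bundle' -o -name '*.xpc' \) \
        -print
}

# sign_inside_out APP IDENTITY
# Sign each bundle in inside-out order. IDENTITY is the certificate name passed
# to codesign (placeholder value in the usage below). With DRY_RUN=1 the
# commands are printed instead of executed, so the order can be reviewed first.
sign_inside_out() {
    app=$1
    identity=$2
    signing_order "$app" | while IFS= read -r bundle; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'codesign --force --timestamp --options runtime --sign "%s" "%s"\n' \
                "$identity" "$bundle"
        else
            # Stop at the first failure: an outer signature over an unsigned
            # inner bundle is the situation the comment above warns about.
            codesign --force --timestamp --options runtime \
                --sign "$identity" "$bundle" || exit 1
        fi
    done
}

# Usage (constructed names):
#   DRY_RUN=1 sign_inside_out "MyWrapper.app" "Developer ID Application: Example (TEAMID)"
#   sign_inside_out "MyWrapper.app" "Developer ID Application: Example (TEAMID)"
#   codesign --verify --strict --verbose=2 "MyWrapper.app"
```

Running it with `DRY_RUN=1` first shows whether the nested `terminal-notifier.app` is listed before the outer bundle.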

@ZhaofengWu

@JayBrown Do you mind elaborating on the self-notarization process, or pointing to some resources, if I only need to use terminal-notifier as a standalone terminal command? Would it require a (paid?) developer account?

@JayBrown

JayBrown commented Sep 25, 2020

Yes, afaik for notarization you would need a paid developer account. With only a free dev account, you can still codesign, so that it runs without problems on your local machine: for that you can use a free Apple Development certificate (the one with your email address in its X.509 commonName), or just an ad-hoc signature. But for distribution, so that other people can use it, terminal-notifier (the terminal-notifier.app, that is) should probably be bundled/nested, and codesigned + notarized. Otherwise you will definitely have users telling you that it doesn't work.

As it stands now, terminal-notifier will run just fine without any code signature at all. (But that will change on macOS 11 on ARM Macs.)

I think that in the future, terminal-notifier (the universal binary app) should be released in two versions, one with a code-signature and notarization, e.g. the version that is installed via Homebrew, and one without any signature, as a GitHub download-only release, for users who need to change the Info.plist, the icon etc., and who then need to re-codesign it. (Just my 2¢.)

@ZhaofengWu

Thanks! Although I must be missing something -- you said terminal-notifier will run just fine as-is (in Catalina and I assume in Intel chip Big Sur), why is that? I haven't upgraded to Catalina, but doesn't its notarization requirement precisely forbid applications without signatures from running?

@JayBrown

That's right. But if you remove the quarantine extended attribute, it won't be a problem. (And if you install it with Homebrew, you don't even have to remove the quarantine XA, because afaik there isn't one to begin with.) This "dequarantine" workaround is probably also going to be possible in Big Sur on ARM Macs, at least for programs & apps that are not notarized, but it's not a practical solution to tell users to run a Terminal command before they can use a software.

@ZhaofengWu

Thanks :)

@davidnewhall

davidnewhall commented Jul 15, 2022

Can confirm @JayBrown's assessment. I have signed, packaged inside another Mac app, and notarized terminal-notifier. It works on all versions of macOS as far as I can tell, up to 12.4. I also turned it into a universal binary using lipo so it works on M1 and Intel simultaneously. The app I used to sign and notarize is gon.

A link to the signed app: https://github.com/Notifiarr/notifiarr/tree/eec162e49c75b857d4849487725f12b041714a50/init/macos/Notifiarr.app/Contents/Resources
