beaTunes News

Tuesday, August 6, 2019

New beaTunes Snapshot for Catalina

Good news! Notarization turned out not to be as difficult as previously thought. But it required more internal changes to beaTunes than anticipated. Obviously, that's a good reason to post another snapshot that contains these changes. And because they are not just about packaging, but the bundled Java runtime, the Windows version is affected as well. In essence, I had to move from Java 8 to Java 11. One of the consequences is that using macOS 10.11 or later is now recommended.

Please give this new snapshot a shot (ha! please excuse the pun), if you're on macOS 10.15/Catalina or Windows and feel adventurous.

Currently there are no known issues. But keep in mind that you cannot simply go back to v5.1.x, because the internal database will be changed the first time you run v5.2.x. So, if your database is valuable to you, please keep a backup!

Here are the two links:

Please report feedback in the forum.

Thank you!

Labels: ,

Thursday, August 1, 2019

Notarization and Java Apps

Catalina will be upon us this Fall, which means that iTunes will be no more (R.I.P.). But that's not the only thing that will change. According to Apple:

Mac apps, installer packages, and kernel extensions that are signed with Developer ID must also be notarized by Apple in order to run on macOS Catalina.

This has a number of consequences.

First of all, this may increase security for users. A notarized app may be less able to carry out an attack. And users will be able to distinguish between notarized and unnotarized apps. If I am not mistaken, it might also give Apple a kill switch on any such app, at least when you first try to run it. Because as it turns out, macOS 10.14 and later phone home when first running a notarized app. Additionally, this gives Apple unique data about which software was installed on which IP address at what time. So for the user there are some privacy concerns and maybe some security benefits.

What does it mean for developers?

Frank Reiff recently wrote a lengthy post about all the trouble he faced when trying to notarize an app. It took him 5 days to get it all to work. In the end he concludes:

As a long time Mac developer (since 1994), however, I can’t help thinking though that the security people at Apple would have done better ironing out the bugs and limitations of the sandbox to get it work properly and be less of a nuisance, rather than adding yet another security approach.

If early reports about Catalina are to be believed, it looks like there are so many people working on Mac security that they have to roll out new security features at each release, whether they are a net benefit to users or not. Perhaps, these people could be tasked with making macOS great again instead?

AFAIK, Frank is using XCode and ships native apps. For beaTunes things are a little different, as it uses Java as runtime. So far Oracle (or anybody else I know of) has not shipped a Java runtime that has been compiled against macOS SDK 10.9 or later and the hardened macOS runtime. Additionally, Oracle's Java executables are not signed with suitable signature algorithms (see Bug JDK-8223671 for a detailed list of notarization failures). All these are requirements for notarization. There is no way for me to ship a notarized version of beaTunes before they are addressed and unless I want to roll my own version of Java (I don't!!), I simply have to wait and hope that someone at Oracle will take pity on Mac devs.

Not a pleasant situation to be in.

Update 8/6/2019

It turns out that notarizing a Java app that bundles Java 11 is a bit painful, but absolutely possible.

Labels: , ,