beaTunes News

Thursday, August 1, 2019

Notarization and Java Apps

Catalina will be upon us this Fall, which means that iTunes will be no more (R.I.P.). But that's not the only thing that will change. According to Apple:

Mac apps, installer packages, and kernel extensions that are signed with Developer ID must also be notarized by Apple in order to run on macOS Catalina.

This has a number of consequences.

First of all, this may increase security for users. A notarized app may be less able to carry out an attack. And users will be able to distinguish between notarized and unnotarized apps. If I am not mistaken, it might also give Apple a kill switch on any such app, at least when you first try to run it. Because as it turns out, macOS 10.14 and later phone home when first running a notarized app. Additionally, this gives Apple unique data about which software was installed on which IP address at what time. So for the user there are some privacy concerns and maybe some security benefits.

What does it mean for developers?

Frank Reiff recently wrote a lengthy post about all the trouble he faced when trying to notarize an app. It took him 5 days to get it all to work. In the end he concludes:

As a long time Mac developer (since 1994), however, I can’t help thinking though that the security people at Apple would have done better ironing out the bugs and limitations of the sandbox to get it work properly and be less of a nuisance, rather than adding yet another security approach.

If early reports about Catalina are to be believed, it looks like there are so many people working on Mac security that they have to roll out new security features at each release, whether they are a net benefit to users or not. Perhaps, these people could be tasked with making macOS great again instead?

AFAIK, Frank is using XCode and ships native apps. For beaTunes things are a little different, as it uses Java as runtime. So far Oracle (or anybody else I know of) has not shipped a Java runtime that has been compiled against macOS SDK 10.9 or later and the hardened macOS runtime. Additionally, Oracle's Java executables are not signed with suitable signature algorithms (see Bug JDK-8223671 for a detailed list of notarization failures). All these are requirements for notarization. There is no way for me to ship a notarized version of beaTunes before they are addressed and unless I want to roll my own version of Java (I don't!!), I simply have to wait and hope that someone at Oracle will take pity on Mac devs.

Not a pleasant situation to be in.

Update 8/6/2019

It turns out that notarizing a Java app that bundles Java 11 is a bit painful, but absolutely possible.

Labels: , ,

2 Comments:

Blogger mattsheppard said...

Not sure if it helps, but https://medium.com/adoptopenjdk/bundling-adoptopenjdk-into-a-notarized-macos-application-f4d69404afc suggests they have a notarised jdk11 distribution and suggested they might be progressing a jdk8 one

August 3, 2019 at 4:42:00 AM EST  
Blogger beaTunes said...

Thanks for the hint! I indeed ended up moving to Java 11. See https://blog.beatunes.com/2019/08/new-beatunes-snapshot-for-catalina.html

August 6, 2019 at 5:18:00 AM EST  

Post a Comment

<< Home