
Ask Different (Apple)

Q&A for power users of Apple hardware and software

Latest Questions

1 votes
0 answers
246 views
How to staple Apple notarization tickets (without using 'xcrun stapler')
Recently (as of 2023-11-01) Apple has changed their notarization process. I took the opportunity to drop Apple's own tools for this process (notarytool) and switch to a Python-based solution using their [documented Web API for notarization](https://developer.apple.com/documentation/notaryapi/submitting_software_for_notarization_over_the_web). This works great and has the additional bonus that I can now notarize macOS apps from Linux (in the context of CI, I can provision Linux runners much faster than macOS runners), or from a more lightweight installation of macOS (without Xcode, or even the Xcode Command Line Tools, installed). Since this went so smoothly, I thought about moving more parts of my codesigning process to Linux, and the obvious next step is to find a solution for stapling the notarization tickets into the application, replacing xcrun stapler staple MyApp.app. With the help of -vv and some scraps of [online](https://developer.apple.com/documentation/technotes/tn3126-inside-code-signing-hashes) [documentation](https://lapcatsoftware.com/articles/logging-https.html), it turns out that it is very simple to obtain the notarization ticket if you know the code directory hash (CDhash) of your application. The following will return a JSON object containing (among other things) the base64-encoded notarization ticket, which just has to be decoded and copied into the .app bundle for stapling:
cdhash=8d817db79d5c07d0deb7daf4908405f6a37c34b4
curl -X POST -H "Content-Type: application/json" \
   --data "{ \"records\": { \"recordName\": \"2/2/${cdhash}\" }}" \
   https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup  \
| jq -r ".records | .fields | .signedTicket | .value"
So, the only thing that is still missing for my stapler replacement is a way to obtain the code directory hash for a given application. On macOS (with the Xcode tools installed), I can get this hash with codesign -d -vvv MyApp.app, but this obviously only works if I have the codesign binary at hand. I've found a couple of Python wrappers for stapling tickets, but all of them just call xcrun stapler staple under the hood. This is **not what I want**. So my question is: is there an (easy) way to extract the code directory hash from a macOS application without using macOS-specific tools? A Python solution would be very much preferred. Ideally, such a solution would be cross-platform (so I should be able to use it on macOS as well as on - say - Linux). **NOTE** I've originally asked this question on [StackOverflow](https://stackoverflow.com/questions/77413013) where it was closed as off-topic. If this isn't the correct site either, hopefully somebody can direct me to the real one.
umläute (133 rep)
Nov 7, 2023, 04:20 PM • Last activity: Nov 8, 2023, 07:04 AM
0 votes
1 answers
717 views
Mac OS “sandbox” on Mac OS
I need to test some signing/notarization issues with Gatekeeper and I need a completely “new” and “fresh” system for that so that I can test the app like a completely new user. Is there an easier way for that than virtualizing a Mac on a Mac? I tried just creating a new user on my local machine, but it turns out the users share the certificates, which means I cannot test the issue this way, since the app launches without issues because of the certificates and the previous launching of the app.
supsayan (1 rep)
Nov 16, 2022, 10:52 PM • Last activity: Jan 29, 2023, 11:03 AM
1 votes
0 answers
209 views
Disable notarization checks for SSH sessions
With macOS 10.15 and later, before an executable runs for the first time, macOS will query an Apple server. This can be a significant hindrance with some development tasks: I'm dealing with a test suite that runs 500+ executables, and this security feature slows this down from seconds to minutes. This issue is discussed here along with a solution:
- https://sigpipe.macromates.com/2020/macos-catalina-slow-by-design/
Add Terminal.app to the "Developer Tools" category of the Security & Privacy section of System Preferences. This works fine when using any graphical terminal app. But **how can I disable this notarization check for SSH sessions** when connecting to a macOS machine remotely?
Szabolcs (2709 rep)
Sep 27, 2022, 04:42 PM
1 votes
1 answers
1112 views
The malicious software warning when running an app - whitelist multiple files simultaneously?
I'm on macOS Monterey and am running an application which depends on binaries for Postgres. So when I first start up the program, I get the "can't be opened b/c Apple cannot check it for malicious software..." for the binary file "pg_ctl". So I go into Security & Privacy settings and click the Allow Anyway button and all good, we're past that one. The problem is there are over 50 dependency files that throw this warning. So I have to go through the process of allowing the file, killing the app process, and starting the app again to get the next file that needs to be allowed, for each individual file. This last install I did took 30 mins to get through it all. I now have to go install this on several other Macs. So my question is whether there is a way to "whitelist" all these files at once? Perhaps add all their paths to some plist somewhere? Or maybe use the xattr command shown in the accepted answer of this thread: https://apple.stackexchange.com/questions/366542/install-spotify-cant-be-opened-because-apple-cannot-check-it-for-malicious-so but do so for several files at once?
Stpete111 (193 rep)
May 19, 2022, 03:30 PM • Last activity: May 19, 2022, 06:11 PM
1 votes
1 answers
851 views
Confusion about syntax for notarizing an app using xcrun altool
I'm trying to obtain notarization for an app I developed outside Xcode but instead wrote using Python and PyInstaller and that I wish to share outside the App Store. I have a Developer's license, but am completely new to the notarization process and have been searching all over for assistance. I first stored my Apple credentials using
xcrun altool --store-password-in-keychain-item "AC_PASSWORD" -u "my_email@gmail.com" -p "my_apple-password"
At the developer's website I created a certificate, developerID_application.cer, which I uploaded to my keychain and see listed as Developer ID Application: MyName (TeamID). I then signed the app using
codesign -s "MyName (TeamID)" -v --deep --timestamp --entitlements entitlements.plist -o runtime "dist/My Application.app"
entitlements.plist is included here since the binaries were built using PyInstaller. (I'm following advice given at https://haim.dev/posts/2020-08-08-python-macos-app/.) From what I can tell, the signing works. Now I attempt to notarize via
xcrun altool —notarize-app -f /Users/my_name/Desktop/my_application.zip --primary-bundle-id TeamID -u my_email@gmail.com —password "@keychain:AC_PASSWORD"
The resulting error message states "No command argument was specified". What is the fundamental issue I'm overlooking?
fishbacp (153 rep)
Oct 7, 2021, 01:12 PM • Last activity: Mar 6, 2022, 05:03 PM
2 votes
1 answers
2225 views
macOS Big Sur - unnotarized 3rd party quick look plugin?
After updating to macOS Big Sur 11.0.1, a 3rd party epub quicklook plugin stopped working (screenshot of the error message omitted). I've already forgotten how I installed the plugin (from Homebrew cask or downloaded from the web, but judging from the error message, it was the latter one). If it were an unnotarized GUI app, I'd remove the com.apple.quarantine attribute from the app so that it would work, but I don't know how to do that with a quick look plugin. Is there a way to make the plugin work?
Teddy C (1884 rep)
Dec 12, 2020, 09:55 AM • Last activity: Mar 17, 2021, 10:32 PM
5 votes
2 answers
487 views
Does trustd leak information about users' software usage to Apple and/or third parties?
When discussing a recent outage of Apple's OCSP server, people on various Twitter accounts (in the threads following this tweet) and "fefe's blog" claimed that the way trustd works on macOS would leak information about which software was used when to Apple and potentially to third parties as well. I always thought that trustd only sent hashes upstream and used OCSP stapling to prevent disclosing that sort of information. Is there any reliable information out there about the privacy implications of trustd on macOS?
jstarek (3716 rep)
Nov 14, 2020, 07:04 PM • Last activity: Nov 16, 2020, 04:58 AM
1 votes
2 answers
515 views
Disable gatekeeper notarisation check without disabling SIP
I am running into [this issue](https://sigpipe.macromates.com/2020/macos-catalina-slow-by-design/) where MacOS does security checks on new executables *over the network*. This introduces a significant delay when first running a new executable. It's very annoying when developing code because the executables are almost always new. Is there any way to disable this check *without disabling SIP*?
Timmmm (534 rep)
Oct 12, 2020, 02:53 PM • Last activity: Oct 12, 2020, 03:01 PM
1 votes
1 answers
74 views
What's special about /Applications on macOS Catalina?
I'm building a macOS binary to accompany a Chrome extension using the Chrome Native Messaging API. When the binary (unsigned, unnotarized) is in my Downloads folder, Chrome is not able to launch it. However, when I move the binary to /Applications (per https://stackoverflow.com/a/59710823/12581350), Chrome is able to launch it. I was curious if anyone knows the reason why it's able to run from /Applications but not ~/Downloads?
crimson73 (31 rep)
Sep 10, 2020, 09:41 PM • Last activity: Sep 10, 2020, 11:48 PM
1 votes
1 answers
231 views
Is it possible to list running processes that are not signed or notarized?
This would be interesting in general but also helpful in diagnosing the frequent appearance of MacOS error: -67062 in the Console. Edit: in response to comments, the question is more specifically about trying to find out which processes are running that are NOT signed (or notarized). Finding all running processes is trivial, but finding out their signed status seems to be tricky.
shashin (113 rep)
Jul 28, 2020, 10:44 AM • Last activity: Jul 29, 2020, 04:51 PM
6 votes
2 answers
4766 views
I'm trying to use xcrun altool to get my app notarised, what is the --asc-provider parameter?
I'm trying to notarise my app from Apple using xcrun altool; the documentation shows the following:
xcrun altool --notarize-app --primary-bundle-id "com.example.ote.zip" --username "AC_USERNAME" --password "@keychain:AC_PASSWORD" --asc-provider \ --file OvernightTextEditor_11.6.8.zip
but I couldn't find the parameter to provide to --asc-provider. Can anyone let me know what it is and where to search for that parameter? All other parameters I have found and they are fine. Help me out, I'm new to Mac.
chitharthan (315 rep)
Jul 17, 2020, 07:27 AM • Last activity: Jul 23, 2020, 04:36 AM
4 votes
1 answers
336 views
Cryptographic Integrity and Authentication Validation of Homebrew Installer?
Is there a way to install Homebrew on macOS such that anything downloaded from the Internet is cryptographically validated for integrity and authenticated to the actual publisher? Unfortunately, the method listed on the official brew.sh website to install it on macOS is a horribly insecure curl-piped-to-bash command:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh) "
> **Note that https doesn't provide authentication** since X.509 checks in curl trust a *ton* of certificates (including certs issued by CAs owned by nation states that have a known history of committing cyber attacks, including active content manipulation over https via MITM attacks). Ideally, these cryptographic checks would come in the form of a signed checksum file using gpg. Is there any way to install brew in a way that provides cryptographic validation of the installer's integrity and authenticity?
Michael Altfield (745 rep)
Jun 21, 2020, 01:38 PM • Last activity: Jun 21, 2020, 01:52 PM
3 votes
1 answers
1372 views
Is a paid Apple Developer account required for notarizing macOS apps?
In macOS Catalina Apple has started requiring macOS apps to be notarized, otherwise users will be told "macOS cannot verify this app is free from malware" and prompted to move the app to the trash. The current workaround for this is that users have to right-click on the app and press "Open," which is then followed by another warning about "exposing your computer to malware". To avoid users having to worry about this, is it possible to notarize my app without a paid developer account, so users aren't prompted with the scary "malware" warning?
airsquared (5187 rep)
Apr 16, 2020, 07:47 PM • Last activity: Apr 16, 2020, 09:54 PM
2 votes
0 answers
47 views
Notarize an application without installer
I have an application which is distributed without an installer. Just a .zip is given to the users which contains the .app structure of the application. The application is signed with a valid Developer ID and the .zip has been notarized successfully. When I run the security check with the command spctl -a -vv -t execute the response is "accepted". However this doesn't seem to be a valid check because old versions of the application (without notarization) also obtain the same response. The problem is that when the .zip is downloaded it is flagged with the attribute com.apple.quarantine, and when the user double-clicks on the .app an error message is shown: *The application MyApp.app can't be opened*. The only way to run the application is to manually remove the flag and set the executable permission on the binary.
1. How can I avoid these manual steps without creating a .pkg of the application?
2. Why doesn't Gatekeeper trust the application, which is signed and notarized?
Bemipefe (121 rep)
Mar 12, 2020, 12:05 AM
2 votes
1 answers
420 views
Executing bundled shell command in a hardened runtime application
I have written a Java application which I want to distribute in form of a macOS application bundle. The application needs to execute a command line application which is also part of the bundle. The bundle is correctly signed (verified using the codesign command) and the hardened runtime is enabled. I am able to run the application, but then the application fails to execute the bundled command line application. The code used to execute the command line application:
Runtime.getRuntime().exec("/path/to/app/bundle/Contents/cli/myCommandLineApplication");
The code works fine when I sign the bundle without enabling the hardened runtime. Once I enable the hardened runtime, I get the following exception:
> Cannot run program "myCommandLineApplication": error=0, posix_spawn failed
What am I doing wrong? Is it even possible to spawn child processes from within a hardened runtime application? The Java runtime I am using is AdoptOpenJDK (build 11.0.4+11). The application is not sandboxed. The entitlements I used when signing the bundle were
com.apple.security.cs.allow-jit

com.apple.security.cs.allow-unsigned-executable-memory

com.apple.security.cs.disable-executable-page-protection

com.apple.security.cs.disable-library-validation

com.apple.security.cs.allow-dyld-environment-variables

com.apple.security.automation.apple-events
Oliver Matuschin (81 rep)
Mar 7, 2020, 08:58 PM • Last activity: Mar 8, 2020, 09:15 AM
2 votes
1 answers
185 views
Notarizing App Distributed Out of App Store
I don't have an Apple Developer ID and I have an installer and app, neither signed nor notarized. Apple now blocks the App in Catalina and even the Open option won't work. Rather than [][1] I seek information to authenticate these. What is the process to register and notarize for macOS? **Update:** I'm asking from the developer's perspective .. not as a user.
techno (175 rep)
Feb 11, 2020, 04:56 AM • Last activity: Feb 12, 2020, 12:14 PM
5 votes
3 answers
4926 views
Enabling "Hardened Runtime" from outside of XCode
This question is prompted by the new Notarization requirements that Apple will enforce for Mac apps distributed outside of the Mac App Store targeting Mojave (in the near future). I maintain a suite of self-hosted, Developer ID Application certificate-signed apps, using a custom runtime (Excelsior JET for Mac Java JIT Compiler / Runtime); custom bash scripts are used as part of the apps in the installation process and automate the builds. Therefore, there are no Xcode projects per se involved in this process. After consulting the developer docs, I wasn't able to find a way to activate and customize this "hardened mode" (described here) by using any kind of utilities from Xcode, but from the CLI (instead of the IDE GUI). Is there any way to accomplish this?
elder elder (383 rep)
Apr 22, 2019, 04:57 PM • Last activity: Jan 2, 2020, 02:37 PM
1 votes
1 answers
246 views
What is the exact behavior of Catalina verifying app?
By 'verifying' I mean either
- an explicit popup of 'Verifying'
- or app launch stuck with XProtectService consuming CPU in the background
What I know
- An app on a local drive with the com.apple.quarantine xattr will be verified on the first start, or after something changed in the app. However I found some apps without the xattr will still be verified, especially apps copied from (or directly run on) an external/network drive.
- What is the exact behavior?
- Any way to avoid this (without fully disabling SIP)?
amdyes (1209 rep)
Dec 13, 2019, 03:38 AM • Last activity: Dec 13, 2019, 04:55 AM
5 votes
1 answers
4716 views
How can I install a non-notarized application that is not in the App Store and not from a verified developer?
Is there a possibility to install software that was not "notarized" for macOS Catalina? I have an application that worked on macOS Mojave but cannot be installed anymore on macOS Catalina. I think the developers must "notarize" this software. Checking with spctl -a -vv my.app confirmed that it is **rejected**. 1. What can an end user do about it to install it anyway until this process is finished?
Michael S. (475 rep)
Oct 28, 2019, 09:12 AM • Last activity: Oct 28, 2019, 11:19 AM
3 votes
2 answers
877 views
Is it allowed to be an Apple trusted developer with pure Java
I am developing JavaFX with Spring applications that are shipped with native installers for Windows, Linux and macOS. I am hosting the macOS DMG and pkg installers outside the Mac App Store on my web site. When I download and attempt to install a DMG on my macOS Mojave, the latter refuses to install it because the app is not from a trusted Apple developer. Downloading the same installer from FTP is allowed by the Mac to be installed. My question is: can I have my package installer signed (by registering as an Apple developer) if the application is purely Java and has nothing to do with Apple-specific SDKs?
Branko (31 rep)
Mar 30, 2019, 12:49 PM • Last activity: Jul 19, 2019, 08:57 AM