Is macOS notarization possible without spending $99?

I have been asked the above question by a long-time developer, and I don't know the answer. To find out I fired up Xcode (11.0beta6), added my non-developer AppleID to the account preferences, flipped the signing team from my developer account to the new "Gavin Eadie (Personal Team)," hardened the app, archived it and tried to send it for notification with "Developer ID" selected as the distribution method.


My non-dev account was happily given an "Apple Development Certificate" via Xcode (visible in account prefs) but notarizing was refused by:


Team "Gavin Eadie (Personal Team)" is not enrolled in the Apple Developer Program.


Is "enrolled in the Apple Developer Program" the same as "hasn't paid $99 this year"? And how did I get a Apple Development Certificate if I'm not enrolled? The documentation around this feature is astonishly confusing. Is the "Apple Development Certificate" that Xcode got me not a "Developer ID certificate" as referenced in the following Xcode help text?


"In some cases, you may want to distribute an app outside of the Mac App Store. Because the app won’t be distributed by Apple, assure users that you are a trusted developer by signing your app with a Developer ID certificate. Users gain additional assurance if your Developer ID-signed app is also notarized by Apple."


"A notarized app is a macOS app that was uploaded to Apple for processing before it was distributed. When you upload a macOS app to be notarized by Apple, you’ll select Developer ID as the distribution method and it’ll be code signed with a Developer ID Application certificate."

Replies

>Team "Gavin Eadie (Personal Team)" is not enrolled in the Apple Developer Program.

>Is "enrolled in the Apple Developer Program" the same as "hasn't paid $99 this year"?


I assume you meant "Is "-not- enrolled in the Apple Developer Program" the same as "hasn't paid $99 this year"?" Correct, same as.


What is allowed based on account type is here: https://developer.apple.com/support/app-capabilities/


I see no mention of notarization, so...

Is "enrolled in the Apple Developer Program" the same as "hasn't paid $99 this year"?


Yes.


And how did I get a Apple Development Certificate if I'm not enrolled?


Pay $99 and enrol.


Is the "Apple Development Certificate" that Xcode got me not a "Developer ID certificate" as referenced in the following Xcode help text?


No.


Apple has made some provisions so that developers can build and install their own apps, or open-source apps, on their own machines. You can do this for free. But distributing apps to other people is an entirely different question. The world is currently overflowing with scams, malware, and adware. The Notarization process allows Apple to check all Mac software for malicious content before it is ever installed. There is a small fee to access that process.

"Apple has made some provisions so that developers can build and install their own apps, or open-source apps, on their own machines. You can do this for free. But distributing apps to other people is an entirely different question. The world is currently overflowing with scams, malware, and adware. The Notarization process allows Apple to check all Mac software for malicious content before it is ever installed. There is a small fee to access that process."


- it would be very surprising that the notarization process can detect new scams, malware or adware before they are in the wild. It can detect known malware automatically. For instance, does the notarization process automatically fail when a password protected archive stored in the Resources folder of a bundle is detected? Apple would need to allocate human resources to analyze each app that is submitted through notarization.


- Scams, malware and adware are produced for profit. Freeware is not made for profit, obviously.


Who has more money to spend on notarization/distribution? A Freeware developer or a malware, adware, scam author? If someone believes that adding a fee to distribute software is going to prevent the distribution of malware, I'm worried.


My $0.02

There is a very good reason why you cannot get App notarized with free Apple Developer account. When you setup Apple Developer account you can build apps and even run them on another Mac, use certian entitlements (not all though). That's good for developers who wish to become familiar with the platform.

You can even distribute your app, but when another user starts your app, gatekeeper will present a warning that this app is from unidentified developer. You can still go to System Preferences -> Security and allow the app to load, but users generally should never do that, unless they really don't care what happens on their machine. When the app is notarized, macOS displays a prompt "Apple checked this app for malicious content and found no problem with this app" (or some text like that). User can click "Open" to instantly start the app. Now imagine how much malware, spyware and other types of harmful apps are out there and how many people try to exploit users' trust. Gatekeeper prevents apps from unidentified developers to load for very good reason.

If anyone could get app notarized, than bad guys could build an app that doesn't look suspicious, but after a year could start misbehaving. It's something that's very diffcult to catch even for Apple, no one really has enough time to disassemble apps and go instruction by instruction to verify what apps really do. If app causes damage, it may be difficult to get the author to answer for his crime. You can create free developer acount online, easily and with any email address and you can pretty much make up mailing address, you don't have to fill up billing info. This allows anyone to learn software development, even someone who cannot afford pay for development tools, so it's open to anyone, students, kids, people from countries with worse economic conditions. On the other hand bad guy can use fake identity and cause harm. Then it would be impossible to trace him.

When you pay for Apple Developer account, you create a tracable financial transaction. These days it's not easy to open bank account without verification of identity. So if the bad guy distributes app to other people and casues damage to user or to Apple servers, authorities can trace him pretty much anywhere in the world, you can get court order and bank would have to reveal identity of the account holder. Although not all countries would cooperate in such investigations and countries with lower moral standards probably wouldn't even care if one of their citizens managed to sell users' data or managed to make money from ransomwere from people who trusted their apps, but it's definitely getting harder for bad guys to avoid consequences. More and more countries cannot afford to ignore international relationships and law&order.

Another question is if the price for paid Apple Development membership should be $99 or $0.99. But again bad guy could have his/her developer account closed, but for $0.99 he could create 100 paid accounts and cause damage. $99 is low enough if developer really wants to create legitimate app and distribute to users, and at the same time, it is enough to discourage bad guys paying for multiple accounts that could be revoked 1 by 1 in case of misbehavior.

Today's operating systems are more secure and it is partially thanks to app signing and verification of developer's identity.
I remember in the old days I encountered 2 viruses:
  1. In around 1992 Yenkee Doodle virus which copied itself into ever executable on machines running MSDOS. It was easy to cleanup using antivirus, but still anoying.

  2. In 2002 or 2003 there was an interesting virus called MS Blast. I had an official Windows XP SP1 cd and after installation I connected to my internet service provider and bang! a popup with "Your machine will restart in 60s, 59, 58..." showed up. There was nothing you could do and machine rebooted and repeated the process. That happened actually without opening browser or doing anything else. Just a clean OS and connecting to Internet service provider who had their servers infected.

  • 99$ is not a barrier to entry for someone making malicious software. It's a cash grab and a mechanism to assert CONTROL. Comfortable slaves be slaving.

Add a Comment