Do Shell Scripts Need to be Signed?

Hi,


After this Feb, do shell scripts which are coded by myself need to be signed for notarization? I have a signed App that regularly and automatically starts shell scripts. So I wrote shell scripts and had the App run them to do my tedious jobs automatically. However, I am not sure this will still work after this Feb due to Notarization. Apple says all programs need to be signed, but does this mean even manual shell scripts need to be signed?


Thanks,


Kaz


Replies

AFAIK, script signing is your choice/based on your requirements, vs. mandated.

Shell scripts are just files. They don't need to be signed. Except in very unusual circumstances, they can't be signed. When running a shell script, the executable is the shell script interpreter, which is signed by Apple. Notarization only applies to files that you are distributing to other people. Code that you write for your own use does not need to be signed or notarized.


Apple has said that a future version of macOS will require signed software by default, but they haven't gone into any detail on this and it is unknown how or if that will apply to developers. Currently, developers build their own code instead of downloading it. This means the quarantine flags are never set, Gatekeeper is never triggered, and their apps are therefore exempt from any signing or notarization.

However, I am not sure this will still work after this Feb due to Notarization.

You seem to have misunderstood the upcoming notarisation change. Please see this thread for clarification.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for the response. If my colleague and I use the same signed app and I send him the script I wrote via email, then would this script need to be signed and notarized? According to your point of view, shell scripts do not need to be signed, so it would still work on my colleague's Mac. Is my understanding correct?

Thank you for the comment. So I understood the notary service is currently running in warning mode and it will run in error mode after Feb 3rd. Currently, the script I wrote is running fine. It will also be fine on my Mac.

You are welcome to your own point of view. But in that case, you are going to have to figure out how to sign shell scripts.

If my colleague and I use the same signed app and I send him the script I wrote via email, then would this script need to be signed and notarized?

There are a lot of interrelated concepts in play here:

  • Code signing can sign shell scripts. However, that signature ends up being stored in an extended attribute. This is quite brittle.

  • Due to the way that notarisation is implemented, it’s not possible to notarise a shell script.

  • Gatekeeper is not invoked when you run a quarantined shell script from the shell within Terminal.

  • Gatekeeper is invoked when you double click a quarantined shell script in the Finder and it opens in Terminal. However, it runs the open-an-executable-document code path, which behaves very differently from the run-an-executable code path.

When you embed a shell script within an app, you should embed it as data, not code. This is a bit odd — it’s reasonable to consider a shell script to be code — but there you go.

However, that advice doesn’t apply to your case. Here the shell script is more like an executable document. Gatekeeper has a mechanism for dealing with those, and if you actually want to tackle this problem then that’s what you should look into.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
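The points in the reply above (a signature on a script lives in extended attributes, so it does not survive a bytes-only transfer such as an e-mail attachment, and the quarantine flag is itself an extended attribute) can be seen directly on a Mac. The following script is an added example, not code from the thread or from Apple. It assumes macOS with codesign(1) and xattr(1) on the path; where those tools are missing (for example on Linux) the macOS-specific steps are skipped. The script name job.sh, the IDENTITY variable with its ad-hoc "-" default, and the bytes_only_copy function used to model an e-mail transfer are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: how a shell script's code signature is carried on macOS.
# Assumes codesign(1) and xattr(1); elsewhere the macOS steps are skipped.
set -eu

# Signing identity. "-" is ad-hoc signing (assumption: no Developer ID in the
# keychain). Override with IDENTITY="Developer ID Application: ..." ./demo.sh
IDENTITY="${IDENTITY:--}"

# Report how a script's signature is carried. A codesign signature on a
# non-Mach-O file is stored in com.apple.cs.* extended attributes, not in
# the file's bytes. Prints one of: no-tooling | unsigned | signed-xattr
signature_state() {
    f="$1"
    if ! command -v codesign >/dev/null 2>&1 || ! command -v xattr >/dev/null 2>&1; then
        echo no-tooling
        return 0
    fi
    if codesign -v "$f" >/dev/null 2>&1 && xattr "$f" | grep -q '^com\.apple\.cs\.'; then
        echo signed-xattr
    else
        echo unsigned
    fi
}

# Model an e-mail attachment or copy-and-paste: only the bytes travel, so
# every extended attribute (signature and quarantine flag alike) is lost.
bytes_only_copy() {
    cat "$1" > "$2"
}

demo() {
    work=$(mktemp -d)
    script="$work/job.sh"
    # Constructed sample script standing in for the poster's "tedious job".
    printf '#!/bin/sh\necho "tedious job done"\n' > "$script"
    chmod +x "$script"

    state=$(signature_state "$script")
    echo "before signing:  $state"
    if [ "$state" = no-tooling ]; then
        echo "codesign/xattr not available; macOS-only steps skipped"
        rm -rf "$work"
        return 0
    fi

    # Sign the script. The result is a set of extended attributes on the file.
    codesign -s "$IDENTITY" "$script"
    echo "after signing:   $(signature_state "$script")"
    echo "xattrs carrying the signature:"
    xattr "$script" | sed 's/^/  /'

    # Transfer the bytes only: the signature does not come along.
    bytes_only_copy "$script" "$work/job-mailed.sh"
    echo "after byte copy: $(signature_state "$work/job-mailed.sh")"

    # The quarantine flag is also an xattr. Gatekeeper consults it on the
    # Finder double-click path, not when the script is run from Terminal.
    xattr -p com.apple.quarantine "$script" 2>/dev/null \
        || echo "no quarantine flag: the file was created locally, never downloaded"
    rm -rf "$work"
}

demo
```

On a Mac the "after signing" line reports signed-xattr and the xattr listing shows the com.apple.cs.* attributes; the bytes-only copy then reports unsigned, which is the brittleness the reply refers to. Anything that moves the file as a stream of bytes, not just e-mail, has the same effect, so a signature on a script is only as durable as the transport's handling of extended attributes.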