How do I verify that a macOS pkg is notarized

How do I verify that a macOS installer pkg file has been notarized? Is there a command-line tool to do this?

asked Mar 09 '19 by craig65535



1 Answer

Unfortunately, there's more than one right answer.

The notarization process works by uploading a package, app, or binary to Apple. Apple will then verify it. If the underlying format supports it, you may download that "ticket" and "staple" it. Notable here is that you do not need to staple the ticket for it to be notarized. Gatekeeper will look it up with Apple at runtime.

You can check whether there's a ticket stapled by using the staple command. But you can use spctl to get a broader answer about whether or not Gatekeeper will accept it.

There is an additional wrinkle -- Apple Developer accounts that predate 2019-August are exempt from the notarization requirements. (At least on Mojave.) This can make trying to tell what's going on very confusing.

Some examples on an unsigned, signed, and notarized binary. No staples here.

Using an Apple developer account that is several years old. Notarization not required for a Gatekeeper check:

$ spctl -a -vvv -t install go-hello-unsigned
go-hello-unsigned: rejected
source=no usable signature

$ spctl -a -vvv -t install go-hello-signed-oldapple
go-hello-signed-oldapple: accepted
source=Developer ID
origin=Developer ID Application: Example Inc (oldapple)

$ spctl -a -vvv -t install go-hello-notarized-oldapple
go-hello-notarized-oldapple: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Inc (oldapple)

Using a newer Apple developer account. Subject to the notarization requirements:

$ spctl -a -vvv -t install go-hello-unsigned
go-hello-unsigned: rejected
source=no usable signature

$ spctl -a -vvv -t install go-hello-signed-newapple 
go-hello-signed-newapple: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Kolide, Inc (newapple)

$ spctl -a -vvv -t install go-hello-notarized-newapple
go-hello-notarized-newapple: accepted
source=Notarized Developer ID
origin=Developer ID Application: Kolide, Inc (newapple)

Update

Now that Catalina has been released, this has changed slightly. The age of the signing key affects Mojave. Catalina now requires everything to be notarized.

answered Sep 19 '22 by seph
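The following script is an added example and is not part of the answer above. It turns the two checks the answer describes into a small POSIX sh tool: it classifies the `source=` line that `spctl -a -vvv -t install` prints (the same strings shown in the answer's transcripts), and on macOS it runs `spctl` plus `xcrun stapler validate` against a pkg to report both the Gatekeeper verdict and whether a ticket is stapled. The sample outputs embedded in the script are constructed to match the shape of the answer's transcripts so the classifier can be exercised on a non-macOS machine; `example.pkg` and `TEAMID` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Classifies spctl output
# and, on macOS, runs the real notarization checks against a pkg.

# classify_spctl: read "spctl -a -vvv -t install" output on stdin and print
# one word describing what Gatekeeper concluded. Order matters: the
# "Notarized"/"Unnotarized" lines are tested before the bare "Developer ID" one.
classify_spctl() {
  out=$(cat)
  case "$out" in
    *"source=Notarized Developer ID"*)   echo notarized ;;
    *"source=Unnotarized Developer ID"*) echo signed-unnotarized ;; # rejected on Catalina and later
    *"source=Developer ID"*)             echo signed-legacy ;;      # Mojave-only acceptance via the old-account exemption
    *"source=no usable signature"*)      echo unsigned ;;
    *)                                   echo unknown ;;
  esac
}

# check_pkg: run the real checks on macOS. Returns 0 only when Gatekeeper
# reports the pkg as notarized; also reports whether a ticket is stapled.
check_pkg() {
  pkg=$1
  command -v spctl >/dev/null 2>&1 || { echo "spctl not found; run this on macOS" >&2; return 2; }
  # spctl writes its verbose verdict to stderr, hence 2>&1
  verdict=$(spctl -a -vvv -t install "$pkg" 2>&1 | classify_spctl)
  # A missing xcrun (no Xcode command line tools) is reported as "no" here.
  if xcrun stapler validate "$pkg" >/dev/null 2>&1; then stapled=yes; else stapled=no; fi
  echo "$pkg: $verdict (ticket stapled: $stapled)"
  [ "$verdict" = notarized ]
}

# Constructed sample outputs (same shape as the answer's transcripts) so the
# classifier can be exercised offline. example.pkg and TEAMID are placeholders.
SAMPLE_NOTARIZED='example.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Inc (TEAMID)'
SAMPLE_UNNOTARIZED='example.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Inc (TEAMID)'
SAMPLE_UNSIGNED='example.pkg: rejected
source=no usable signature'

# demo: classify the three samples; with a pkg path as argument, also run
# the live checks (macOS only).
demo() {
  printf '%s\n' "$SAMPLE_NOTARIZED"   | classify_spctl
  printf '%s\n' "$SAMPLE_UNNOTARIZED" | classify_spctl
  printf '%s\n' "$SAMPLE_UNSIGNED"    | classify_spctl
  if [ $# -eq 1 ]; then check_pkg "$1"; fi
}

demo "$@"
```

Run it as `sh check_notarized.sh /path/to/installer.pkg` on macOS; the exit status of `check_pkg` makes it usable as a gate in a release pipeline, and the `signed-legacy` verdict flags the Mojave exemption case the answer warns about, which would otherwise look like a pass.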