Hacker News new | ask | show | jobs
by saagarjha 2242 days ago
> In 2020, distributing requires learning the intricacies of certificates, code signing, provisioning profiles, hardening, notarization, .dmg creation, gatekeeper, and paying a $99 per year fee.

I had to manually create, sign, and notarize a Mac app the other day and it was total madness. It took multiple tabs of Apple documentation (new documentation, I might add, created this year because everyone complained last year about how the process was impenetrable) and back-and-forth with some seasoned Mac devs before I had something that would launch successfully on a fully updated, GateKeepered system.
3 comments
makecheck 2242 days ago
It’s so frustrating that automation and command-line is treated as almost second-class citizenship on macOS.

You know how I log into a remote server securely without ever entering my password? I enter the command "ssh" and the server name. Why the hell isn’t notarization implemented, effectively, as "notarize appname.app" where all the details are resolved securely, just as magically, to your developer keys?

Yet if you upload something to the App Store, you understand Apple’s backwards mindset completely. The whole concept of a 6-step wizard that you have to CLICK through, EVERY time, for EVERY update, confirming stupid little things that should be in a config file, means that Apple has no idea how this stuff really ought to work. And that means that Apple must not use this themselves. They have to have some secret, simple, tolerable process internally which is why they never improve the tools that literally everyone else must put up with.

link
davidvartan 2242 days ago
Shameless plug: I created xcnotary [1] to make command line notarization quite a bit less painful. It will poll the service and block for completion, return a non-zero failure code for CI, and will even audit your app for some common code signing issues prior to uploading it to Apple.

[1] https://github.com/akeru-inc/xcnotary

link
henvic 2241 days ago
That's amazing! Thanks!

Shameless plug of my own: Last month I shared a post sharing a few thoughts on secure software redistribution, notarization, safe updates, and so on: https://henvic.dev/posts/cs-security/

link
mullingitover 2242 days ago
> It’s so frustrating that automation and command-line is treated as almost second-class citizenship on macOS.

Sure, they're horrible, but I look at it as Apple generously creating jobs for engineers. I had a full-time job as a build engineer specializing in navigating the Lovecraftian nightmare of iOS build automation. Sure, they could've made it easy, but instead they chose to help transfer large sums of money from my family-friendly multinational megacorp employer to me. I returned the favor by using some of that money to buy their products.

link
rickdeckard 2242 days ago
This is a hilariously weird response to a valid criticism. "Yeah, internet-outages are horrible. And sure, AT&T could fix that. But instead they chose to help people to disconnect from time to time and focus more on their families, which is overall the biggest contribution a company can make to society and should be rewarded by buying more of their services"

I keep seeing this kind of other-worldly self-defense only related to Apple. Positioning a brand as an element of the users' personal identity is truly an impressive thing...

link
williamdclt 2242 days ago
I think (though not entirely certain) the comment you're responding to was sarcastic

> Positioning a brand as an element of the users' personal identity is truly an impressive thing

Apple definitely did an impressive job at that!

link
pinfisher 2242 days ago
I assumed it was satire.
link
1-more 2242 days ago
A year or so back I wrote a little ffmpeg concatenation helper to make a friend's life easier. It was an OK shell script but it needed a config file to list all of the files that needed concatenation, and I wanted to just make a GUI that would let her add and reorder files to a list, then generate a temp file with the list (ffmpeg required the list to live in a file for some reason) and fire off the ffmpeg command to concatenate them both with and without sound.

This is apparently like a DEFCON 0 type operation to perform on a Mac requiring two guys in white lab coats to turn keys at the same time at opposite ends of the room, because there was no way to even ask for the permission to run the command if I remember right. It ended up being a case where I would be spending a ton of time to get more functionality than the command line script, so I quit. Plus it was one of those one plane ride projects.

link
comex 2242 days ago
Unless you wanted to submit this to the Mac App Store, you could have just turned off sandboxing. With that off, the only permission required would be Catalina’s permission dialogs when any app first accesses various folders (Documents, etc.), and those are automatic without needing any code in the app to request them.
link
1-more 2241 days ago
I thought I could locally, but it crashed on her machine which makes me think I did it wrong. I could have kept at it but I think one debugging session on her computer would have wiped out any time savings she would have realized.
link
tumultco 2242 days ago
Exactly! The primary purpose of the `altool` for notarization is probably to do so in an automated manner, but it will not block while waiting for notarization. So to make this part of automation, nearly every developer needed to add polling loops and parse the response to figure out if it was done! The proper text to wait on also isn't obvious nor documented; if the status says "Package Approved" it may not even be complete yet.

Further, the first version would write status to standard error. Clearly a mistake, Apple did fix this in a future version... which of course broke everyone's automation around it. My polling script now logs the tool's stdout and stderr just in case.

link
saagarjha 2242 days ago
altool actually blocks for some things, like performing the actual upload…
link
tumultco 2242 days ago
Which could sometimes be a ridiculous amount of time itself too!

https://twitter.com/rosyna/status/1194765305987227649

link
jrs95 2242 days ago
Especially given how Mac was at one point ahead of everyone else in terms of automation...
link
saagarjha 2242 days ago
The APIs still exist! They just sometimes don't work…
link
gwbas1c 2242 days ago
> It’s so frustrating that automation and command-line is treated as almost second-class citizenship on macOS.

Try automating signing a windows driver. It's all GUI.

At least the mac code signing tools are command-line.

link
fxtentacle 2242 days ago
No, it's one well documented command line tool called signtool. I've used it quite extensively and it has never failed me in an unexpected way.

I can't report much good about the Apple signing side. In the end we put that into a VM because different xcode versions will produce vastly different signatures for no obvious reason, and the older ones were more widely compatible.

link
markmark 2242 days ago
Isn't signing on windows done with signtool? https://docs.microsoft.com/en-us/windows/win32/seccrypto/sig...
link
kick 2242 days ago
This may be a question you get a lot, and I apologize in advance if it is, but: Why use Mac, if it makes so simple of things difficult?
link
_jal 2242 days ago
App signing has always been inexplicably horrible; other than Cupertino contempt for their developers, I really don't know what would explain it, it certainly doesn't have to be that way.

But things have gotten worse for developers recently with Catalina. I should note that I don't write mac-specific code - I mainly write things that target Linux servers.

The Mac has long been the best unix workstation on the market. It is solid, generally stable (although that's been slipping), and certainly has by far the best window manager. It has nice consumer apps for when you need them and is a solid, if not always up to date, unix. The hardware is generally great.

Then the sandboxing, weird parallel fire permission systems/quarantining, new filesystem conventions/restrictions and so on made it incredibly difficult to treat, well, like a unix workstation.

We'll probably keep using Macs at work out of inertia, and it is a lot easier for me to use other resources there. And my personal Mac laptop is probably good for quite a while yet - I tend to get 7+ years out of them. But this is the end of the road for me and the Mac. I require that my tools do what I tell them, not the other way around.

link
tincholio 2242 days ago
> The Mac has long been the best unix workstation on the market. It is solid, generally stable (although that's been slipping), and certainly has by far the best window manager. It has nice consumer apps for when you need them and is a solid, if not always up to date, unix. The hardware is generally great.

I was on that same line of thinking until some time ago when my old macbook pro died, and I ended up again on Linux, on a thinkpad. I'm currently running Manjaro (plasma + i3), and tbh, the Mac's window manager is awful once you get used to the power of i3. Dev experience (for anything but Mac/iOS apps) is probably better on Linux, too...

If you haven't used Linux in a while (as was my case), I can highly recommend it.

link
schwartzworld 2242 days ago
Yeah, modern plug and play distros like Ubuntu are not the Linux of yesteryear.
link
7thaccount 2242 days ago
I have a System76 fully loaded little NUC. It is a beast, extremely quiet, and was a lot cheaper than a Mac. System76 customer support is really really good. You send an email and you get a response back from a developer pretty quick. I've been pretty satisfied so far. They don't make their own hardware, but they make sure a customized Ubuntu distro (Debian and Fedora are also supported) is silky smooth on all their systems. You pay a little extra, but the process was so painless and still a lot cheaper than Apple, so I'm happy.
link
josteink 2242 days ago
> App signing has always been inexplicably horrible;

Maybe on Mac. On Windows you just run signtool.exe and you're done.

> I require that my tools do what I tell them, not the other way around.

Sounds like you'll be glad once you can ditch that old Mac and get a proper Linux dev-machine ;)

link
tonyedgecombe 2242 days ago
The problem on Windows is getting and/or renewing your authenticode certificate. Dealing with the certificate authority is like spending time in a Gerorge Orwell novel.
link
josteink 2242 days ago
But unlike with Mac, you are free to shop in the market for the least Orwellian CA, because there’s more than just one.
link
linguae 2242 days ago
I've been a Mac user since 2006, and I currently own a 2013 MacBook Air and a 2013 Mac Pro that I both regularly use. For a long time macOS was the marriage of Unix with commercial hardware support (even if tied to a specific manufacturer) and support for major proprietary software products such as Microsoft Office. I also loved the stability and quality of the operating system, not to mention that it looked wonderful.

Unfortunately I've been disappointed with Apple's stewardship of the Mac under Tim Cook. The move toward soldered RAM and SSDs throughout most of their lineup, the increased locking down of macOS (especially with Catalina's enforced notarization), the stagnation of the Mac Pro and then the doubling of price of the entry-level Mac Pro in 2019 from $2,999 to $5,999, and the butterfly keyboard fiasco (although finally completely over as of this week) have pushed me toward a greater appreciation of the Linux/BSD ecosystem, despite its shortcomings. I'm still using my Macs (albeit they're still running Mojave), but my long-term plan is to switch to Linux or FreeBSD, though I might keep a Mac around for Keynote use unless a compelling competitor for Linux emerges. The thought of replacing my MacBook Air with an X-series ThinkPad sounds really enticing, as well as one day replacing my Mac Pro with a Threadripper build.

link
phs318u 2242 days ago
This exactly. I recently resurrected my MacBook Air by replacing a dead SSD (was it coincidence that it died right after the Catalina upgrade? Can SW brick an SSD?). I’m now running UbuntuStudio on there and spending great chunks of my lockdown time re-learning Linux (after a 17 year hiatus) and trying to iron out weird kinks in my config (Bluetooth detects my Logitech K670 keyboard but just won’t pair with the damn thing).

I’ve already determined that when I pick up my next contract, I’ll be buying a Lemur Pro from System76.

Apple, you had me 17 years ago. Now you’re losing me.

link
nsomaru 2242 days ago
The lack of tb3 on the lemur is seriously discouraging me. I’m thinking about building a headless server and just xfowarding.

This way I can run a win10 be for games too

link
flir 2242 days ago
It's the trackpad that keeps dragging me back in... it's a hard habit to break.
link
iainmerrick 2242 days ago
Yeah, you’d think all other manufacturers would just start making trackpads that don’t suck.

(Sarcasm, of course... Although I don’t quite see what makes it so difficult a problem. Unless there are patents involved, maybe?)

link
saagarjha 2242 days ago
I actually get it a lot less than I would expect, so no need for an apology. You may find it interesting that I actually use Linux an increasing amount of my time. However, it's still only a small fraction as of now, so the question is still valid :)

To answer the question of why I use a Mac: mostly because the hardware is good (I'm on a early 2015 MacBook Pro), the software consistent and high-quality (I refuse to run Electron) and the tooling fairly decent (I have UNIX, and MacPorts, and I can compile the rest). And it works extremely well with all my other hardware, which is something that Linux still doesn't really do well. And by this point I have enough macOS experience that while I counter-intuitively probably have more complaints about the OS than most other people, I also generally know how to fix it. While it's often compared to iOS in how annoying and locked-down it is, it's really nowhere close. Out of the box, it might be approaching that point, but macOS holds the trump card of being able to pretty much turn off everything you don't want. Want to debug a system process? Turn off SIP. Want to let your shell script manage your mail messages? Insert it into the TCC database. Apple thinks some operation is something only their code should do? Well they can pound sand, I can turn off AMFI. macOS lets you do this, and as annoying as it is to keep doing all of this it hasn't yet gotten to the point where it's enough of a drag to make me stop using it.

The answer to a slightly more on-topic question: why would I develop for macOS? The answer to that is really "I mostly don't". I have much more iOS development experience (although my most recent job in that area was actually "spotting exactly what part of your app is pretending that it's using native controls", not actual programming). I know enough of AppKit to be useful, but actually write very few apps. Most of the code is just regular old stuff that would work equally well on Linux and I just happened to compile for macOS. The rare exceptions are if I am writing something for myself (in which case I care little about any codesigning stuff) or I am contributing on an open source project (in which case Xcode takes care of this for me). I only hit these notarization/Gatekeeper hurdles recently because this particular thing needed to run on other people's computers and and had to be manually cobbled together for complicated reasons which I cannot describe at the moment.

link
kick 2242 days ago
Thanks for the detailed response!
link
chongli 2242 days ago
The reason to use a Mac is because the hardware and the trackpad are so good! The OS in general is pretty good, with multi-touch gestures and homebrew [1] picking up a lot of the slack. I just bought a new (2020) MacBook Air and it's the best computer I've ever owned (bought my first computer in 1996). The keyboard is fantastic now! No Touch Bar either; only real F-keys and a real escape key.

Yes, the killing of 32-bit apps in Catalina and the code signing issues are very frustrating. It's still worth it though. People are finding ways around it. The biggest annoyance (for me) has been the breakage of 32-bit Wine. I bought a license for Crossover [2] though, so it should hold me over until the upstream Wine has 32-bit-on-64 support working.

[1] https://brew.sh

[2] https://www.codeweavers.com/products

link
firecall 2242 days ago
It's generally a solid OS.

The issues noted are specifically about the process of submitting apps to the macOS app store. A process that for iOS and macOs has been notoriously confusing and problematic with regards to the signing process.

You think you have it sorted... then boom! it wont pass signing validation and you cant submit to the app store.

It's much better than it used to be though. And it's one of those things that you do once, get it working, then forget how you did it and come back to it a year later and it's confusing all over again :-)

The dev tools themselves (XCODE) are actually pretty good.

link
saagarjha 2242 days ago
Submitting to the store is actually not too bad, because Xcode has gotten much better at automating the process. The problem is that the steps it goes through are not very well documented, and it cannot handle some non-standard cases.
link
deergomoo 2242 days ago
For me it's simple: it runs all the software Linux does, but also runs all the software Linux doesn't. I can use those familiar and powerful CLI tools, but I also have real Office and real Photoshop when I need it.

While things have certainly taken a tumble in the last few years with the faulty keyboards and slipping software quality, I am still yet to find a better laptop than a MacBook Pro, when considered as a complete package.

link
iainmerrick 2242 days ago
Using apps is generally great on a Mac.

It’s very nice for command-line development too as it’s a decent Unix under the hood.

Developing Mac apps can even be pleasant! Xcode has its good points and the APIs are mostly very nice.

The hassle of distributing Mac apps is the only big downside. It’s the same on iOS, but there you don’t have a command line and scripting available.

link
ken 2242 days ago
Because there isn't any other operating system that makes all the things I want to do with a computer any simpler. We've got only 3 major desktop operating systems, and they're all overly complex and poorly designed in lots of ways.

Since the late 1990's, I've alternated: I use a Mac for a while until I get fed up with it, and then I use Linux for a while until I get sick of that, and then I go back. (I've used Windows at work, and it's not any better.) I just need enough time to forget how much I hated the other one.

link
andai 2242 days ago
> I just need enough time to forget how much I hated the other one.

This is exactly how it is for me! Except I switch between all three. It's like StarCraft, each has its strengths and weaknesses.

Same way with iOS and Android. iOS is much nicer to use until I run into the inevitable, "Oh, i'm not allowed to do that", so I just carry two phones around...

link
filoleg 2242 days ago
I think it is less about Mac development and more about submitting it to Mac App Store. You can still make an app for Mac without submitting it to the app store, without having to deal with majority of those issues. It's just sometimes there are good reasons for wanting to have it in the app store.

No personal experience with either, but I would wager that you would encounter somewhat similar roadblocks if you try submitting things to Chrome App Store or Microsoft Store.

link
grishka 2242 days ago
> You can still make an app for Mac without submitting it to the app store, without having to deal with majority of those issues.

Not any more. Apple is so much of a control freak lately that non-app-store apps on Catalina are still required to go through them for "notarization" to be allowed to run on an unmodified OS — and yes that requires the $99 account. For me personally, that's the reason I'm staying on Mojave. That and 32-bit apps.

link
tumultco 2242 days ago
Yes, it is really just a different set of tradeoffs now.

It isn't just notarization, it is also that notarization requires app hardening which has very strict rules. Shipping an app with 3rd party binaries that supports older versions of macOS is especially tricky to get right.

Also using direct distribution you have to deal more with Gatekeeper.

One particularly fun issue is that if you distribute your app as a zip and a user downloads (to their standard ~/Downloads/ folder) and runs it, then Gatekeeper will use path randomization (aka app translocation), which effectively makes the app look like it is on a read-only volume. Older versions of the sparkle update framework would not show update prompts if on a read-only volume (as what's the point?), and therefore if a user continued to run an app from their downloads folder they would never get updates!

Apple made this change without informing any developers that their users could be left behind for a while. I imagine this security feature prevented users from getting many security fixes.

The way to disable the app translocation is to have a user manually drag the app to their Applications folder, which is why so much software is distributed in DMGs now with the Applications folder symlink.

link
grishka 2242 days ago
TIL. I thought this was just so that all apps are in one place for ease of access. When I first tried OS X in the form of hackintosh around 2009, most apps were already distributed in dmgs with "drag to install" so I just thought it's a very neat, Apple-ish way (ugh Windows install wizards) and assumed it's always been like that. Older PPC Macs were basically never really a thing where I'm from.

Now I remember seeing these weird long paths pointing to weird places with the word translocation in them — never really dug into the why. I've also seen apps ask to move themselves to /Applications when launched from ~/Downloads.

Anyway, with all these Gatekeeper changes, it's almost as if Apple doesn't want non-app-store apps at all.

link
realusername 2242 days ago
> Anyway, with all these Gatekeeper changes, it's almost as if Apple doesn't want non-app-store apps at all.

Of course that's their idea, The Mac Store has been a moderate failure, so now they are pushing people into it slowly more and more every release.

As Apple and Microsoft (with their Windows Store) have learned, if there's a real choice between an app store and a standard install, nobody will pick the app store. They cannot promote it naturally, they have to push it through by force.

link
tumultco 2242 days ago
Apps did start doing this before, definitely. I always felt they were arrogant in assuming they deserved a spot in my Applications folder. I should be able to put the app wherever I'd like. At the same time dmgs seem backwards-looking since disks were "old" technology so why use an image format for them? So I was personally against distributing my software this way, but Apple forced my hand with the Gatekeeper app translocation change.

Apple themselves ships some software, like the non-Mac App Store versions of Xcode, as xips (signed zips), but for some reason decided 3rd party developers cannot use these.

Apples recommendations are in the "Shipping your Signed Code" section of this tech note:

https://developer.apple.com/library/archive/technotes/tn2206...

link
ihuman 2242 days ago
> non-app-store apps on Catalina are still required to go through them for "notarization" to be allowed to run on an unmodified OS

Apple tries to hide the option, but you can still run non-notarization software on a Mac. The first time you run the application, open in from the right click menu. It'll give you a warning, and if you select OK it'll run. After that you can just run it by double clicking like normal, and it won't warn you.

link
Lammy 2242 days ago
That's fine for you and I, but good luck distributing an app to end users that way.
link
ashtonkem 2242 days ago
You use a Mac because the user experience is really nice, and you develop for Mac because your users are there.
link
Wowfunhappy 2242 days ago
If you're a developer, because you want to reach Mac users.

If your a Mac user, you can copy and paste one line in the Terminal and you can run whatever simple unsigned apps you want.

link
grishka 2242 days ago
Can't help but wonder why no apps ship with instructions on how to disable SIP and AMFI, thus effectively neutering the entire signature/notarization requirement thing for good.

And before you say "security": it ain't that if someone else (Apple) has the private key.

link
tumultco 2242 days ago
I've definitely seen apps that do provide instructions on how to do this; off the top of my head I know SwitchResX requires it for a lot of the features [1]. There was also the "varsectomy" bug debacle of Avid Media Composer users disabling SIP, which then lead to a bug where a Chrome update broke macOS [2].

I won't say "security" :) but I'm sure a lot of app developers do not want to be held responsible for jeopardizing users' machines or data.

While Whisk doesn't have to deal with SIP, it still has to get around sandboxing on the Mac App Store version to be able to read files that are associated with the .html page (like in an <img> tag). We pretty much need to throw up a scary dialog asking users to allow access via an Open Panel. On any "normal" (non mac app store) app this is implicitly granted, and I'm sure users don't give it a second though. I personally was worried about what the reaction to asking for permission would be and so wrote up a whole explanation on the sandboxing technology and reasons for our request [3]. Originally I did prompt the user to choose the root level of their file system, but App Store review would only approve of "project folders."

[1] https://www.madrau.com/support/support/srx_1011.html

[2] https://arstechnica.com/information-technology/2019/09/no-it...

[3] https://tumult.com/whisk/documentation/v2/app-security.html

link
saagarjha 2242 days ago
Because such an action requires rebooting the computer, which is generally where your users stop listening to what you have to say.
link
userbinator 2242 days ago
...unless you're using Windows.
link