[mmastrac]

Notarization has been a nightmare of a solution to a problem that isn't effective. You can get practically as much security by pushing malware signatures to the client without the massive privacy overreach of having Apple archive each and every bit of code that you generate for distribution.

This is just Apple's overreach extended to the desktop. Excessive control that makes developer's lives hell while adding barely any security on top.

[jolux]

>You can get practically as much security by pushing malware signatures to the client without the massive privacy overreach of having Apple archive each and every bit of code that you generate for distribution.

Apple do this too, it's called XProtect: https://support.apple.com/guide/security/protecting-against-...

They also have a built-in malware remediation tool, which is presumably what was used when they killed the vulnerable Zoom web server on everyone's Mac: https://www.zdnet.com/article/apple-update-kills-off-zoom-we...

Notarization is clearly part of a defense in depth strategy for macOS.

[AnthonyMouse]

> Notarization is clearly part of a defense in depth strategy for macOS.

Defense in depth means layering security. It's, for example, when you use password hashing but also full disk encryption. That way if someone gets your hard drive, even if they break the disk encryption, they don't get your password in plaintext. Even if they know how to crack the password hash, they first have to get past the disk encryption.

Notarization and signatures aren't two separate measures. They're the same measure implemented two different ways. That's basically useless. If some piece of code is identified as malware then it both gets revoked and added to the malware list, and then they both catch it. If it hasn't been identified then it's neither revoked nor on the malware list.

The things that make it past one also make it past the other. There is no defense in depth because there is no depth. The two measures would have to operate based on a different principle in order to achieve that.

[iancarroll]

Notarization is distinct from code signing/signatures, and has distinct security benefits. Notarization involves uploading the entire binary to Apple, where signatures involve you creating signatures on files that Apple is blind to.

Apple cannot guarantee they are revoking all certificates for a given malicious application with code signing, because they do not know what variants exist even if they have obtained one of them. Revoking just one code signing certificate may not be sufficient. With notarization, they can search for these variants and prevent new variants from being signed by new developer accounts -- protecting machines that i.e. have outdated XProtect definitions.

[AnthonyMouse]

It's linguistically confusing to try to distinguish between malware signatures and digital signatures when we're comparing them, so let's call one fingerprinting and the other one certifying.

> Apple cannot guarantee they are revoking all certificates for a given malicious application with code signing, because they do not know what variants exist even if they have obtained one of them.

This is making the case that certification/notarization is worse than fingerprinting because the same malicious application could have multiple independent certificates. But since notarization is the thing people are objecting to, that's no argument in its favor. (Though, of course, they could, and possibly do, refuse to notarize apps with known-malicious fingerprints, so if there is a difference there at all then it's only by implementation and not by necessity.)

> With notarization, they can search for these variants and prevent new variants from being signed by new developer accounts -- protecting machines that i.e. have outdated XProtect definitions.

Let's think about this for a minute. You have a malicious application that at one point had a valid certificate. The user goes to run it.

If they have a working network connection to check whether the certificate is revoked, they have a working network connection to get the latest malware fingerprints. If they don't, they get neither. So what's it buying you?

[mmastrac]

> Notarization involves uploading the entire binary to Apple

And that's exactly what I have a problem with.

[jolux]

XProtect has a wider scope than notarization, though, and its detection rules are different. Notarization and XProtect are both focused on stopping malware but they don't actually operate on the same principle, notarization happens in the cloud before deployment (to stop malware from being deployed) and XProtect happens continuously in the operating system (to stop malware from running), checking for malicious signatures. That functionality intersects with notarization, but it's not equivalent.

[AnthonyMouse]

It operates based on the same principle. There is a list of known-malicious software and you reject that software. If the bad software is known, they can both reject it. If it isn't known, neither of them would.

Defense in depth requires one of the measures to catch things the other one wouldn't.

[AnthonyMouse]

People seem to be having trouble with this, so let's go to the ogre analogy.

Defense in depth is layered, like an onion.

Combining automatic certification with fingerprinting is layered, like a cake. It's not the same thing.

[hda2]

> Notarization is clearly part of a defense in depth strategy for macOS.

The issues being called out here is that it comes at too high of a cost to both develops and users compared to the benefits it provides.

[jolux]

I hardly notice the cost as a user. Sometimes I have to right-click and application to open it the first time, same as it’s been since Gatekeeper was introduced as far as I know.

As for developers, well. Apple clearly do not treat their developers right.

[userbinator]

"defense in depth" should really be shortened to, and called, what it really is: "paranoia".

[barrkel]

A defense in depth would be to have layers of trust for applications, identifying and preventing bad behaviours, rather than trying to lock developers in.

[jolux]

>A defense in depth would be to have layers of trust for applications

They do, it’s called…code signing and notarization?

[DCKing]

Having to get any Apple code signing key for regular users is a barrier of entry for malware. However low it is, it is there. Moreover, it gives Apple the power to revoke certificates in the future to at least attempt to contain further malware activity.

Is it really that hard to get your code signed as a malware developer? No, not at all. Is that worth bothering developers so much? Maybe not. Is it a power grab? Probably. Does that together make notarization useless for security? No, not really.

Notarization is just a step in the chain. It disincentives malware, especially trivial malware (which is the largest quantity and the most relevant for the bulk of the users) by tipping the economics of it slightly less in the malware developer's favor. It does this at the cost of also tipping economics less in regular developer's favor. You may disagree whether or not that's worth it (and I might be inclined to share that opinion), but that doesn't make notarization useless from a security perspective.

[judge2020]

The economics also work in Apple's favor as it either requires using your real identity to commit fraud, committing identity theft by creating an LLC with someone else's identity, or paying for a registered agent in a third-world country to sign up for you (not sure how much that costs though, I've never looked!). I'm sure most malware cases they deal with are triaged for the possibility of filing a police report.

[saagarjha]

It turns out that getting access to an Apple developer account is not all that hard.

[mrtesthah]

And how is any of that different from the Developer ID code-signing Apple had already? You still needed to register as either a corp or an individual using legal identifying documents just to generate the certificates. This is the step you seem to be attributing to notarization. It’s not new at all.

Moreover, Apple was also already using OSCP to check for revoked certificates when validating the code signature. They’d already revoked malware-producing Developer ID certificates several times in the past before notarization ever existed.

[judge2020]

I'm explaining how it currently works - they have the legal resources file police reports for serious reports of malware, or if it's in a place with largely uncooperative police, a domestic federal investigation into the activity.

[mrtesthah]

But the question is why they needed to require notarization; it adds nothing to this protection ability.

[judge2020]

That’s been discussed a lot elsewhere in the thread. The parent of my comment specially talks about how any barrier to entry (My add: especially legal/criminal ones) deters most unsophisticated/undedicated attackers from widely distributing malware.

[Closi]

> You can get practically as much security by pushing malware signatures to the client without the massive privacy overreach

I think the issue with pushing malware signatures to the client is that it is reactive rather than proactive - i.e. by the time you have identified a malware signature, it is already too late (which leads to an inevitable cat-and-mouse / whack-a-mole game).

[fiddlerwoaroof]

So, my take has been that Apple’s been doing a long push to switch incrementally from a Unix user/group/ACL security mode to a capability model: the various entitlements, things like PowerBox not having an API, notarization, etc.

The big issue I’ve always had with capability security (as implemented here and in Fuschia) is that, while it is a better security model in many ways, it’s also a lot easier to use against developers and power users, especially when you depend on PKI to implement your unforgeable tokens.

[mmis1000]

And it does not even work in every case even signature is successfully identified. For example. If the malware already take down the network in some way. There is just no chance for apple to push the malware signatures and fix to client anymore.

[AnthonyMouse]

> I think the issue with pushing malware signatures to the client is that it is reactive rather than proactive - i.e. by the time you have identified a malware signature, it is already too late (which leads to an inevitable cat-and-mouse / whack-a-mole game).

But notarization is the same. Apple isn't vetting notarized apps before they're distributed. All it does is impose a cost on the developer, who could still for all you know be a member of the Russian mafia. Or any random developer who has had their machine compromised and then used to sign the compromising party's malware.

It doesn't get revoked until somebody identifies the code as malware. It's the same reactive process as malware signatures.

[zackees]

Malware can change its signature and then it’s no longer on the exclusion list.

However if an inclusion list is used, then the malware changing its signature means that it loses the ability to execute.

[AnthonyMouse]

Except that approval is automatic so they just modify the signature and submit it to be included again.

[joseluisq]

Honestly I never have seen such piece of crap like "Notarization". One of the Apple's failures ever (if is not the most one).

A nightmare (and not cheap) to deal with it as a developer.

[Klonoar]

$100/yr is fairly cheap all things considered, and it takes thirty minutes Max to set up a bash script to handle it.

And that’s just non-Xcode. If you use Xcode it’s often automatic.

[mvanaltvorst]

Cheap considering what? Considering the 30% margins they take on any further sale? Considering the 25$ one-time fee the Play Store takes?

[kalleboo]

For macOS (which is what we're talking about in a topic about notarization), you can sell your software any way you want outside of the App Store, without the 30% cut. There's still a $100/year developer account fee to be able to notarize new builds of your app.

This is not iOS where the App Store is the only way to install an app.

This comment is not an endorsement of any aspect of Apple's business model, I'm just correcting a factual error in your comment.

[nicky0]

Just FWIW it's a 15% cut nowadays. (Unless you are doing >$1million a year of sales, which anyone quibbling over a $100 annual fee isn't.)

[kalleboo]

That is correct, but that is a special discount program you have to apply for, wait for judgement, and get approved for in advance. It's not the default.

It was a great step forward, but I don't understand why they made it so complicated with an approval process, when Google did the same thing afterwards and could just say "the first million dollars a year is 15%, after that it's 30%".

The total revenue difference for the different companies is probably negligible.

(or... outside of the App Store you can sign up for a PayPal account and accept payments at a 3% rate instantly)

[Klonoar]

Cheap considering buying a proper certificate for signing and releasing on Windows will often cost you the same. ;P

If your bar to hit is Linux, you'll never be happy with anything.

[nly]

On this note, does HN know where to acquire the cheapest possible code signing cert for Windows?

[judge2020]

The cheapest base code signing certificate will be via a Sectigo (formerly Comodo, although they allow resellers to advertise either brand) reseller. I'm not affiliated with this site beyond being a customer, but the website 'codesigncert.com' is the absolute cheapest i've found for Windows signing (EV 3 years: $219/yr [0] / regular 3 years: $59/yr [1]).

Note that this landscape might change in the future. Microsoft is working on Azure Code Signing, which will mean Microsoft themselves manages issuing the certificate, doing the identity verification, etc - the only catch being that they probably don't want to have to deal with any lost keys or improperly stored keys, so they don't let you generate your own cert and you can only sign certs via the API or other integrations. All of this info is available via this talk [2] and it's the only public information available on this service that i've found.

0: https://codesigncert.com/sectigo-ev-code-signing

1: https://codesigncert.com/sectigocodesigning

2: https://youtu.be/Wi-4WdpKm5E?t=530

[TomSwirly]

> If you use Xcode it’s often automatic.

You can't have read the same article I just read!

[pwinnski]

Not everyone has the same difficulties the author did.

XCode notarization does work for many developers, perhaps even the majority! It is a fragile process, though, and the author is not the only one for whom it fails.

[ece]

Maybe independent notaries are what you're after if privacy is the problem? The web seems to do fine with independent cert providers.

[eecc]

Yeah but that puts the burden of verification on Apple. This way the application author has to (legally) undersign their intentions.

Makes sense to me...