by DCKing 1880 days ago
Having to get any Apple code signing key for regular users is a barrier to entry for malware. However low it is, it is there. Moreover, it gives Apple the power to revoke certificates in the future to at least attempt to contain further malware activity.

Is it really that hard to get your code signed as a malware developer? No, not at all. Is that worth bothering developers so much? Maybe not. Is it a power grab? Probably. Does that together make notarization useless for security? No, not really.

Notarization is just a step in the chain. It disincentivizes malware, especially trivial malware (which is the largest quantity and the most relevant for the bulk of the users) by tipping the economics of it slightly less in the malware developer's favor. It does this at the cost of also tipping the economics less in regular developers' favor. You may disagree whether or not that's worth it (and I might be inclined to share that opinion), but that doesn't make notarization useless from a security perspective.


The economics also work in Apple's favor as it either requires using your real identity to commit fraud, committing identity theft by creating an LLC with someone else's identity, or paying for a registered agent in a third-world country to sign up for you (not sure how much that costs though, I've never looked!). I'm sure most malware cases they deal with are triaged for the possibility of filing a police report.
It turns out that getting access to an Apple developer account is not all that hard.
And how is any of that different from the Developer ID code-signing Apple had already? You still needed to register as either a corp or an individual using legal identifying documents just to generate the certificates. This is the step you seem to be attributing to notarization. It’s not new at all.

Moreover, Apple was also already using OCSP to check for revoked certificates when validating the code signature. They'd already revoked malware-producing Developer ID certificates several times in the past before notarization ever existed.

I'm explaining how it currently works - they have the legal resources to file police reports for serious reports of malware, or, if it's in a place with largely uncooperative police, to request a domestic federal investigation into the activity.
But the question is why they needed to require notarization; it adds nothing to this protection ability.
That's been discussed a lot elsewhere in the thread. The parent of my comment specifically talks about how any barrier to entry (my addition: especially legal/criminal ones) deters most unsophisticated/undedicated attackers from widely distributing malware.