[tumult]

Nope. Notarization is not code signing. It’s an extra step, after code signing, where you upload your software to Apple’s servers and wait for their system to approve it. It’s more onerous than code signing alone and, with hindsight, doesn’t seem to have been offering any extra protection.

[jeroenhd]

It's not the same, but in practice it's also not so different. Microsoft keeps track of how many times a certain executable has been run and only after a certain threshold does the executable become openable without hunting for tiny buttons. The kicker: this also applies for signed binaries.

Microsoft will upload these executables to the cloud by default if you use their antivirus engine ("sample collection").

In a way, Microsoft is building the same "notarisarion database", but it's doing so after executables have been released rather than before it. Many vendors and developers will likely add their executables to that "database" by simply running it on a test system.

On the other hand, SmartScreen can be disabled pretty easily, whereas macOS doesn't offer a button to disable notarisarion.

[makeitdouble]

Microsoft's notorisation sounds fully automated and transparent, while Apple's is more political and hands on. Individual apps getting their notorisation slowed down to a glacier pace because the platform owner doesn't like them doesn't seem to happen in Microsoft land.

[mort96]

Wasn't there even a story some time ago about how some completely legit, legal, above-board app to virtualize old (pre OS X) versions of Mac OS got rejected by Apple's notarization process?

[makeitdouble]

Yes. Probably this story ?

https://9to5mac.com/2024/06/19/iphone-pc-emulator-block-ille...

[raddan]

“UTM SE” is now on the App Store. Perhaps this was just a mistake?

https://apps.apple.com/us/app/utm-se-retro-pc-emulator/id156...

[immibis]

It was the standard business pattern of denying your competitors everything you can, unless it causes a third-party fuss.

[robenkleene]

Note this is an iPhone app (noting because this thread seems to mainly be about macOS).

[mort96]

Notarization is the same for macOS and iOS AFAIK. Both platforms have a separate app store review process that's even more strict than the notarization process.

[Earw0rm]

The bigger difference is that Apple isn't just checking for malware, it's checking for conformance with various APIs, manifest requirements and so on. Not as strict as the iOS App Store, maybe, but it will refuse to notarize if it detects use of unsanctioned API calls.

You don't even need signing for Microsoft's system to do what it does - it can operate on unsigned code, it's all hash based.

[makeitdouble]

> it will refuse to notarize if it detects use of unsanctioned API calls.

Or really any reason. They're not supposed to exert editorial control but that's how it has been happening in practice.

[robenkleene]

> detects use of unsanctioned API calls

Is there a concrete example of this? We know this isn't blanket policy, because of a recent story (https://news.ycombinator.com/item?id=45376977) that contradicts it. I can't find a reference to any macOS app failing notarization due to API calls.

[drysart]

Notarization doesn't blanket block all access to private APIs; but the notarization process may look for and block certain known accesses in certain cases. This is because notarization is not intended to be an Apple policy enforcement mechanism. It's intended to block malicious software.

So in other words, using private APIs in and of itself isn't an issue. Neither is it an issue if your application is one that serves up adult content, or is an alternate App Store, or anything else that Apple might reject from its own App Store for policy reasons. It's basically doing what you might expect a virus scanner to do.

[robenkleene]

Yeah, don't disagree with any of that, but I'm looking for explicit evidence that that is true (right now it sounds like it's just an assumption)? E.g., either examples of apps failing notarization due to API calls, or Apple explicitly saying that they analyze API calls. Without that it sounds like we're just guessing?

[Earw0rm]

I have experienced it myself but this was some years ago, may not be current. Think it was things they were trying to deprecate, which are now fully gone - was around the time they introduced Hardened Runtime, 2018-19 ish.

[hkpack]

I have the opposite experience - on macOS you can guarantee what users will see when you distribute your notarized app, while on Windows you cannot for undefined time.

How often do you notarize your apps? Why does the speed matter at all? In my cases it takes 2 seconds for the notarization to complete.

[makeitdouble]

The article is about iOS, and getting your notorization in 2 seconds or weeks is IMHO a big difference.

There's obviously simple cases where the iOS notorization also flies in 2 secs, but there seems to be enough tougher cases:

https://www.reddit.com/r/iOSProgramming/comments/1l9m7jd/how...

[drysart]

The length of time notarization takes depends primarily upon how large and complicated your app is, and how different is from previous versions of the same application you've previously notarized. The system seems to recognize large blocks of code that it's already analyzed and cleared and doesn't need to re-analyze. How much your binary churns between builds can greatly influence how fast your subsequent notarizations are.

A brand new developer account submitting a brand new application for notarization for the first time can expect the process might take a few days; and it's widely believed that first time notarizations require human confirmation because they do definitely take longer if submitted on a weekend or on a holiday. This is true even for extremely small, trivial applications. (Though I can tell you from personal experience that whatever human confirmation they're doing isn't very deep, because I've had first time notarizations on brand new developer accounts get approved even when notarizing a broken binary that doesn't actually launch.)

And of course sometimes their servers just go to shit and notarizations across the board all take significantly longer than normal, and it's not your fault at all. Apple's developer tooling support is kinda garbage.

[Someone]

> I've had first time notarizations on brand new developer accounts get approved even when notarizing a broken binary that doesn't actually launch

https://developer.apple.com/documentation/security/notarizin... (emphasis added):

“Notarize your macOS software to give users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. _Notarization_of_macOS_software_is_not_App_Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly.”

⇒ It seems notarization is static analysis, so they don’t need to launch the process.

Also, in some sense a program that doesn’t launch should pass notarization because, even though it may contain malware, that’s harmless because it won’t run.

[robenkleene]

I went through the comment there, all of those look like the most likely explanation is just bugs in the notarization system.

[layer8]

The important part is that once you have a code signing certificate, you can sign your executable independently, offline, without involvement from Microsoft, which isn’t possible with Apple’s notarization.

[tonyedgecombe]

>It’s more onerous than code signing alone and ...

I don't know, I sometimes contemplated sticking sharpened pencils in my eyes for light relief whilst trying to renew my code signing certificates.

[Earw0rm]

It's more akin to an enforced malware scanner, at least in principle, kind of mandatory VirusTotal with a stapled certificate.

In practice though they use it to turn the screws on various API compliance topics, and I'm not sure how effective it is realistically in terms of preventing malware exploits.

[robenkleene]

> In practice though they use it to turn the screws on various API compliance topics

Do you have an example of this on macOS?

[robenkleene]

> doesn’t seem to have been offering any extra protection.

How would this be measured?

Since no one has pointed it out here, it seems obvious to me that the purpose of the notarization system is mainly to have the code signatures of software so that Apple can remotely disable any malware from running. (Kind of unsavory to some, but probably important in today's world, e.g., with Apple's reach with non-technical users especially?)

Not sure how anyone external to Apple would measure the effectiveness of the system (i.e., without knowing what has been disabled and why).

There's a lot of unsubstantiated rumors in this comment thread, e.g., that notarization on macOS has been deliberately used to block software that isn't malware on macOS. I haven't seen a concrete example of that though?

[tumult]

Disabling malware via hash or signature doesn't require the Notarization step at all. Server can tell clients to not run anything with hash xxyyzz and delete it. I mean, just think about it. If disabling stuff required the Notarization step beforehand, no anti-malware would have existed before Notarization. Nonsense.

[robenkleene]

I think notarization is just a more automated way to do this approach, e.g., otherwise Apple has to hunt down all the permutations of the binary themselves. It seems like it just simplifies the process? (It makes it a white list not a black list, so it's certainly more aggressive.)