Apple recently introduced a new security feature in Mac OS High Sierra for 'User Approved Kernel Extension Loading'.
"...a new feature that requires user approval before loading newly-installed third-party kernel extensions (KEXTs). When a request is made to load a KEXT that the user has not yet approved, the load request is denied. Apps or installers that treat a KEXT load failure as a hard error will need to be changed to handle this new case."
Does this mean developers can sign kexts with their own developer certificates, and no longer need specific Apple approved certificates to ship kexts to users?
Heard back from Apple that this does not change the kext code signing process; you still need certificates from them to sign your kext.
https://developer.apple.com/library/content/technotes/tn2459/_index.html
Secure Kernel Extension Loading is a new security feature of macOS High Sierra. macOS now requires you to manually approve the installation of third-party kernel extensions. Everything remains the same on the developer side: you still sign the kext with an Apple-approved certificate.
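Apple's note above says installers must stop treating a KEXT load failure as a hard error. The script below is an added example (not from the question, the answers or Apple's technote) of an installer step that does that: it runs kextload, and when the load is refused because the user has not yet approved the extension it reports a pending state instead of aborting. The function names are hypothetical, and the "system policy prevents loading" wording it matches is the message this example's author has seen from kextload on High Sierra and later; treat it as an assumption for your own macOS version.

```shell
#!/bin/sh
# Added example, not from the question or Apple's note: an installer step that
# loads a third-party kext and treats a user-approval refusal as a pending
# state instead of a hard error. Function names are hypothetical.

# classify_kextload_output OUTPUT EXITCODE
# Echoes "loaded", "needs_user_approval" or "failed".
# On High Sierra and later, a not-yet-approved kext is refused with a
# system-policy message rather than a signature error; the exact wording
# matched here is an assumption based on what kextload prints on 10.13+.
classify_kextload_output() {
    if [ "$2" -eq 0 ]; then
        echo loaded
        return 0
    fi
    case "$1" in
        *"system policy prevents loading"*) echo needs_user_approval ;;
        *) echo failed ;;
    esac
}

# load_kext PATH
# Runs kextload and maps the result to an installer-friendly status:
#   0 = loaded
#   3 = blocked pending approval in System Preferences > Security & Privacy
#   1 = genuine failure (signature, link error, missing bundle, ...)
load_kext() {
    command -v kextload >/dev/null 2>&1 || { echo "kextload not found (macOS only)" >&2; return 1; }
    _out=$(kextload "$1" 2>&1)
    _rc=$?
    case "$(classify_kextload_output "$_out" "$_rc")" in
        loaded) return 0 ;;
        needs_user_approval)
            echo "Kext blocked pending user approval: open Security & Privacy, click Allow, then re-run the installer." >&2
            return 3 ;;
        *) echo "kextload failed: $_out" >&2; return 1 ;;
    esac
}

# Constructed sample of a refused load (the kext path and exit code are made
# up), so the script also demonstrates the classifier where kextload is absent.
sample='/Library/Extensions/Example.kext failed to load - (libkern/kext) system policy prevents loading; check the system/kernel logs for errors or try kextutil(8).'
echo "sample classified as: $(classify_kextload_output "$sample" 71)"
```

An installer would call `load_kext /Library/Extensions/Example.kext` and, on exit status 3, show the approval instructions and retry later rather than rolling back the installation.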
I want to build a macOS app that filters specific network requests so I need to add the NetworkExtensions capability. But after I add a NetworkExtensions capability, I get the following message:
Your development team, "Potato Dev2", does not support the Network Extensions capability.
Image of where the above message is from: https://i.stack.imgur.com/H46gE.png
From Apple's documentation on "Adding Capabilities to Your App":
The platform, and whether you're a member of the Apple Developer Program, may limit the capabilities available to your app
The documentation doesn't explicitly say which capabilities require being a part of the Apple Developer Program. I also don't see why I'd need to be a part of the Apple Developer Program to write software on and for my own computer. Note that, at least to my knowledge, the NetworkExtensions capability does not depend on any service from Apple (as opposed to HealthKit or Game Center).
So is there a way to add a Network Extensions capability to a macOS app without joining the Apple Developer Program?
You should be able to do it if you disable system integrity protection (SIP) on your Mac (csrutil disable in the Terminal in the macOS Recovery Environment), and disable amfid's entitlements check by adding amfi_get_out_of_my_way=1 to the kernel's command line arguments. (Again in the recovery environment, nvram boot-args='amfi_get_out_of_my_way=1')
You will need to bypass Xcode when code signing and use the codesign command directly because Xcode performs the provisioning profile entitlements check, as you noticed. codesign itself does not perform this check.
This works for allowing just about anything to do with DriverKit system extensions, so I'd expect it to work with Network System Extensions as well.
I figured out the answer to my question: to write macOS software that uses the NetworkExtension APIs, you must be a member of the Apple Developer Program ($100/year). See https://developer.apple.com/support/app-capabilities/ for details.
I've recently bought an old Alesis io26 FireWire audio interface. The last driver release only worked on Mountain Lion and older. After some time I've managed to install said drivers on Catalina, by manually dragging the MIDI driver into /Library/Audio/MIDI drivers and installing the kernel extension into /System/Library/Extensions via KEXT droplet. The problem I have now is that my mbpro only recognises the interface if SIP is disabled. I've heard that the driver is not signed and that this is the reason why SIP is preventing it from working. So, as a total noob, how can I somehow whitelist that kext so that I don't have to go to recovery mode and disable SIP every time I want to record some audio?
The 3 "correct" ways of doing this are probably unlikely:
Get the original developer to sign the kext
Somehow persuade Apple to add it to macOS's built-in whitelist
If you have a kext signing certificate yourself, you can sign it. (Apparently, Apple no longer issues these, however.)
The best you can do in practice is probably to only disable the kext signing part of SIP by using the command
csrutil enable --without kext
instead of
csrutil disable
Of course, this leaves your system open to being attacked via unsigned kexts, though I've not heard of any malware that specifically targets Macs with kext signing disabled.
Actually, the question is for Catalina. We cannot partially disable SIP by running with --without kext. From Mojave on, this option is disabled and one has to either enable or disable SIP entirely from Recovery OS.
Is it necessary to notarize an app before uploading it to the Apple App Store? I came across some articles saying that notarization is needed for non-App Store distribution, while Apple will run notarization before approving an App Store version.
Can anyone confirm?
The reason I ask this question is because I notarized the app for distribution outside the Mac App Store and it works fine. For the Mac App Store build, I can upload and distribute it and it works fine on Mac; I only have an issue on Catalina (beta) when users try to open it, see attached pic. I wonder if it's related to notarization.
Update: the issue was not due to notarization, but due to code signing. One of the node binaries was not signed before uploading to MAS; maybe Catalina has a stricter rule checking it.
No, it's not required. Apps downloaded from the App Store are not notarized. You can verify it using the spctl command.
spctl -a -v /Applications/Pages.app
/Applications/Pages.app: accepted
source=Mac App Store
Gatekeeper will check notarization only if the app is downloaded from outside the App Store.
From Safely open apps on your Mac:
When you install Mac apps, plug-ins, and installer packages from outside the App Store, macOS checks the Developer ID signature and notarization status to verify that the software is from an identified developer and that it has not been altered.
Notarization is only required for distribution outside the Mac App Store. See Distribute outside the Mac App Store (macOS), which says:
In some cases, you may want to distribute an app outside of the Mac App Store [...] Users gain additional assurance if your Developer ID-signed app is also notarized by Apple.
The macOS User Guide has this to say:
App Store: [...] All the developers of apps in the Mac App Store are identified by Apple, and each app is reviewed before it’s accepted
App Store and identified developers: [...] Identified developers are registered with Apple and can optionally upload their apps to Apple for a security check. If problems occur with an app, Apple can revoke its authorization.
We currently have problems with the download versions (ZIP) of our applications under Apple's new operating system macOS Sierra. It is a (non-native) video tutorial app with external data and different start files (certificate-signed) for Mac and Windows (originally created for DVDs).
Although the Mac start file of the download version was properly signed with a valid Apple Developer ID certificate, an authorization problem now appears and the application can no longer load external data. The same application on DVD still works impeccably.
My research has shown that under macOS Sierra, Developer ID-signed apps (outside the App Store) are not allowed to use external libraries, external code or external data:
https://developer.apple.com/library/content/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html
Starting in macOS 10.12, you can not get any longer. An app distributed outside the Mac App. To provide secure execution, code your disk image is using the codesign tool, or distribute your app through the Mac App Store. For more information, see the updated revision to macOS Code Signing In Depth.
https://developer.apple.com/library/content/technotes/tn2206/_index.html
Is our described type of application no longer compatible with macOS Sierra?
Is there any solution to continue offering our applications as a download for macOS Sierra outside the App Store?
Possibly one could automatically bundle all the necessary files of each individual training into an app, then sign it and prepare it as a DMG?
I have solved the problem.
With a signed DMG everything works again as before. This is now possible under macOS Sierra (and from Mac OS X 10.11.5 on).
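The spctl check quoted in the notarization answer above, and the signed-DMG fix in this thread, both come down to reading what `spctl` reports. The script below is an added example (not code from any of the answers or from Apple) that parses that report into a verdict and origin, says whether Gatekeeper will still look for notarization for that origin, and wraps the two real assessments: one for an app bundle and one for a disk image's own signature. Function names (parse_spctl, notarization_needed, assess_app, assess_dmg) are hypothetical; the origin strings it recognises ("Mac App Store", "Notarized Developer ID", "Developer ID", "no usable signature") are the ones spctl prints on current macOS, and the Pages.app transcript it runs over is copied from the answer above.

```shell
#!/bin/sh
# Added example, not code from the answers above: parse the verdict that
# `spctl -a -v` prints and wrap the real assessment for an app bundle and
# for a Developer ID-signed disk image. Function names are hypothetical.

# parse_spctl OUTPUT
# Reduces spctl's text to "<verdict>:<source>", e.g. "accepted:Mac App Store".
# spctl writes "<path>: accepted" or "<path>: rejected" on the first line and
# "source=<origin>" on a later one (Mac App Store, Notarized Developer ID,
# Developer ID, no usable signature, ...).
parse_spctl() {
    _verdict=unknown
    case "$1" in
        *": accepted"*) _verdict=accepted ;;
        *": rejected"*) _verdict=rejected ;;
    esac
    _source=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    [ -n "$_source" ] || _source=none
    printf '%s:%s\n' "$_verdict" "$_source"
}

# notarization_needed SOURCE
# Echoes "no" when Gatekeeper does not consult notarization for this origin
# (App Store builds and already-notarized Developer ID builds), "yes" otherwise.
notarization_needed() {
    case "$1" in
        "Mac App Store"|"Notarized Developer ID") echo no ;;
        *) echo yes ;;
    esac
}

# assess_app PATH   e.g. assess_app /Applications/Pages.app
# spctl reports on stderr, hence 2>&1.
assess_app() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found (macOS only)" >&2; return 2; }
    parse_spctl "$(spctl -a -v "$1" 2>&1)"
}

# assess_dmg PATH   e.g. assess_dmg Trainings.dmg
# Assesses the disk image's own signature, which is what makes the Sierra
# external-data case work (a signed DMG rather than a zip archive).
assess_dmg() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found (macOS only)" >&2; return 2; }
    parse_spctl "$(spctl -a -t open --context context:primary-signature -v "$1" 2>&1)"
}

# Stand-alone run over the Pages.app transcript quoted in the answer, so the
# parser is exercised even where spctl is absent.
sample='/Applications/Pages.app: accepted
source=Mac App Store'
result=$(parse_spctl "$sample")
echo "$result  (notarization still needed: $(notarization_needed "${result#*:}"))"
```

On a Mac, `assess_app` on an App Store app prints `accepted:Mac App Store`, while a Developer ID build that was never notarized comes back as `accepted:Developer ID` on Mojave and earlier but is refused on Catalina and later, which is the situation the Gatekeeper quote above describes.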
Scenario
I want to release an app for Mac OS X, but not on the AppStore. The app runs on 10.6 - 10.8 and up.
Problem
Apple requires all apps for Mac OS X 10.8+ to be signed by the developer to get past Gatekeeper. And unless I tell each user to temporarily disable and re-enable Gatekeeper just for my app, according to this document and the Mountain Lion change log, my app won't be allowed to run.
From the wording on Apple's website, it sounds like I'll have to pay the $99.00 a year for the certificate. However, I do not want to pay the $99 - I'm not publishing to the AppStore!
Question
Is there any way I can get around paying the $99 for distribution on 10.8+? I know my app will work on 10.6 and 10.7, but according to Apple it won't be allowed to run on 10.8 without the certificate. Is that true? How can I distribute on 10.8+ (preferably a DMG) without a $99 distribution certificate? Thanks in advance!
Edit #1
DMG files are not authenticated by Gatekeeper, only the app itself is.
OS X Lion 10.7.5+ also has Gatekeeper * angry face *
Apple currently provides no way to get around Gatekeeper without paying the $99 / year membership fee. To me, this seems unfair because it squishes out the smaller developers (but that's a discussion for elsewhere).
For a rather cumbersome workaround, one can include a ReadMe or a note on the download page for the software to explain to users that they need to right-click the app, click 'Open', and then click confirm to run it. I have also found through experimenting that Gatekeeper does not run security checks on DMG files or the installation of files, only the execution / running of apps. So one could include some kind of note in the DMG installer that tells the user exactly how to install and run the app.
Hopefully Apple will provide a workaround for developers (possibly a cheaper solution for a limited membership) that distribute freeware and open source software.
You don't need to purchase membership. Just get a code signing certificate from any agency and sign your app with it. Then it will bypass the Gatekeeper check. Gatekeeper only checks whether the app is from an identified developer or not.