The Anatomy of a macOS App

(eclecticlight.co)

278 points elashri | 5 comments | 07 Dec 25 12:31 UTC | HN request time: 0.878s | source

Show context

mitchellh ◴[07 Dec 25 15:12 UTC] No.46182248[source]▶

> while that shown in blue is the stapled notarisation ticket (optional)

This is correct, but practically speaking non-notarized apps are pretty terrible to use for a user enough so that this isn't optional and you're going to pay your $99/yr Apple tax.

(This only applies to distributed software, if you are only building and running apps for your own personal use, its not bad because macOS lets you do that without the scary warnings)

For users who aren't aware of notarization, your app looks straight up broken. See screenshots in the Apple support site here: https://support.apple.com/en-us/102445

For users who are aware, you used to be able to right click and "run" apps and nowadays you need to actually go all the way into system settings to allow it: https://developer.apple.com/news/?id=saqachfa

I'm generally a fan of what Apple does for security but I think notarization specifically for apps outside the App Store has been a net negative for all parties involved. I'd love to hear a refutation to that because I've tried to find concrete evidence that notarization has helped prevent real issues and haven't been able to yet.

replies(8): >>46182546 #>>46183094 #>>46183222 #>>46183383 #>>46183424 #>>46185443 #>>46186860 #>>46190047 #

jclay ◴[07 Dec 25 15:47 UTC] No.46182546[source]▶

>>46182248 #

I thought the macOS notarization process was annoying until we started shipping Windows releases.

It’s basically pay to play to get in the good graces of Windows Defender.

I think all-in it was over $1k upfront to get the various certs. The cert company has to do a pretty invasive verification process for both you and your company.

Then — you are required to use a hardware token to sign the releases. This effectively means we have one team member who can publish a release currently.

The cert company can lock your key as well for arbitrary reasons which prevents you from being able to make a release! Scary if the release you’re putting out is a security patch.

I’ll take the macOS ecosystem any day of the week.

replies(6): >>46182614 #>>46182764 #>>46182861 #>>46183552 #>>46184093 #>>46188140 #

deltaknight ◴[07 Dec 25 15:56 UTC] No.46182614[source]▶

>>46182546 #

The EV cert system is truly terrible on Windows. Worst of all, getting an EV cert isn’t even enough to remove the scary warnings popping up for users! For that you still need to convince windows defender that you’re not a bad actor by getting installs on a large number of devices, which of course is a chicken-and-egg problem for software with a small number of users.

At least paying your dues to Apple guarantees a smooth user experience.

replies(2): >>46182780 #>>46184204 #

jonathanlydall ◴[07 Dec 25 19:14 UTC] No.46184204[source]▶

>>46182614 #

No, this information is wrong (unless it’s changed in the last 7 years). EV code signing certs are instantly trusted by Windows Defender.

Source: We tried a non-EV code signing certificate for our product used by only dozens of users at the time, never stopped showing scary warnings. When we got an EV, no more issues.

In case it makes a difference, we use DigiCert.

replies(1): >>46189314 #

1. e40 ◴[08 Dec 25 07:11 UTC] No.46189314[source]▶

>>46184204 #

Not true for us. We EV cert sign (the more expensive one) and my CEO ( the only one left that uses Windows) had this very problem. Apparently the first time a newly signed binary is run it can take up to 15 minutes for defender to allow it. First time I saw this, it was really annoying and confusing.

replies(1): >>46190157 #

2. jonathanlydall ◴[08 Dec 25 09:20 UTC] No.46190157[source]▶

>>46189314 (TP) #

Interesting.

I regularly download our signed installer often within a minute of it being made available, never noticed a delay.

Maybe it’s very the first time Windows Defender sees a particular org on a cert.

I renewed our cert literally on Friday, tested by making a new build of our installer and could instantly install it fine.

You sure there was no other non Windows default security software on your bosses machine?

replies(2): >>46193417 #>>46209953 #

3. feznyng ◴[08 Dec 25 15:33 UTC] No.46193417[source]▶

>>46190157 #

They did change it, I think after some debacle with Nvidia pushing an update. They seem to want devs to submit their files via their portal now to get rid of the screen: https://www.microsoft.com/en-us/wdsi/filesubmission

replies(1): >>46203748 #

4. jonathanlydall ◴[09 Dec 25 11:35 UTC] No.46203748{3}[source]▶

>>46193417 #

I've never submitted our installers to there (or anywhere). I'm often the very first to install new builds (particularly our nightlies) and never had a delay or anything.

5. e40 ◴[09 Dec 25 20:08 UTC] No.46209953[source]▶

>>46190157 #

Did you install it on the same machine or a different one?

I was always able to install immediately on the same machine.

↑