macOS Catalina : software notarization ... ?

DSP, Plugin and Host development discussion.

Post

Rockatansky wrote: Thu Sep 12, 2019 6:25 pm
Youlean wrote: Thu Sep 12, 2019 8:51 am I did buy 10.7 and 10.8 recently, but they didn't send me the activation code and I called their support but still nothing.
Where did you manage to do that? Only 10.7 could be purchased back in 2011, and it was exclusively available in the Mac App Store. Every subsequent macOS upgrade was free. Would really love to know where you thought you could legitimately purchase 10.7 / 10.8 these days?
On Apple.com
https://www.apple.com/shop/product/D6106Z/A/os-x-lion

Post

Also, here is the 16Gb of RAM if someone wants to upgrade for just $400. It's a steal. :party:

https://www.apple.com/shop/product/MP7M ... dimm-2x8gb

Post

lobanov wrote: Thu Sep 12, 2019 6:14 pm About the notarization (from Presonus):

https://support.presonus.com/hc/en-us/a ... y-plug-ins
So at this point - thanks to Apple - we have a company like Presonus (and many others will follow) which is basically forced to recommend that their customers download, install and use the previous versions of their DAW/host software instead of the current version... The only way for you to continue using all the plugins of the last 15-20 years (for which you paid money). Amazing.

Think different. :nutter:
bruno @ Xhun Audio || www.xhun-audio.com || Twitter || Instagram

Post

I created a HOWTO at viewtopic.php?f=33&t=531663

Cheers,
George.

Post

This whole notarization stuff is definitely nonsense, and it seems like yet another attempt to lock the platform and have total control over third party applications. For us it does not scale, given the number of binaries to notarize for each release and the number of releases per year. Plus it seems (haven't verified yet) that they are forcing you to drop support for Mac OS 10.8 and earlier to get notarized. Did I hear "planned obsolescence"?

However the only limitation (so far) seems to be that the user has to right-click and select "open" on your installer instead of double clicking on it so that it can be authorized. Not a big deal for established developers who are already trusted, but a problem for newcomers who could be suspected of installing malware.

Of course when host applications start using the "hardened" runtime it will be another story, as each one may have different setups, so you will end up having random crashes depending on how each host is configured. Dark days ahead...

Maybe (hopefully?) if pro software companies do not accept the notarization process as is, Apple will have to drop the ball like they have done for AU sandboxing a few years ago?

Post

I guess that if the whole "pro" industry (audio, video and so on) will stop using Apple products, it'll be only a small dent in their revenue compared to what mobile and apps monetize for them.

Post

Blue Cat Audio wrote: Mon Sep 16, 2019 8:10 am Of course when host applications start using the "hardened" runtime it will be another story, as each one may have different setups, so you will end up having random crashes depending on how each host is configured. Dark days ahead...
I'm worried about this as well. Particularly concerned about the MAP_JIT stuff since I'm betting that many hosts won't enable that.
owner/operator LHI Audio

Post

I think there are many plug-ins that use some kind of scripting system with JIT, so maybe hosts will take this into account. But we can predict lots of problems anyway, especially when Apple update their security policies and add more restrictions (probably quite often).

Post

Blue Cat Audio wrote: Mon Sep 16, 2019 8:10 am they are forcing you to drop support for Mac OS 10.8 and earlier to get notarized.
So oldest supported Mac OS/X version is 10.9: Mavericks from October 2013 (6 years ago)
Not too bad, it can run on iMacs since 2007 and MacBooks since 2008.

Clients on older stuff have had plenty of time to save up for replacing it, economical life of such devices has surely ended.
We are the KVR collective. Resistance is futile. You will be assimilated.
My MusicCalc is served over https!!

Post

wrl wrote: Mon Sep 16, 2019 1:14 pm
Blue Cat Audio wrote: Mon Sep 16, 2019 8:10 am Of course when host applications start using the "hardened" runtime it will be another story, as each one may have different setups, so you will end up having random crashes depending on how each host is configured. Dark days ahead...
I'm worried about this as well. Particularly concerned about the MAP_JIT stuff since I'm betting that many hosts won't enable that.
Your concerns are my exact ones
I'm really surprised nobody is speaking about this!!!!!!!!!!!!!!
Possibly many developers posting on tech forums like this one have very very simple copy protection code, they don't even know what we are speaking about.

Post

Blue Cat Audio wrote: Mon Sep 16, 2019 8:10 am Plus it seems (haven't verified yet) that they are forcing you to drop support for Mac OS 10.8 and earlier to get notarized.
Are you sure that’s the case? I had no problems notarizing plugins built with plain old XCode 9, with 10.6 as the deployment target.

I downloaded Xcode 10, but used only the command-line tools to notarize.

But then I have no standalone apps in my installer .pkg that I notarized, only plugins.
Last edited by Wallander on Tue Sep 17, 2019 4:22 pm, edited 1 time in total.
Arne @ noteperformer.com

Post

I guess it could be because hardened runtime is not required yet for notarization at this point (but it should change by January 2020), but hopefully I am just wrong :-)

Post

Blue Cat Audio wrote: Tue Sep 17, 2019 12:53 pm I guess it could be because hardened runtime is not required yet for notarization at this point (but it should change by January 2020), but hopefully I am just wrong :-)
I believe those are for executables only. Since plug-ins inherit the entitlements from the host app. But someone would need to confirm that.

I have only plugins in my PKGs. No executables, except codesigned scripts. It notarized without warnings.
Last edited by Wallander on Tue Sep 17, 2019 4:23 pm, edited 2 times in total.
Arne @ noteperformer.com

Post

There is something I really don't understand, I hope someone has a clue here.
Several days ago PACE sent an email with a lot of details on the matter, and among them this warning:
Entitlements needed for wrapping
If you’re wrapping an application that needs to be notarized, or if you’re notarizing a host application that loads wrapped bundles (like PACE protected plugins), then you will need to add the com.apple.security.cs.allow-unsigned-executable-memory entitlement when signing.
now, this kind of email is normally sent to
- all ilok customers
- aax plugin developers, since they are using pace signing tools.

It seems like this warning is addressed to host developers, not pace customers.
They are basically asking to relax a flag, a security entitlement because they need it (and I'm very interested in this flag, because we have the same requirements, as all people using virtualized protection code).
But I'm puzzled: host developers are not in the mailing list necessarily. I mean
if you’re notarizing a host application that loads wrapped bundles (like PACE protected plugins)
to my understanding means: if you are coding a sequencer which is loading plugins you need to do this.
Now, the real problem is that some will NOT do it, for example logic. Apple is developing this sequencer and obviously it is going to load "wrapped bundles like PACE protected plugins", and I don't think they will enable a fallback they said is dangerous, the very reason why this notarization mess started.

Could please someone point to me if I'm wrong and why? I'm really interested in answers: if they are not going to adapt we'll be forced to code a very complex workaround.
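
An added example, not part of any post in this thread: a small Python check of which hardened-runtime entitlements a host carries, covering both the MAP_JIT concern and the `allow-unsigned-executable-memory` entitlement from the PACE e-mail quoted above. The sample plist and the host it describes are constructed for illustration; the entitlement keys are Apple's documented names.

```python
import plistlib

# Hardened-runtime entitlement keys (Apple's documented names) that decide
# what a plug-in loaded into the host process is allowed to do.
CHECKS = {
    "com.apple.security.cs.allow-jit":
        "map JIT memory with MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "create writable+executable memory without MAP_JIT",
    "com.apple.security.cs.disable-library-validation":
        "load plug-ins signed by a different Team ID",
}

# Constructed sample: entitlements of a hypothetical hardened host.
SAMPLE_HOST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
"""

def audit_host(entitlements_xml, hardened=True):
    """Map each entitlement key to True if plug-ins get that capability."""
    if not hardened:
        # Host not signed with the hardened runtime: these limits do not apply.
        return {key: True for key in CHECKS}
    # codesign prints nothing when the host has no entitlements at all.
    ents = plistlib.loads(entitlements_xml) if entitlements_xml.strip() else {}
    return {key: ents.get(key) is True for key in CHECKS}

def blocked_capabilities(entitlements_xml, hardened=True):
    """List what plug-ins cannot do inside this host."""
    return [f"cannot {CHECKS[key]} (host lacks {key})"
            for key, ok in audit_host(entitlements_xml, hardened).items() if not ok]

if __name__ == "__main__":
    for line in blocked_capabilities(SAMPLE_HOST):
        print(line)
```

On a Mac, the XML input can be obtained with `codesign -d --entitlements :- /path/to/Host.app`; whether the host uses the hardened runtime is shown by the `runtime` flag in `codesign -dv` output.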

Post

Well, that's probably good news: if almost no third party plug-in can be loaded by Logic (which will probably be the case without this flag), you can be sure they'll have to relax their policy!
