julienXX / terminal-notifier

Send User Notifications on macOS from the command-line.

MacOS Notarization #271

Open tilmanginzel opened 5 years ago

tilmanginzel commented 5 years ago

Hi @julienXX,

first of all thanks for this neat tool. :)

Since macOS Catalina (currently in beta), all applications have to be notarized by default. Otherwise, Gatekeeper won't allow the app to be opened. See:

Do you have a developer ID certificate? If yes, would it be possible for you to notarize the app, so it will run without any issues in future macOS versions?

Thanks in advance!

Cheers Tilman

Reference: https://github.com/tilmanginzel/alfred-bluetooth-workflow/issues/9#issuecomment-517848591

julienXX commented 5 years ago

Thanks! I don't and I'm not really sure I want to pay for this honestly :(

tilmanginzel commented 5 years ago

That's totally understandable. As many applications will face the same issue, I just hope that there will be a user-friendly workaround so single apps can be whitelisted. Basically the same behavior as in current macOS versions.

I have not tried Catalina yet and it's still in beta, so we will see how it will turn out later on. There has to be some workaround without disabling Gatekeeper.

julienXX commented 5 years ago

Yes, since I have only one machine I won't install Catalina before the official release so let's hope for the best :)

JayBrown commented 4 years ago

Anyone can notarize terminal-notifier. If you have a regular code-signing certificate, you can send any app in for notarization.

EDIT – solved the problem of terminal-notifier nested in a Platypus app bundle: before code-signing the main bundle, you need to code-sign terminal-notifier first. If you just code-sign the main bundle with the --deep argument, terminal-notifier will in reality not be signed as code but just added into the bundle's code resources, i.e. code-signing needs to be done "inside out".

ZhaofengWu commented 3 years ago

@JayBrown Do you mind elaborating on the self-notarization process, or pointing to some resources, if I only need to use terminal-notifier as a standalone terminal command? Would it require a (paid?) developer account?

JayBrown commented 3 years ago

Yes, afaik for notarization you would need a paid developer account. With only a free dev account, you can still codesign, so that it runs without problems on your local machine: for that you can use a free Apple Development certificate (the one with your email address in its X.509 commonName), or just an ad-hoc signature. But for distribution, so that other people can use it, terminal-notifier (the terminal-notifier.app, that is) should probably be bundled/nested, and codesigned + notarized. Otherwise you will definitely have users telling you that it doesn't work.

As it stands now, terminal-notifier will run just fine without any code signature at all. (But that will change on macOS 11 on ARM Macs.)

I think that in the future, terminal-notifier (the universal binary app) should be released in two versions, one with a code-signature and notarization, e.g. the version that is installed via Homebrew, and one without any signature, as a GitHub download-only release, for users who need to change the Info.plist, the icon etc., and who then need to re-codesign it. (Just my 2¢.)
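The "inside out" signing order JayBrown describes above (sign the nested terminal-notifier.app before the outer bundle, rather than relying on --deep), together with the ad-hoc or Apple Development identity option from the following comment, as an added example that is not part of this thread or the terminal-notifier project. It assumes the outer bundle path and the signing identity are passed as arguments; the DRY_RUN variable is an assumption of this script and makes it print the codesign commands instead of running them, so the ordering can be checked on any machine. Passing `-` as the identity requests an ad-hoc signature, which is what codesign itself accepts.

```shell
#!/bin/sh
# Added example: sign an app bundle "inside out": every nested .app is sealed first,
# deepest bundle first, and the outer bundle last. Signing only the outer bundle with
# --deep leaves a nested app recorded in the outer seal's resources rather than signed
# as code, which is the failure described in the thread.
# DRY_RUN=1 (assumed name, not a codesign flag) prints each command instead of running it.

# Run or print one codesign invocation. Identity "-" means ad-hoc (no certificate).
codesign_one() {
  path="$1"; identity="$2"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'codesign --force --options runtime --timestamp --sign "%s" "%s"\n' "$identity" "$path"
  else
    codesign --force --options runtime --timestamp --sign "$identity" "$path"
  fi
}

# Sign nested bundles deepest-first (sorted by number of path components), then the outer one.
sign_inside_out() {
  bundle="$1"; identity="$2"
  find "$bundle" -mindepth 1 -type d -name '*.app' |
    awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2- |
    while IFS= read -r nested; do
      codesign_one "$nested" "$identity"
    done
  codesign_one "$bundle" "$identity"
}

# Strict verification of the finished bundle: this is the check that fails when a nested
# app was only "deep-signed" from the outside instead of sealed as code.
verify_bundle() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'codesign --verify --deep --strict --verbose=2 "%s"\n' "$1"
  else
    codesign --verify --deep --strict --verbose=2 "$1"
  fi
}

# Usage: DRY_RUN=1 sh sign-inside-out.sh /path/to/Outer.app "Developer ID Application: NAME (TEAMID)"
if [ $# -ge 2 ]; then
  sign_inside_out "$1" "$2"
  verify_bundle "$1"
fi
```

Notarization itself is a separate submission step after signing and needs a paid developer account, as the thread says; the script above only covers the signing order and the local verification that exposes a bundle whose nested app was never sealed.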

ZhaofengWu commented 3 years ago

Thanks! Although I must be missing something -- you said terminal-notifier will run just fine as-is (in Catalina and I assume in Intel chip Big Sur), why is that? I haven't upgraded to Catalina, but doesn't its notarization requirement precisely forbid applications without signatures from running?

JayBrown commented 3 years ago

That's right. But if you remove the quarantine extended attribute, it won't be a problem. (And if you install it with Homebrew, you don't even have to remove the quarantine XA, because afaik there isn't one to begin with.) This "dequarantine" workaround is probably also going to be possible in Big Sur on ARM Macs, at least for programs & apps that are not notarized, but it's not a practical solution to tell users to run a Terminal command before they can use a piece of software.

ZhaofengWu commented 3 years ago

Thanks :)

davidnewhall commented 2 years ago

Can confirm @JayBrown's assessment. I have signed, packaged inside another Mac app, and notarized terminal-notifier. It works on all versions of macOS as far as I can tell, up to 12.4. I also turned it into a universal binary using lipo so it works on M1 and Intel simultaneously. The app I used to sign and notarize is gon.

A link to the signed app: https://github.com/Notifiarr/notifiarr/tree/eec162e49c75b857d4849487725f12b041714a50/init/macos/Notifiarr.app/Contents/Resources