lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

49783279: Notarization of kernel extensions not clearly documented #21171

Open openradar-mirror opened 5 years ago

openradar-mirror commented 5 years ago

Description

Summary: On the week of April 8, 2019, the Apple article "Notarizing Your App Before Distribution" https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution added the following text:

Important: Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.

The rest of the documentation focuses on notarizing applications, with little to no discussion of the effect on kernel extensions. For example, one of the documented steps in "Prepare Your Software for Notarization" is "Enable the Hardened Runtime capability"; however, the Capabilities tab does not appear for a kernel extension target. It seems that this requirement may not apply to kernel extensions, but this is not made clear by the documentation.

Also, in "Customizing the Notarization Workflow", the note on custom installers implies that the payload must be packaged inside the installer to be notarized, and does not explain how to handle the case where components of the payload are downloaded from a secure server at installation time.

The previous paragraph, stating "The notary service accepts disk images ... It processes nested software as well, like packages inside a disk image", seems to imply that one could submit a disk image that contains the various components to be notarized, including the installer and kernel extensions; if so, this should be clarified and/or made more explicit.

This issue is filed as a bug because it blocks the ability to comply with Apple's direction that kernel extensions be notarized to run in macOS 10.14.5, with the apparent result that unnotarized kernel extensions will stop functioning when that OS version is released. There are already reports that unnotarized kernel extensions are not loading in beta releases of 10.14.5.

Steps to Reproduce: In the role of a developer, observe the directive in "Notarizing Your App Before Distribution" that kernel extensions must be notarized in macOS 10.14.5, and refer to the Apple documentation for instructions on how this should be accomplished.

Expected Results: The Apple documentation contains the necessary instructions for notarizing kernel extensions (as opposed to applications).

Actual Results: The Apple documentation on notarization is unclear on how to obtain notarized kernel extensions.

Version/Build: "Notarizing Your App Before Distribution" https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution and "Customizing the Notarization Workflow" https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow, retrieved 2019-04-10

Product Version:
Created: 2019-04-10T18:30:26.817800
Originated: 2019-04-10T00:00:00
Open Radar Link: http://www.openradar.me/49783279