objective-see / BlockBlock

BlockBlock provides continual protection by monitoring persistence locations.
GNU General Public License v3.0

Notarized mode blocks TestFlight apps #61

Open Roguelazer opened 1 year ago

Roguelazer commented 1 year ago

Something sort of odd I've noticed: Notarization mode blocks running Catalyst applications from TestFlight. This is weird, because they're fully-signed apps, so presumably shouldn't hit this flow at all.

[Screenshot 2023-01-23 at 15:27:39] [Screenshot 2023-01-23 at 15:29:05]

I'm not sure if this is a Catalyst bug, a TestFlight bug, or a BlockBlock bug, but I figured I'd start here. This is all on Ventura (just confirmed it's still broken on 13.2).

objective-see commented 1 year ago

Aloha, BlockBlock appears to be working correctly ... the app shown in the screenshot ("Mammoth"), though signed, does not appear to be notarized ... and thus is blocked.

Attached is an example of a WYS screenshot of a notarized app (note: "signed & notarized"):

[Screenshot 2023-01-24 at 22:03:36]

You can also test for notarization via: `spctl -a -t exec -vvv <path 2 app>`

```
% spctl -a -t exec -vvv /Applications/BlockBlock\ Helper.app
/Applications/BlockBlock Helper.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Objective-See, LLC (VBG97UB4TA)
```

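
An added helper (not part of BlockBlock or this thread) that wraps the `spctl` check above and sorts apps into the states discussed here: notarized, accepted but signed-only, or rejected. `classify_spctl` parses captured `spctl` output on stdin so it can be tried on constructed samples off-macOS; `check_app` runs the real command (spctl writes its verbose assessment to stderr, hence `2>&1`).

```shell
#!/bin/sh
# Hypothetical helper around `spctl -a -t exec -vvv`; not BlockBlock's code.

# Reads spctl output on stdin and prints one of:
#   notarized   - accepted with a notarization ticket ("source=Notarized ...")
#   signed-only - accepted by Gatekeeper but no notarization (BlockBlock's
#                 notarization mode would block such an app)
#   rejected    - spctl rejected the bundle
#   unknown     - output did not match any of the above
classify_spctl() {
    _out=$(cat)
    case "$_out" in
        *": rejected"*)       echo rejected ;;
        *"source=Notarized"*) echo notarized ;;
        *": accepted"*)       echo signed-only ;;
        *)                    echo unknown ;;
    esac
}

# Runs spctl against a real bundle path (macOS only) and classifies it.
check_app() {
    spctl -a -t exec -vvv "$1" 2>&1 | classify_spctl
}

# Usage: ./notarization-check.sh /Applications/*.app
# Prints "<state>\t<path>" per bundle so the signed-only ones stand out.
if [ "$#" -gt 0 ]; then
    for _app in "$@"; do
        printf '%s\t%s\n' "$(check_app "$_app")" "$_app"
    done
fi
```
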
Roguelazer commented 1 year ago

That was just an example; none of the TestFlight apps I can find have the notarized bit. Do you know if it's possible to both notarize and distribute through TestFlight? Or is it just best to disable notarization checking when using TestFlight? I naively expected BB to treat TestFlight apps the same way it treats MAS-signed apps.

objective-see commented 6 months ago

Good point, let me dig into this more. Can you email a TestFlight app to me (patrick@objective-see.com) so I can test more? And yes, ideally ignore TestFlight apps. Mahalo!