Notarize Signature Block Acceptance with airSlate SignNow

Notarize signature block acceptance

good afternoon everyone thanks for joining us today I'm Garrett and I work on the trusted execution team here at Apple and today we're here to talk all about notarization here's a quick agenda for the talk we're gonna start with a brief overview of what notarization is and some of the benefits that it provides then we're going to talk about the application requirements to get your software notarized and then finally we'll run through the workflows and tools that you'll need to use to notarize your software so let's get started what exactly is notarization well it's a process that we introduced last year at dub dub DC to help identify and block malicious software prior to distribution now it's an extension of the developer ID program which means that you don't need to register for anything different or use different certificates which also means that you stay in control of signing and distribution of your software just like you did before notarization was introduced now the key to this is the notary service which performs automated security checks on developer ID signed content so let's run through a little bit about what the workflow looks like when you need to start notarizing your software for the first time now here's a diagram that talks a little bit about what the development workflow can look like and local development remains completely unchanged you build and sign at your desk using your Apple developer certificates until you have a release candidate at that point you sign the software with your developer ID certificate and you can send a copy of it to the Apple notary service for notarization when notarization is complete and successful the notary service can send back a ticket which you staple to your software prior to distribution and once it's stapled the software is ready for distribution just like you did before now it's worth calling out that this workflow didn't change it all from last year so this is just a bit of a refresher now what we didn't talk about last year was what happens when someone downloads your software and uses it for the first time so when a user downloads your stapled software and double-click it to launch it gate keeper will perform a verification it'll check the local ticket and it will also reach out to the notary service via cloud kit to check for a ticket also as long as the ticket checks out and the ticket matches the content of your app gatekeeper will allow the application and the user will see the normal first launch prompt now I want to remind everyone that notarization is not an app review the notary Service performs a set of automated security checks now last year we made a goal to get most responses back from the notary service within an hour and it actually turns out that over the last year 99% of submissions have had an answer back within 15 minutes also the status of the notary service is now on Apple's public status page so you can easily check to see if there are any service problems that would it would cause problems now what are the benefits to notarization well there are many of them so I'm just gonna highlight a few of them today first the notary service can help prevent you from inadvertently shipping a malicious dependency second apps with the hardened runtime are more secure by default and we'll talk a little bit more about that later that can help prevent your app from being abused by attackers third users are more likely to download and try new software knowing that Apple has scanned it for known security issues and finally notarization also provides an audit trail of software notarized by your developer ID account that you can use to check the submission history and ensure that software hasn't been released that you didn't intend to release from your account so that's a little bit of an overview of notarization now let's bring up Robert to talk about the application requirements to notarize your software so to start I want to say that for any of the software that you previously distributed it doesn't have to meet any new requirements you can submit your new salt your existing distributed software for notarization as is without change but for new software you need to make sure that it needs a few security requirements in particular it has to be completely incorrectly signed and it needs to adopt the hardened runtime and by new software I mean software signed on or after June 1st of 2019 so we're gonna go into detail on what we mean by both of those things but the complete incorrect signing and the hardened runtime so first when you to completely sign everything you need to sign everything that means bundles mako's installer packages wherever they are whether you have Mako's in your installer packages to install our packages in your bundles anywhere that they're found in any place within your product they need to be signed yet they need to be signed correctly so to sign correctly that means you have to sign bundles Mako's and code and I'll talk more about code in a second with your developer ID application certificate and be sure to include a secure timestamp for executables they need to opt into the hardened runtime you don't need to opt into the hardened runtime for dial id's or frameworks or bundles just for executables for installer packages you need to sign them with your developer ID installer certificate and this is different from your developer ID application certificate so be careful also if you choose to sign your disc images to avoid gatekeeper path randomization then those must be signed with your developer ID application certificate and include a secure timestamp so if you're using Xcode for building your package or your software this is easy if you turn on automatic so code signing Xcode does all of this for you but you have to be careful if you use script build phases or copy build faces those might be introducing new code into your software that Xcode doesn't know about and then you have to make sure that those get correctly signed so I mentioned code files so when we introduced code signing a number of years ago we documented in the tech note that there are these things called code places so any files found in any of these places within their bundle are considered code by the code signing infrastructure and that means they need to have an attached signature Mako's are the best for this you can embed the signature inside of any Marco that you put in these places as well as for bundles but if you put other types of files such as JPEGs or raw binary files those have to be signed as well but they don't get an attached signature instead the signature ends up in Isaacs as an extended attribute and that means that you have to be careful when you're packaging up your code to make sure that that extended attribute stays within those to avoid having to be too careful with that we recommend that you put anything that isn't a Marco or a bundle containing a Marco in a place other than any of these places when you're structuring your app so to get signing right when you're doing it outside of Xcode we recommend what we call inside out code signing that means you sign the most deeply nested bundle or piece of code within your app first and in this case it would be the updater app inside of the sparkle framework inside of the watching grass grow app and then you move up a level and sign each of the the things individually note that when you sign this sparkle framework by itself the sparkle framework that grabs the sparkles main executable as well as signing the updater app together and note you need to go individually to watch grass grow saver grow grass die Lib and watching grass grow helper and finally after you've signed all those you sign everything together at the top bundle and again this will sign the main executable of your bundle as indicated by your info.plist some of you use the dash dash deep flag in your custom workflows but you need to be careful the - just deep flag only looks for code in code places and in this case the the grow grass dye lib the watching grass grows saver and the updater dot app wouldn't be found as code they would be signed in as resources but they wouldn't be signed as code and therefore they mode would be rejected by the notarization unless you took the extra steps to do the inside out signing and see tech note 22:06 for more information on inside out signing in code places after the top