macOS 10.14.5 and later requires that “all new or updated kernel extensions and all software from developers new to distributing with Developer ID” as of April 7th, 2019 be notarized in order to run. Notarization will be required of all kernel extensions and software in some future version of macOS.
Gatekeeper is a technology included in macOS that prevents unsafe or unverified software from running on your Mac. When you run software downloaded from a third-party source rather than the Mac App Store, Gatekeeper checks that it has been signed with a valid Apple Developer ID. Going forward, Gatekeeper will include an additional verification of non-App Store software known as notarization. The intended result of this change is that users can be more confident that they are running safe third-party software on their Macs.
What is notarization?
Notarization is a security verification performed by Apple that checks that no malicious code is present and that there are no code-signing issues in Developer-ID-signed applications and kernel extensions. Per Apple’s documentation:
“The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.”
After the code has been scanned and passed, Gatekeeper will provide additional information in the prompt shown when the user attempts to run the software. This notifies the user that the code has been scanned for malicious content and passed.
Notarization also helps developers protect their software from unauthorized distribution by providing an audit trail for the usage of a developer’s signing key.
How does notarization impact my MDM deployment?
For administrators of Mac deployments with MDM, in-house macOS PKGs and kernel extensions will need to be notarized before being distributed via MDM. If your organization uses custom-written kernel extensions or software, or signs and distributes your own builds of popular open source software like Munki, you will need to add notarization to your build process.
Using an MDM does provide some flexibility with kernel extensions, however. Notarization is not required for kernel extensions that are specified in a kernel extension whitelist profile, delivered by MDM.
Need to notarize? Here’s how.
Apple’s documentation explains that notarization can take place automatically as part of preparing your application for distribution with Xcode. This process is described in more detail in the Xcode documentation.
Apple has also produced additional documentation on the notarization process, including an up-to-date list of the requirements.
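For in-house PKGs that are built outside Xcode (the MDM case above), the notarize-staple-verify step can be scripted into the build. The script below is an added example, not Apple's or this article's own code: it uses Apple's current command-line client, notarytool (Xcode 13 and later), rather than the altool workflow that was current when this was written; the keychain profile name and the exact `status: Accepted` line matched in notarytool's output are assumptions.

```shell
#!/bin/sh
# Added example: notarize and staple a Developer-ID-signed installer package as a
# build step, then re-check it the way Gatekeeper will. Assumes Xcode 13+ and a
# keychain profile created once beforehand with:
#   xcrun notarytool store-credentials "$NOTARY_PROFILE"
# NOTARY_PROFILE is a name chosen for this example, not something from Apple's docs.
set -eu

NOTARY_PROFILE="${NOTARY_PROFILE:-in-house-notary}"

# Returns 0 only when notarytool's text output reports acceptance. Anything else
# (Invalid, In Progress, an upload error) fails the build instead of shipping an
# un-notarized package. The "  status: Accepted" line format is an assumption.
notary_accepted() {
    printf '%s\n' "$1" | grep -q '^ *status: Accepted$'
}

# Submit the .pkg, wait for Apple's verdict, staple the ticket, and run the same
# install-policy assessment Gatekeeper performs when the user opens the installer.
notarize_pkg() {
    pkg="$1"
    # The signature must already be valid: notarization never repairs code-signing issues.
    pkgutil --check-signature "$pkg" >/dev/null
    out=$(xcrun notarytool submit "$pkg" --keychain-profile "$NOTARY_PROFILE" --wait)
    printf '%s\n' "$out"
    if ! notary_accepted "$out"; then
        echo "notarization not accepted; inspect with: xcrun notarytool log <submission-id> --keychain-profile $NOTARY_PROFILE" >&2
        return 1
    fi
    # Stapling embeds the ticket so Gatekeeper can verify offline rather than
    # having to fetch it from Apple at install time.
    xcrun stapler staple "$pkg"
    xcrun stapler validate "$pkg"
    spctl --assess --type install -vv "$pkg"
}

# Run only when a package path is given, so the file can also be sourced.
if [ "$#" -ge 1 ]; then
    notarize_pkg "$1"
fi
```

Run it as `./notarize.sh MyPackage.pkg`; a non-zero exit anywhere in the pipeline (bad signature, rejected submission, failed stapling or assessment) stops the build before the PKG reaches the MDM.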