Apple Notarisation: Current Mac software installers might not run smoothly on macOS Catalina

Apple’s new ‘notarisation’ security requirement for macOS Catalina might mean that installers you have for pre-2019 software will not run if you double-click them in the Finder. Also many installers available online that are not updated will not run in macOS Catalina.

Those of us who have created installers of all kinds – including for Final Cut plugins – should prepare for extra work before macOS Catalina is released in Autumn.

For installer applications to run as normal, they will need to be ‘notarised’ by Apple.

This process includes using Xcode or a Terminal command to submit your application to Apple. Once an automated process approves your application (which takes less than 30 minutes at the moment), it is notarised. That means when a user double-clicks it (or a browser attempts to start it), the Mac will go to the internet to see if it has been notarised. If notarised, it will run. If not, it won’t. If there is no internet connection – if someone runs an installer on a Mac with no or restricted online access – the application will not run.

So that notarised applications can run on offline Macs, there is an additional process known as ‘stapling’ which attaches the notarisation ticket to the application itself. If the installer application has been ‘stapled,’ it will run as normal on non-internet connected Macs.

I used Plugin Manager (from Digital Rebellion’s Pro Maintenance Tools) to make the many installers for my free Final Cut plugins. Part of the process was signing the installers with my Apple developer ID. These installers from years ago will not work smoothly with macOS Catalina.

I watched a long presentation on notarisation by Tom Bridge who has written on his blog:

I found a package that is properly signed that delivers Motion and Final Cut Pro templates that also triggered the quarantine warning. They were signed for distribution, but not notarized. They still flagged the quarantine check because they were distributing files.

Developers might see this as an opportunity to review old installers. I hope Digital Rebellion can help me with my NLE plugin installers. I might also need to make a whole load of new installers that I can notarise using other tools.

It is time for macOS developers to do the research to make sure their applications will easily run in macOS Catalina and newer.

Watch Tom’s presentation (aimed at Mac administrators who are happy building applications using Xcode) from 33:22 to find out more about the notarisation process:

If you do nothing, users running your pre-2019 installers will see this (from Tom’s blog):

How to run un-notarised applications in Catalina

There are many useful Mac software installers on the internet that remain safe to use, but whose developers have moved on – who are very unlikely to go through the notarisation process.

Apple have said that users will always be able to run any software they like on their Macs. Their security policies in recent years have been about making running unchecked applications less straightforward – to protect naive users from malicious software.

In the Finder, use the File:Open command (or control-click its icon to see a context menu that includes the Open command) to get a dialog box that asks if you are sure you want to open it – which includes an ‘Open’ button which you can click. Here is what that dialog box looked like in 2013:

Click ‘Open’ and the un-notarised application will always run on your Mac. For each new Mac you move the installer to, you will have to go through the same process.

8th August 2019

Happy birthday Apple Motion 5 – here’s to the next 15 years!

16th August 2019

Admin tool distributes Apple’s additional content for Logic Pro X, GarageBand and MainStage 3