Arduino Forum

Development => Other Software Development => Topic started by: J-M-L on Apr 11, 2019, 10:29 am

Title: Notarizing the Arduino IDE for MacOS?
Post by: J-M-L on Apr 11, 2019, 10:29 am
Hi

I was reading this article: Notarization Required for Mac Apps Created With New Developer IDs Starting in macOS 10.14.5 (https://www.macrumors.com/2019/04/08/mac-apps-notarization-macos-10-14-5/)

Seems Apple plans to make notarization a default requirement for all software in the future.

Is there any plan for the downloadable packaged/executable version of the IDE to be notarized? That would reinforce the trust in what we install on our systems.
Title: Re: Notarizing the Arduino IDE for MacOS?
Post by: Robin2 on Apr 11, 2019, 11:04 am
Quote
Is there any plan for the downloadable packaged/executable version of the IDE to be notarized? That would reinforce the trust in what we install on our systems.
Just out of idle curiosity, does this notarization process require money to be given to Apple?

...R
Title: Re: Notarizing the Arduino IDE for MacOS?
Post by: J-M-L on Apr 11, 2019, 12:34 pm
I don't know.

You need to get a Developer ID that will be used in the process of signing the code, and submit it to an automated verification engine.

There is a free developer program but also another one for a fee if you want to sell your apps in the App Store or get code-level support ($99 per year for a company, no per-developer fee).

The process is described here (https://developer.apple.com/developer-id/).

Quote
Get Your Software Notarized
Give users even more confidence in your software by submitting it to Apple to be notarized. The service automatically scans your Developer ID-signed software and performs security checks. When it's ready to export for distribution, a ticket is attached to your software to let Gatekeeper know it's been notarized.
and in more detail there (https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution)

There is an extra value for developers that they highlight:
Quote
If you discover unauthorized versions of your software, you can work with Apple to revoke the tickets associated with those versions
There have been many attacks in the past across platforms with rogue versions of developer tools that inject extra code in your apps... Getting the assurance we download the right version as compiled by the vendor is of actual value (in my opinion). (That's why I never got CH340 drivers from China, for example.)

Seems nothing is enforced for the time being anyway, just an annoying pop-up from time to time stating that the IDE is not signed - so just curious if Arduino plans to get signed versions of the IDE.