Associative arrays in zsh

This is an excerpt from my book “Moving to zsh” which is available for order on the Apple Books Store.

One of the advantages of zsh over bash 3 is the support of “associative arrays,” a data structure known as hash tables or dictionaries in other languages.

In associative arrays, you can store a piece of data, or value, with an identifying ‘key’. For example, the associative array userinfo has multiple values, each identified with a key:

% echo $userinfo[name]
armin
% echo $userinfo[shell]
bash
% echo $userinfo[website]
scriptingosx.com

Note: bash 4 also added associative arrays, but they are implemented slightly differently.

Creating associative arrays

In zsh, before you can use a variable as an associative array, you have to declare it as one with

declare -A userinfo

This will tell the shell that the userinfo variable is an associative array. You can also use typeset -A as an alternative syntax. You can verify the type of the variable:

% echo ${(t)userinfo}
association

You can then set the key-value pairs of the userinfo associative array individually:

userinfo[name]="armin"
userinfo[shell]=bash
userinfo[website]="scriptingosx.com"

When you set the value for an existing key again, it will overwrite the existing value:

% echo $userinfo[shell]
bash
% userinfo[shell]=zsh
% echo $userinfo[shell]
zsh

Setting the values for each key is useful in some situations, but can be tedious. You can also set the entire associative array at once. There are two syntaxes for this in zsh:

userinfo=( name armin shell zsh website scriptingosx.com )

This syntax follows the pattern ( key1 value1 key2 value2 ... ). The other syntax is more verbose and expressive:

userinfo=( [name]=armin [shell]=zsh [website]="scriptingosx.com" )

When you set the associative array variable this way, you are overwriting the entire array. For example, if you set the userinfo for ‘armin’ like above and then set it later like this, the website key and value pair will have been overwritten as well:

% userinfo=( [name]=beth [shell]=zsh )
% if [[ -z $userinfo[website] ]]; then echo no value; fi
no value

If you want to partially overwrite an existing associative array, while leaving the other key/value pairs intact, you can use the += operator:

% userinfo+=( [shell]=fish [website]=fishshell.com )
% echo $userinfo[name]
beth
% echo $userinfo[shell]
fish
% echo $userinfo[website]
fishshell.com

To clear an associative array, you can use:

% userinfo=( )

Retrieving data from an associative array

We have already seen you can get the value for a given key with the ‘subscript’ notation:

% echo $userinfo[name]
beth

When you access the $userinfo variable directly, you will get a normal array of the values:

% echo $userinfo
beth fish fishshell.com

You can also get an array of the keys with this syntax:

% echo ${(k)userinfo}
name shell website

or a list of both keys and values:

% echo ${(kv)userinfo}
website fishshell.com shell fish name beth

You can use this to copy the data from one associative array to another:

% declare -A otherinfo
% otherinfo=( ${(kv)userinfo} )
% echo $otherinfo[name]
beth

You can also use this to loop through all the keys and values of an associative array:

for key value in ${(kv)userinfo}; do
    echo "$key -> $value"
done

#output
website -> fishshell.com
shell -> fish
name -> beth
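The pieces above (declaring with declare -A, adding with +=, testing for a key, and walking ${(kv)...} pairwise) come together in this added example, which is not from the book: it tallies failed logins per user from a few constructed log lines. The log format and user names are made up for the example.

```zsh
#!/bin/zsh
# Added example (not from the book): count failed logins per user name
# from constructed log lines using zsh associative arrays.

# Constructed sample input; in practice this would come from a log file.
loglines=(
  "2019-11-08 09:01:12 sshd[401]: Failed password for armin from 10.0.0.5"
  "2019-11-08 09:01:15 sshd[401]: Failed password for armin from 10.0.0.5"
  "2019-11-08 09:02:40 sshd[402]: Failed password for beth from 10.0.0.9"
  "2019-11-08 09:03:01 sshd[403]: Accepted password for beth from 10.0.0.9"
  "2019-11-08 09:05:33 sshd[404]: Failed password for armin from 10.0.0.7"
)

# Both associative arrays must be declared before use.
declare -A failures    # user -> number of failed attempts
declare -A first_seen  # user -> timestamp of the first failure

for line in $loglines; do
  # Only count failed attempts; the pattern matches the sample lines above.
  if [[ $line == *"Failed password for "* ]]; then
    # Strip everything up to the marker, then keep the first word (the user).
    user=${line#*Failed password for }
    user=${user%% *}
    # The leading date and time, everything before " sshd".
    ts=${line%% sshd*}
    # ${+failures[key]} is 1 if the key exists and 0 otherwise; record the
    # timestamp only the first time a user shows up.
    (( ${+first_seen[$user]} )) || first_seen[$user]=$ts
    # An unset key counts as 0 in arithmetic, so no separate init is needed.
    (( failures[$user]++ ))
  fi
done

# ${(k)...} expands to the keys, ${(kv)...} to alternating keys and values.
echo "users with failed logins: ${(k)failures}"
for user count in ${(kv)failures}; do
  echo "$user -> $count failed attempts, first at ${first_seen[$user]}"
done

# Collect users at or above a threshold into another associative array,
# appending with += and the ( key value ) form so earlier entries survive.
declare -A flagged
for user count in ${(kv)failures}; do
  (( count >= 2 )) && flagged+=( $user $count )
done
echo "flagged: ${(k)flagged}"
```

As in the book's own output, the order in which ${(kv)...} returns the pairs is not the insertion order.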

Limitations

Associative arrays have their uses, but are not as powerful as dictionaries in higher-level languages. In zsh, you cannot nest associative arrays in normal arrays, which limits their use for complex data structures.

There is also no functionality to transfer certain file formats, like XML or property lists, directly into associative arrays or back.

Shell scripting was never designed for complex data structures. When you encounter these limitations, you should move “up” to a higher level language, such as Python or Swift.

Weekly News Summary for Admins — 2019-11-08

Another week, … yes, really… another update. iOS 13.2.2 dropped last night. At this rate, I am surprised there is no Catalina 10.15.1 Supplemental update yet. Maybe next week. We did also get new betas for all the next updates.

In other news, Adobe is finally shipping Photoshop for iPad, and announced Lightroom and Illustrator for the future. I will leave the discussion of whether this is really a “full” Photoshop or not to others. But I will point out that this is yet another “Pro” application that is now available on iPad. There are still plenty of reasons or excuses to have a Mac over an iPad, but they are dwindling.

Progress update: I got a lot of work done on my new book “Moving to zsh.” I had set the delivery date to Dec 31, because the Books Store interface required me to enter a date, but I am quite confident now that I will beat that.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

#! On Scripting OS X

📰News and Opinion

🐦On Twitter

  • Rene Ritchie: “I’d love both word count and a plain text option in Notes .app.… ”
  • Bryson Tyrrell: “I think I’ve been vastly under-calculating the amount of traffic that Community Patch serves.” (Thread)
  • Arnold: “Xcode, all you ever tell me is WARNINGS and ERRORS, it’s always problems and bad things with you, that’s so toxic would it kill you to say nice things about my code every once in a while?…” (Great Mockups)

🐞Bugs and Security

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻️Updates and Releases

🎧To Listen

📚 Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

desktoppr v0.2 – Notarized

I have just pushed an update to my desktoppr tool which can change the desktop on macOS. No new features but the installer pkg is now notarized.

And because you need to use a newer Xcode and Swift 5 to notarize the tool, it now requires the Swift 5 Runtime support for command line tools when you install it on versions of macOS older than 10.14.4. (On those older versions, you can also continue to use desktoppr-0.1)

Book update: macOS Installation v5

There is a new update to my book “macOS Installation!”

It contains lots of updates regarding Catalina, and the usual list of typos and other fixes.

As usual, the update is free when you already own the book.

If you have already purchased the book, you can go to the Apple Books application on your Mac and choose ‘Check for available Downloads…’ from the ‘Store’ menu. I have seen the Mac Books app be really slow (or even completely blind) in picking up updates; you can accelerate the process by removing the local download and re-downloading the book. In iOS tap on your iCloud account icon next to ‘Reading Now’ and then choose ‘Updates.’

If you have not yet purchased the book, I have good news for you: I have lowered the price!

Why did I lower the price? Let me explain…

This is the fourth update for “macOS Installation.” It might be its last.

When I first published the book in June 2018, I promised updates until the Mojave release. There have now been two updates beyond that: one for the Mojave “Spring” update, and another one for Catalina.

The format of the book had the original intention to help MacAdmins learn about and deal with the strange, new post-imaging world that came with High Sierra and the T2 Security chip. I like to believe it did that quite well. But since then, the releases of Mojave and Catalina have added more layers of complexity and information on top of that.

The post-imaging world isn’t new anymore. It is still strange, complicated, and sometimes hard to navigate. However, I feel that the book’s format would have to change to keep being a useful guide. Obviously, such a re-structuring is a massive effort and would pretty much result in a new book. Maintaining and updating a book is a lot of effort, re-writing it even more so.

Thus the decision that this might be the last update for “macOS Installation.” Depending on how disruptive the changes in the Catalina “spring” update will be, I might update for those, but I am not planning to update the book for 10.16 next year.

I might work on some new book on macOS deployment and management in the future. However, I have a few other topics I want to publish before I do that, so that might be a while.

Charles Edge’s and Rich Trouton’s new book should be a great successor to “macOS Installation”:

  • Rich Trouton’s and Charles Edge’s “Apple Device Management: A Unified Theory of Managing Macs, iPads, iPhones, and AppleTVs”: pre-order on Amazon US, UK, DE (Affiliate Links)

“macOS Installation” should remain useful for the lifetime of Catalina, which, depending on your deployment practices, should be another one to four years, more if 10.16 and 10.17 do not drastically change everything again.

Readers who bought the book 16 months ago got several updates for free. I believe free updates are one of the great value propositions of self-published digital books. Most computer related information changes quickly these days and being able to update digital books is a great way to extend their lifetime, usefulness, and value.

My plan not to further update “macOS Installation” thus lowers its value a bit, and to reflect that I am lowering its price in the store.

That said, I am convinced the book is still very helpful and full of useful information as it is, so if you have not bought the book yet, this is your chance!

Changes in this version (you can also find this in the book in the ‘Version History’ section):

  • added “Moving to zsh” to More Books and updated links to new Apple Books format
  • extended the explanation on FileVault and the Secure Token
  • added Catalina System Volume Layout description
  • added instructions to block the macOS Catalina download
  • added an explanation for the expiring installer certificates from October 2019
  • updated download links for Older macOS Versions
  • added notes to NetBoot-based Installation regarding its further demise and the removal of System Image Utility from Catalina
  • added information on new softwareupdate features in Catalina to macOS Installer Application
  • added a section on new Catalina features
  • added a description of new stub Installer application behavior with startosinstall
  • added link to new SecureToken documentation
  • updated text and tables to reflect the 2019 iMacs
  • clarified reboot behavior of Mojave and High Sierra with Custom Packages
  • added a list of MDM commands that require DEP
  • now using the term ‘conventional’ Macs to refer to non-Secure Boot or pre-T2 Macs
  • many typos, minor changes and clarifications

Weekly News Summary for Admins — 2019-11-01

While I got to take off a week for vacation, Apple certainly did not… Welcome back!

We got expiring certificates and lots of updates! Also, new AirPods Pro.

I have tried to put some order into all the links I gathered over the last two weeks. If you think I missed anything, please let me know!

Also, remember that my new book “Moving to zsh” is available to pre-order!

News and Opinion

MacAdmins on Twitter

  • Adam Codega: “Vendors and others who link to macadmins.org: make sure you’re linking to macadmins.org and not our (now offline) Heroku URL”
  • Erik Gomez: “Catalina brings an undocumented change to MDM profiles. You can no longer mark them as “removable”. The only way to remove MDM profiles now is by unenrolling from MDM or the MDM sending a removal command. This was never mentioned in WWDC, Developer Notes or AppleSeed.”
  • Peter Steinberger: “There’s a user default setting: NSApplicationCrashOnExceptions to make macOS apps terminate when an exception is thrown – just as things are on iOS. Microsoft has great documentation on that. Apple, not so much.”
  • Mr. Macintosh: “macOS Catalina 10.15.1 Beta 3 is now available. This post was late because I was thinking about stopping my Beta Update posts. Instead, I need to keep showing everyone how embarrassing macOS Patch Notes have become.”
  • Patrick Fergus: “Adobe Shared Device License 2.0, released 10/21/19 – Sign-in only shows needed information, e.g. if only Federated IDs allowed, Facebook not shown – Prompt reminds users to save & sign out of CC – CCDA Apps panel optionally visible & users can install & update”
  • Preshit Deorukhkar: “Massive update to Adobe Creative Cloud on iOS that brings the entire @AdobeFonts / @Typekit Collection to your iPhone or iPad. Dark Mode too.”

Bugs and Security

Expired Package Certificates

Support and HowTos

Scripting and Automation

Apple Support

Apple Updates

Updates and Releases

To Listen

Just for Fun

Weekly News Summary for Admins — 2019-10-18

Another week, another iOS update. And also another macOS Catalina… Supplemental… Update?

As a Mac admin, I am getting envious of iOS system version numbering.

While I grumble about the nomenclature, the “Supplemental Update” fixed the persisting request to log in to iCloud I had on my MacBook, so it is welcome, whatever it is called.

Note: because of travel and vacation, there will be no Newsletter next week, October 25. The newsletter will be back on November 1!

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • mikeymikey: “32-bit Intel Macs: Introduced 13 years ago – stopped shipping that same year. Ever since has been 64-bit. 10.7 Lion: Launched 8 years ago in 2011 – required 64-bit. macOS had warnings about 32-bit app launches in 10.13 and 10.14. Why was ANY dev shipping 32-bit -only-?” (Thread)
  • Erik Schwiebert: “It took us /years/ to get rid of the Carbon code in Office and make the switch to 64-bit. And we were done in 2016…”
  • John Goering: “A WWDC slide from a more civilized time in Apple’s history.” (Image)
  • Armin Briegel: “System Image Utility is gone from macOS Catalina. It is not possible to build a NetBoot or NetInstall nbi based on Catalina. (You can probably hack one together, this is not meant as a challenge.) No currently sold Mac model is able to NetBoot. NetBoot is dead.”

macOS Catalina

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

New Book: Moving to zsh

You might have seen this coming. My next book will be called “Moving to zsh” and will cover the new default shell on macOS and how to switch to it from bash.

It is based on the series of blog posts that I posted from June through August, but reworked and expanded with more detail and more topics. Like my other books, I plan to update and add to it after release as well, keeping it relevant and useful.

The book is progressing nicely, but not yet ready. I have put it up for pre-order on the Apple Books Store.

There is a lot of interest in the topic since the release of Catalina and I wanted to let everyone know that after the blog series, a hands-on training class, and my presentation at MacSysAdmin, I still have more to add to the topic. I set the expected release date to December 31, 2019. “Before the end of the year.” (Like the Mac Pro.) I have hope that it will be done sooner than that, but we will see.

When I have more information, you will, as always, read about it here.

Packaging Book Update: v1.10

I have updated my book “Packaging for Apple Administrators”!

It contains lots of fixes, some new parts and updates with regards to macOS Catalina.

This book is now nearly three years old and if you bought it at the very beginning you have gotten eight updates for free!

(Historic sidenote: v1.1 was just a quick fix to remove some placeholder text, so that was the first version on the iBooks Store.)

If you have already purchased the book, you can go to Apple Books application on your Mac and choose ‘Check for available Downloads…’ from the ‘Store’ menu. In iOS tap on your iCloud account icon next to ‘Reading Now’ and then choose ‘Updates.’

Changes in this version (you can also find this in the book in the ‘Version History’ section):

  • added a note on the spkg command line tool for Suspicious Package
  • updated the list of Considerations for Installation Scripts with regards to packages used in Recovery and zsh
  • updated script code across various scripts to match my updated coding standards
  • added a note on zsh in About this Book
  • changed the sample script in the Payload-Free Packages section to enable Screen Sharing instead of SSH because of changes in macOS Catalina security
  • added information on Notarization to Packages and Gatekeeper
  • added a note on the new Catalina read-only system volume in Testing the Package
  • fixed some mis-spellings and inconsistencies
  • fixed some broken links in Recommended Reading
  • changed to new ‘Apple Books’ nomenclature
  • fixed a dead link in ‘Installation Scripts’

Go get it in the Books store!

Weekly News Summary for Admins — 2019-10-11

Release week! (again)

macOS 10.15 Catalina was released this Monday.

You may be terrified of dialog fatigue or excited about new features like Sidecar. You may be waiting for some critical third party to fix their installers or not planning to upgrade for a year anyway.

Whether you are holding back the update or diving in right away, this means a lot of extra work and learning for MacAdmins. Thanks to all the MacAdmins on Twitter, Slack, and weblogs for helping and sharing information.

On Scripting OS X

macOS 10.15 Catalina

Adobe and Catalina

MacAdmins on Twitter

  • Jerry Olla: “Need to be able to see Wi-Fi connection details in iOS? Install the “Wi-Fi for iOS” diagnostic profile”
  • Tom Bridge: “Quick PSA based on some feedback from friends: Do NOT notarize someone else’s software, your Developer ID might end up in hot water.”
  • Robert Hammen: “Want to block macOS Catalina from showing up in Software Update preferences on macOS Mojave? sudo /usr/sbin/softwareupdate --ignore "macOS Catalina" prevents it from appearing! Credit to @wegotoeleven”
  • Pepijn Bruienne: “And for those interested in implementing Watch-based auth in macOS 10.15 themselves, take a look at this newly added ACL as part of the Keychain Services API”
  • William Smith: “MacAdmins, if you’ve told your technicians to use the Command-Option-R method to boot into Internet Recovery mode on your Macs to reinstall macOS, be aware this will now install Catalina not Mojave.”
  • Erik Schwiebert: “Mac Office 16.29 and later are fully supported on the new macOS 10.15 Catalina! Version 16.31 (due out in mid-November) will drop support for macOS 10.12 Sierra.”
  • Eric Holtam: “Confirmed by @ClassicII_MrMac – a bricked T2 that failed previous DFU bridgeOS restores can be revived.”
  • Jason Broccardo: “Which OSes are offered 10.15 in the GUI Software Update: – 10.10: 10.13 is offered – 10.11: untested – 10.12: 10.15 not offered in SU or App Store>Updates – 10.13: 10.15 not offered in SU or App Store>Updates – 10.14.x: 10.15 offered in SU GUI but not CLI”
  • Rosyna Keller: “I wanted to clarify a few things that have caused some confusion about the Jan 2020 date. 1. All software created after June 1st, 2019 must still be notarized for Catalina. 2. A notarization ticket issued before Jan 2020 still remains valid forever.”
  • John C. Welch: “Yeah, the auth dialogs in Catalina can be annoying. Anyone got a better method besides “pretend your mac isn’t under constant attack and hope for the best” aka “hopes and prayers” or “get cissp certified before you’re allowed to use a computer”?” (Thread)
  • Nikolaj Schlej: “macOS Catalina brings a small, but important update to Mac Firmware Password mechanism: you can now opt-out (and back in) from password reset mechanism used by AppleCare. It makes FW password harder to reset, use it on your own risk!”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

To Listen

Just for Fun

Notarization for MacAdmins

Apple introduced Notarization in macOS Mojave. Since its introduction, Apple has kept increasing the use of notarization checks in macOS. For macOS Catalina, Apple has been very vocal in saying that Notarization is a requirement for distribution of Applications outside of the Mac App Store.

This has left many MacAdmins confused and concerned. A large part of the work as a MacAdmin consists of (re-)packaging applications, configuration files and scripts so they can be distributed in an automated fashion through a management system, such as Jamf Pro, Munki, Fleetsmith, etc.

Do MacAdmins need to notarize all the package installers they create as well? Do MacAdmins need to obtain an Apple Developer ID? How should MacAdmins deal with notarized and non-notarized applications and installers from third parties?

This post is an attempt to clarify these topics. It’s complicated and long, bear with me…

Signed Applications

Apple’s operating systems use cryptographic signatures to verify the integrity and source of applications, plug-ins, extensions, and other binaries.

When an application, plug-in, extension, or other binary (from now on: “software”) is signed with a valid Apple Developer certificate, macOS (or iOS, tvOS, and watchOS) can verify that the software has not been changed or otherwise tampered with since it was signed. The signature also identifies its source, i.e. the individual Developer account or Developer team whose Developer identity was used to sign the software.

If the contents of the software were changed for some reason, the verification fails. The software can be changed by accident or with malicious intent, for example to inject malicious code into an otherwise beneficial piece of software.

Since Apple issues the Developer IDs, they also have the option of revoking and blacklisting certificates. This usually happens when a Developer ID has been abused to distribute malware. The Malware Removal Tool or MRT is the part of the system that will identify and block or remove blacklisted software.

App Store Distribution

Applications distributed through Apple’s App Stores have to be signed with a valid Developer ID. A developer needs to have a valid subscription ($99 per year for individuals and $299 for organizations) to obtain a certificate from Apple.

When a developer submits software to an App Store on any Apple system, the software will be reviewed by Apple to confirm whether it meets the various guidelines and rules. This includes a scan for malware.

App Store applications also have to be sandboxed, which means they can only access their own data (inside the “sandbox”) and not affect other applications, services, or files without certain “entitlements” and, in many cases, user approval.

App Store rules and regulations and sandbox limitations preclude many types of applications and utilities. On iOS, tvOS and watchOS, they are the only way for developers to distribute software to end users.

Apple provides a method for Enterprises and Organizations to distribute internal software directly without going through the App Store and App Store review. This should be limited to distribution to employees and members of the organization (such as students of a university or school). This method has infamously been abused by Facebook and other major companies, which led to Apple temporarily revoking their certificates. (We will not discuss Enterprise App Distribution in this post.)

There is also much criticism about how realistic Apple’s rules and guidelines are, how arbitrary the review process is, and whether the sandbox restrictions are useful or unnecessarily draconian. A lot of this criticism is valid, but I will ignore this topic in this post for the sake of simplicity and brevity.

Software downloaded from the App Store is automatically trusted by the system, since it underwent the review and its integrity and source can be verified using the signature. In the rare case that some malicious software was missed by the review process, Apple can revoke the Developer certificate or blacklist the software with the Malware Removal Tool.

Distribution outside of the Mac App Store: Gatekeeper and Quarantine

As mentioned before, iOS, tvOS, and watchOS applications have to be distributed to end users through the App Store, be signed with a valid Developer ID, and undergo the review.

Because the Mac existed a long time before the Mac App Store, software vendors have many ways of distributing software. Originally software was sold and delivered on physical media (Floppy Disks, CDs, and DVDs), but with the rise of the internet, users could simply download software from the developer’s or vendor’s website or other, sometimes dubious, sources.

Apple has (so far) accepted and acknowledged that these alternative means of software distribution and installation are necessary on macOS. To provide an additional layer of security for the end user in this use case, Apple introduced Gatekeeper in OS X 10.8 Mountain Lion.

When a user downloads a software installer or archive from the internet it is ‘quarantined.’ When the user attempts to install or launch the software for the first time, Gatekeeper will evaluate the software. There are many steps in this evaluation, and Howard Oakley explains the process in much detail in this post.

You can see the quarantine flag with the xattr command:

% xattr ~/Downloads/somefile.pkg
com.apple.macl
com.apple.metadata:kMDItemWhereFrom
com.apple.quarantine

You can delete the quarantine flag with xattr -d com.apple.quarantine path/to/file. Usually, there is no real need to.

The first step of the evaluation is verifying the software’s signature, Developer ID, and integrity. When encountering an unsigned piece of software, the user will be presented with a warning dialog.

Users with administrator privileges can bypass Gatekeeper by choosing “Open” from the context menu instead of double-clicking to open. Gatekeeper can be completely disabled with the spctl command, though this is not recommended.

The Developer signature provides a way to verify the source and integrity of a piece of software, but since the distribution happens outside of Apple’s control, a malicious developer could still put any form of malicious code in the signed software to keep Gatekeeper happy. As long as the malware avoids widespread detection it will look good to Gatekeeper and the end user. Even when the malware is detected by Apple and the Developer ID is revoked, it is not hard for a malicious developer to obtain or steal a new Developer ID and start over.

Enter Notarization

Apple needed another layer of security which could scan software for known malware and enforce a certain set of security rules on third party software, even when it is distributed outside of the Mac App Store.

Note: I find the effort Apple is putting in to Gatekeeper and Notarization quite encouraging. If Apple wanted to restrict macOS to “App Store only” distribution in the near future, this effort would not be necessary. This shows that Apple still acknowledges the important role that independent software distribution has for macOS.

To notarize software, a developer has to sign it with their Developer ID and upload it to Apple using Xcode or the altool command. Then Apple’s notarization workflow will verify that the software fulfills certain code requirements and scan it for certain malware. The exact details of what is considered malware are unknown. However, we do know that the process is fully automated and, unlike the App Store approval process, does not involve human reviewers.

If the software has passed the notarization process the result will be stored on Apple’s servers. When Gatekeeper on any Mac verifies the software it can confirm the notarization status from Apple’s servers. Alternatively, a developer can ‘staple’ a ‘ticket’ to the software, which allows Gatekeeper to confirm the notarization status without needing to connect to Apple.

When Gatekeeper encounters quarantined software that is notarized, it will show the familiar Gatekeeper dialog with an additional note that:

“Apple checked [the software] for malicious software and none was detected.”

Since 10.14.5, when Gatekeeper encounters signed software that is not notarized, it will show the standard dialog but with an additional yellow warning sign.

As with the previous Gatekeeper checks for a valid signature an administrator user can override the check by choosing ‘Open’ from the context menu instead of double-clicking to open.

In Mojave, notarization was enforced in Gatekeeper checks for kernel extensions, and in 10.14.5 for software with new Developer IDs, which were created after June 2019.

Starting with Catalina, all software needs to be notarized to pass Gatekeeper when the first launch or installation is initiated by a user.

However, the warning can still be overridden by an administrator user using the context menu.

What can be Notarized

As of now, the following pieces of software can be notarized:

  • Application bundles
  • Kernel Extensions
  • Installer Packages (pkg), Disk images (dmg) and zip archives

When you are building other types of software, such as command line tools, you can (and should) place them in one of the archive formats. The preferred choice for MacAdmins should be an installer package (pkg) since it will also place the binary in the correct location in the file system with the correct access privileges.

What cannot be Notarized

You should not notarize a binary or application that you did not sign! The Developer ID used to sign a binary (application or command line tool) should be the same as the Developer ID used to submit the software for notarization.

Apple has loosened the requirements for notarization until Jan 2020 to give developers some extra time to adapt. Once the requirements return to the full restrictions an attempt to notarize third party software with a different Developer ID will fail. (Existing notarizations will remain valid after that date.)

Installer command

When you install software using the installer command from the Terminal or a script, it will bypass quarantine and the Gatekeeper check.

This is also true when you install software using a management system such as Jamf Pro, Munki, Fleetsmith, etc.

Software you re-package as a MacAdmin for distribution through management systems does not need to be notarized.

Given this and the limitations on notarizing third party software above, you should very rarely need to notarize as a MacAdmin.

Example: Re-packaging third party software from dmg

A lot of applications for macOS are distributed as disk images. The normal end user workflow would be to mount the dmg after downloading, and then copy the application from the dmg to the /Applications folder.

There are two steps where Gatekeeper might trigger: when you mount the disk image and when you launch the application after copying for the first time. To pass both these checks, a developer should prudently notarize both the disk image and the application. Google Chrome for example does exactly that, avoiding the Gatekeeper warning.

We can verify this with the spctl command:

% spctl -a -vv -t install ~/Downloads/googlechrome.dmg
/Users/armin/Downloads/googlechrome.dmg: accepted
source=Notarized Developer ID
origin=Developer ID Application: Google, Inc. (EQHXZ8M8AV)

% spctl -a -vv -t execute "/Volumes/Google Chrome/Google Chrome.app"
/Volumes/Google Chrome/Google Chrome.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Google, Inc. (EQHXZ8M8AV)

Unfortunately, some management systems don’t understand “Apps in disk images” as a distribution method. For these systems MacAdmins need to re-package the application into a pkg. You can do that quickly with pkgbuild:

% pkgbuild --component /Volumes/Google\ Chrome/Google\ Chrome.app --install-location /Applications/ GoogleChrome.pkg
pkgbuild: Adding component at /Volumes/Google Chrome/Google Chrome.app
pkgbuild: Wrote package to GoogleChrome.pkg

or use quickpkg.

This new installer package will be neither signed nor notarized:

% spctl -a -vv -t install GoogleChrome.pkg
GoogleChrome.pkg: rejected
source=no usable signature

When you send this installer package to another Mac with AirDrop, the receiving system will attach the quarantine flag. And when you double-click it, you will get the Gatekeeper warning. However, you can still install it using the installer command in Terminal, which bypasses the Gatekeeper system, just as your management system will:

% installer -pkg ~/Downloads/GoogleChrome.pkg -tgt /

Alternatively, you can choose “Open” from the context menu in Finder to bypass Gatekeeper. However, this is not something you want to teach your end users to do regularly.
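To make the two Gatekeeper checks and the re-packaging steps above repeatable, here is an added example script. It is not from the original post or from any vendor; it assumes a Mac with spctl, hdiutil, pkgbuild and xattr on the PATH, matches only the spctl output strings shown above ("accepted", "rejected", "source=Notarized Developer ID", "source=no usable signature"), and uses illustrative paths and package names. The spctl_status helper, which only parses captured spctl text, runs on any shell; the other functions need macOS.

```shell
#!/bin/sh
# Added example (not from the original post): assess a downloaded dmg and the
# app inside it the way Gatekeeper would, then re-package the app as a pkg.
# Assumes macOS with spctl, hdiutil, pkgbuild and xattr on PATH; paths and
# the output package name are illustrative.

# spctl -a -vv prints its verbose assessment on stderr, in this shape:
#   /path/to/thing: accepted
#   source=Notarized Developer ID
#   origin=Developer ID Application: Example Corp (TEAMID1234)   (assumed sample)
# spctl_status takes that captured text and answers "is this notarized?":
# prints "notarized" and returns 0, or prints "<verdict> (<source>)" and
# returns 1 (signed but unnotarized, unsigned, or unparseable output).
spctl_status() {
    verdict=$(printf '%s\n' "$1" | sed -n '1s/^.*: \([a-z]*\)$/\1/p')
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p')
    if [ "$verdict" = accepted ] && [ "$src" = "Notarized Developer ID" ]; then
        echo notarized
        return 0
    fi
    echo "${verdict:-unknown} (${src:-no source line})"
    return 1
}

# assess <install|execute> <path>: run spctl and classify its output.
# Use -t install for dmg/pkg and -t execute for app bundles, as in the post.
assess() {
    out=$(spctl -a -vv -t "$1" "$2" 2>&1)   # spctl exits non-zero on rejection
    printf '%s: ' "$2"
    spctl_status "$out"
}

# quarantined <path>: exit 0 if the file carries the com.apple.quarantine
# attribute that Finder/AirDrop/browsers attach to downloads.
quarantined() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# repackage_dmg <dmg> <out.pkg>: mount read-only, assess the dmg and the app,
# build a component pkg with pkgbuild, detach, and assess the new pkg.
repackage_dmg() {
    dmg=$1; pkg=$2
    assess install "$dmg" || true
    # hdiutil attach lists tab-separated device/type/mountpoint lines; keep the
    # last mount point under /Volumes (the usual idiom for this output).
    mnt=$(hdiutil attach -nobrowse -readonly "$dmg" \
          | awk -F'\t' '/\/Volumes\//{print $NF}' | sed 's/[[:space:]]*$//' | tail -n1)
    [ -d "$mnt" ] || { echo "mount of $dmg failed" >&2; return 1; }
    app=$(find "$mnt" -maxdepth 1 -name '*.app' | head -n1)
    [ -n "$app" ] || { echo "no .app in $mnt" >&2; hdiutil detach "$mnt" -quiet; return 1; }
    assess execute "$app" || true
    pkgbuild --component "$app" --install-location /Applications "$pkg"
    hdiutil detach "$mnt" -quiet
    # The fresh pkg is neither signed nor notarized, so this is expected to
    # report "rejected (no usable signature)". It still installs fine with
    #   installer -pkg "$pkg" -tgt /
    # or through a management system, both of which bypass Gatekeeper.
    assess install "$pkg" || true
    if quarantined "$pkg"; then echo "$pkg carries the quarantine flag"; fi
}

# Usage: ./repackage.sh ~/Downloads/googlechrome.dmg GoogleChrome.pkg
if [ $# -eq 2 ]; then
    repackage_dmg "$1" "$2"
fi
```

The assessment is only as good as the strings it matches, so treat anything other than "notarized" as "needs a look" rather than as a specific diagnosis; a rejection for a freshly built pkg is the expected outcome, not an error.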

Firefox can be downloaded as a disk image as well as an installer package. While the application inside both is notarized, neither the disk image nor the installer package is. The disk image mounts with no issues, but when you try to open the installer pkg by double-clicking you will get the expected notarization warning. Nevertheless, the pkg will work fine after importing it into your management system.

Edge cases

There are some cases where notarization would be useful for MacAdmins but might not even be possible. I met a MacAdmin working at a university at MacSysAdmin last week. They need to re-package a VPN client with customized configuration files to be installed on student-owned machines.

There is really no solution without the students running into the notarization warning. Teaching the users how to bypass Gatekeeper is not a good solution.

In these cases you have to work with the software vendor and Apple to find a workable solution.

Summary

Notarization is a new security layer introduced by Apple in Mojave. The restrictions imposed on non-notarized software increase in Catalina.

When an application is installed or launched for the first time by the user (by double-clicking), Gatekeeper will verify the signature and notarization status and warn the user if either is missing.

Developers should sign and notarize their applications and tools.

Mac Administrators should not notarize applications and tools from third parties.

Applications and packages installed through management systems bypass Gatekeeper and do not need to be notarized.

Conclusion

Apple is loudly messaging that notarization is absolutely required for applications in Catalina. While this message makes sense for the developers building the software, it does not apply to administrators who re-package third party software for distribution through management systems.

MacAdmins should join Apple in demanding signed and notarized binaries and installer packages from developers.

However, MacAdmins can also continue their current workflows for re-packaging and distribution.

Links