Old 06-21-2019, 03:13 PM   #1
odamizu
Sigil for Mac & macOS 10.15 Catalina

I started this discussion in a Catalina thread on the Apple forum and was asked to take it elsewhere.

Starting with macOS 10.15 Catalina, Apple is requiring app notarization by default: "Mac apps, installer packages, and kernel extensions that are signed with Developer ID must also be notarized by Apple in order to run on macOS Catalina."

Meanwhile, this discussion on MacRumors suggests Catalina's Gatekeeper can be overridden via System Prefs > Security or spctl to allow unsigned/unnotarized apps to run.

KevinH weighed in on the new notarization requirement thus:

Quote:
Originally Posted by KevinH
This is actually an important issue for Sigil. Right now I volunteer my time as a Sigil developer (all donations are disabled on our site). Sigil does not use the Mac App store as we have no interest in it. That said, Apple still charges me over $100 Canadian per year just to be able to digitally sign Sigil. They make no exceptions for open source developers.

According to a nastigram I received from Apple Developer Relations ... I must now rebuild and relink my app to enable their special runtime and then to declare "limits" of what the app can do and what files/folders it can access.

Given Sigil is an ebook editing environment, it needs to access Photos, Images, Audio, Video, xhtml files anyplace, etc. Sigil also embeds an entire Python 3.7.2 interpreter and allows full Plugins, I can not even begin to "narrow down" what a plugin should do nor limit it. So this "notarization" is a complete waste as any user added plugin could access whatever they want in python.

Then I must "submit" it for them to quote "notarize" it. As well as all previous releases of Sigil that I have signed.

So this is no trivial task.

Then to add insult to injury the Apple dev docs to do all of this are only provided for XCode IDE "novice" developers who need gui hand holding. No command line instructions were posted so no automating the build process with scripts can be done. We build Sigil across 3 platforms (Windows, Linux, and Mac) and build automation is crucial.

I asked Apple's Developer Relations (who said if I had questions I should ask them) for simple directions on how to do this without XCode and its nonsense baggage and my only response was that I should ask for help from other developers on their developer's forums.

So right now the chances of Sigil getting anything notarized by Apple for its new walled garden on macOS are about 0. And the day they prevent power users from running whatever apps they want, will be the last day I use a macOS. I will just go back to Linux.

The most silly thing about Apple's security model is that it completely ignores unix level security features. If I have a new app I either run it in a VM or create a non-admin account where there are no other files it can even access outside of what I place in that VM or non-admin account for it to use. So it (or me) can not delete my entire music library!

My 2 cents ...
I replied:
Quote:
Originally Posted by odamizu
Thanks Kevin. Your 2 cents are always worth more like $2million to me.

If Catalina (and future macOS's) will run unsigned apps without notarization, would you be willing to continue developing Sigil without signing it?
Thank you
Old 06-21-2019, 04:13 PM   #2
KevinH
Sigil Developer
See the related discussion I had with Kovid here:

https://www.mobileread.com/forums/sh...43#post3859243

His plan is a wait-and-see approach but the new "hardened runtime" requirement would be an issue for Calibre as well. To be notarized an app must use the Apple hardened runtime.

The only way to get Sigil to use the hardened runtime would be to ask for almost all of the entitlements (exceptions) as both Sigil and Calibre use Python plugins (which may load many Python packages and associated shared libraries and modules, none of which we sign), we both use QtWebKit/QtWebEngine which means we use JIT compilation, javascripts, and areas of the stack are walked for garbage collection, etc. Access to user's Photos, Audio, and Video would be restricted. They do not want you to allow the user to run a debugger to help track down an error, they do not want you to use DYLD library path setting, and etc.

Basically, Apple views any 3rd party app as an "attack vector" for an uncaught virus or malware, instead of a real app. This makes no sense at all. If anyone gets physical access to your mac machine, you are screwed anyway. The silly thing is anyone can write a python plugin package that does anything it wants and a user could install that and run it via Sigil or Calibre or even from the command line, so this notarization is effectively shutting a barn door after all the animals inside have already fled.

So my plan is similar to Kovid's. First wait and see what develops. The beta is allowing us both to run now since we are signed but that may change.

If that door closes, the problem will be figuring a way to actually get our apps to work with the "hardened runtime" if at all possible. If so, I will try for "notarization" but it might be impossible to actually pass that requirement even when asking for almost all of the exceptions.

If I can not get notarization to pass, then we come to a real problem. As long as Apple allows unsigned and unnotarized apps to be run, I will simply stop signing it (actually lessening security not increasing it) and keep releasing. If Apple ever prevents power users from installing and running the apps we want, I will simply stop being a Mac user. At that point, some other Apple volunteer developer would have to step up, redesign Sigil to curtail or limit its usefulness to fit the hardened runtime limits or development on macOS would stop.

Last edited by KevinH; 06-21-2019 at 04:20 PM.
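For readers who want to see which of the hardened-runtime exceptions discussed in the post above an app actually requests, here is an added example (not part of the thread and not Sigil's or Calibre's code). It audits an entitlements plist of the kind embedded in a signed app; the sample plist is constructed for illustration, and the keys are Apple's documented entitlement names.

```python
import plistlib

# Hardened-runtime exceptions: Apple's documented entitlement keys mapped to
# the protection each one switches off when set to true.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit":
        "may map writable+executable memory with MAP_JIT (JIT engines)",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "may create writable+executable memory without MAP_JIT",
    "com.apple.security.cs.disable-executable-page-protection":
        "code-signing checks on executable pages are disabled",
    "com.apple.security.cs.disable-library-validation":
        "may load libraries/plugins not signed by Apple or the same team",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables are honoured",
    "com.apple.security.get-task-allow":
        "other processes (debuggers) may attach to the app",
}

# Resource-access entitlements relevant to an editor handling media.
RESOURCE_ACCESS = {
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.device.camera": "camera",
    "com.apple.security.personal-information.photos-library": "Photos library",
}

# Constructed sample: roughly what an app embedding a JIT-based web engine
# and loading unsigned plugin libraries would have to request.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""


def audit_entitlements(plist_bytes):
    """Summarise which hardened-runtime protections an entitlements plist
    turns off, which stay in force, and which resources it asks for."""
    ents = plistlib.loads(plist_bytes)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must be a dictionary")
    # A key that is present but false does not weaken anything.
    granted = {k for k, v in ents.items() if v is True}
    known = set(RUNTIME_EXCEPTIONS) | set(RESOURCE_ACCESS)
    return {
        "disabled": sorted(k for k in granted if k in RUNTIME_EXCEPTIONS),
        "intact": sorted(k for k in RUNTIME_EXCEPTIONS if k not in granted),
        "resources": sorted(RESOURCE_ACCESS[k] for k in granted
                            if k in RESOURCE_ACCESS),
        "unrecognised": sorted(k for k in ents if k not in known),
        # Notarization rejects binaries that request get-task-allow.
        "notarization_blocker":
            "com.apple.security.get-task-allow" in granted,
    }


if __name__ == "__main__":
    report = audit_entitlements(SAMPLE_PLIST)
    for key in report["disabled"]:
        print("OFF   ", key, "->", RUNTIME_EXCEPTIONS[key])
    for key in report["intact"]:
        print("ON    ", key)
    print("resources:", report["resources"])
    print("blocks notarization:", report["notarization_blocker"])
```

On macOS the input can be taken from a signed app with `codesign -d --entitlements :- <path to app>`.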
Old 06-21-2019, 08:20 PM   #3
odamizu
Quote:
Originally Posted by KevinH
... So my plan is similar to Kovid's. First wait and see what develops. The beta is allowing us both to run now since we are signed but that may change.

If that door closes, the problem will be figuring a way to actually get our apps to work with the "hardened runtime" if at all possible. If so, I will try for "notarization" but it might be impossible to actually pass that requirement even when asking for almost all of the exceptions.

If I can not get notarization to pass, then we come to a real problem. As long as Apple allows unsigned and unnotarized apps to be run, I will simply stop signing it (actually lessening security not increasing it) and keep releasing. If Apple ever prevents power users from installing and running the apps we want, I will simply stop being a Mac user. At that point, some other Apple volunteer developer would have to step up, redesign Sigil to curtail or limit its usefulness to fit the hardened runtime limits or development on macOS would stop.
Thank you, KevinH.

If Apple insists on driving developers like you and KovidGoyal away, I will likely abandon Mac as well — words I thought I'd never say. The last non-Mac operating system I used was DOS. I have never used Windows or Linux, and the thought of leaving Mac is daunting and deeply unhappy-making.
Old 10-05-2019, 03:54 PM   #4
odamizu
With regard to notarization, here are two interesting articles that may (or may not) include useful information if notarization is a no-go for Sigil: disabling Gatekeeper on Catalina and Catalina Security Explained

Last edited by odamizu; 10-14-2019 at 01:55 PM.
Old 10-14-2019, 01:54 PM   #5
odamizu
Good news! Looks like all my worry about notarization is moot.

From Apple Support:

Quote:
How to open an app that hasn’t been notarized or is from an unidentified developer

In macOS Catalina and macOS Mojave, when an app fails to install because it hasn’t been notarized or is from an unidentified developer, it will appear in System Preferences > Security & Privacy, under the General tab. Click Open Anyway to confirm your intent to open or install the app.

The warning prompt reappears, and you can click Open.* The app is now saved as an exception to your security settings, and you can open it in the future by double-clicking it, just as you can any authorized app.

* If you're prompted to open Finder: control-click the app in Finder, choose Open from the menu, and then click Open in the dialog that appears. Enter your admin name and password to open the app.
Old 10-14-2019, 02:15 PM   #6
Vroni
Did you already update to Catalina?
Old 10-14-2019, 02:29 PM   #7
odamizu
Not yet. I've been trying to find time to install it on an external SSD for testing purposes. Hopefully this week.

(I don't plan to update my primary Mac any time in the foreseeable future because I have 32-bit apps I need.)
Old 10-14-2019, 03:21 PM   #8
DiapDealer
Quote:
Originally Posted by odamizu
Good news! Looks like all my worry about notarization is moot.

From Apple Support:
Quote:
How to open an app that hasn’t been notarized or is from an unidentified developer

In macOS Catalina and macOS Mojave, when an app fails to install because it hasn’t been notarized or is from an unidentified developer, it will appear in System Preferences > Security & Privacy, under the General tab. Click Open Anyway to confirm your intent to open or install the app.

The warning prompt reappears, and you can click Open.* The app is now saved as an exception to your security settings, and you can open it in the future by double-clicking it, just as you can any authorized app.

* If you're prompted to open Finder: control-click the app in Finder, choose Open from the menu, and then click Open in the dialog that appears. Enter your admin name and password to open the app.
I really hope it turns out to be that simple. I mean it should be. Who in their right mind would make it so a developer couldn't write an app on their development machine and test it on another machine they own without having the app notarized? Forget distribution of open source software: nobody would be able to write/compile their own program without signing it and notarizing it just to test it out on different hardware.
Old 10-14-2019, 11:56 PM   #9
odamizu
This whole notarization thing has been rather murky from the start.

A lot of developer talk is over my head, but early discussion on the Internet suggested it would only apply once an app was signed or if it was downloaded from the Internet, or that Gatekeeper could be overridden using a Terminal command (spctl) or overridden the way Apple now confirms it can be — all of which would allow a developer to test on other machines they own without notarizing.

kovidgoyal said Gatekeeper is triggered by downloading with Safari here: https://www.mobileread.com/forums/sh...84#post3886884

In any case, I am hopeful this is now moot

Last edited by odamizu; 10-15-2019 at 12:28 AM.
Old 10-15-2019, 03:46 AM   #10
Vroni
Quote:
Originally Posted by odamizu
Not yet. I've been trying to find time to install it on an external SSD for testing purposes. Hopefully this week.

(I don't plan to update my primary Mac any time in the foreseeable future because I have 32-bit apps I need.)
I replaced PiBaker last weekend. This was my last 32-bit app. OK, one exception, I still have ADE 2.something to test epubs with that version. But usage is very rare.
Old 10-15-2019, 02:31 PM   #11
DNSB
For what it's worth, I cloned my Mojave VM and updated the clone to Catalina over the weekend (long weekend here for Thanksgiving). Calibre 4.1 and Sigil 9.1.8 downloaded, installed and ran with the usual Mac query over trusting the application. Now I just need to clean out the remaining 32-bit apps.
Old 10-15-2019, 03:44 PM   #12
odamizu
It does appear that the notarization requirement is not as stringent as Apple first implied, and KevinH and DiapDealer can leave Sigil unnotarized if notarization turns out to be too much of a pain in the behind
Old 10-15-2019, 03:59 PM   #13
DiapDealer
I'm determined not to pay the extortion money they want to keep Windows from popping warnings about unknown publishers.

It's not really even the money at this point (though the prices ARE ridiculous--and getting more so). It's the hoops I would have to jump through and the documents I would have to provide just to be allowed to spend too much money on a certificate (assuming one doesn't want to get a fly-by-night cert). All just to eliminate a pop-up warning that can be easily dismissed. I'm not p(l)aying.
Old 10-15-2019, 04:23 PM   #14
odamizu
Is Apple charging a fee for notarization?!
Old 10-15-2019, 04:32 PM   #15
BetterRed
Apparently so, for popup Windows only
All times are GMT -4.