
Apple Notary Service and Debugging Impact


Haik Aftandilian

Jan 11, 2019, 6:36:25 PM
to dev-platform
Please take a look if you debug Firefox on macOS.

Apple's notary service[1] is a new way to sign macOS applications that has
some security benefits[2] and provides a slight user experience
improvement[3] when users download the application and run it for the first
time. Specifically, the dialog users have to click through to start the
application is less of a warning.

We are working on adopting the service on bug 1470607, but I wanted to
share how this will affect debugging and get some feedback. If an
application is "notarized", starting with macOS 10.14, the OS will prevent
debuggers from attaching to the application unless the user has disabled
macOS system integrity protection (SIP)[4] which requires a reboot. This
prevents debugging of the application with a debugger like lldb or gdb on a
default system.

Assuming the debugging restriction will _not_ apply to the Nightly channel,
local builds, or automation builds, will this debugging
restriction+workaround on official builds (Release, Beta, DevEd) be a
problem for your workflow or in any way you can envision?

Apple has stated that signing with the notary service will be required in a
future macOS version. I think we can assume that this means an application
that is not notarized will require special steps for first launch where the
user may also have to click through dire security warnings. Today,
launching Firefox for the first time on Mac already requires clicking
through one warning. The bug includes a screenshot[3] showing how it will
change with notarized builds.

Thanks,
Haik

1. https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
2. Using the service A) submits the application to Apple to run malware
checks on the binaries and B) requires setting some executable security
flags known as Hardened Runtime. At present, Firefox mostly does not
benefit from enabling Hardened Runtime for various reasons. Another benefit
relates to how a single version of the application can be revoked, without
having to revoke all versions signed with the same key.
3. https://bug1470607.bmoattachments.org/attachment.cgi?id=9036014
4. https://support.apple.com/en-us/HT204899

Stephen A Pohl

Jan 14, 2019, 1:54:13 PM
to dev-pl...@lists.mozilla.org
FWIW, I tend to debug local builds of these individual branches to make
my life easier, for example by turning optimization off etc. It has only
been a handful of times that I had to debug an official build. Having to
disable SIP to debug isn't ideal, but tolerable given how infrequently
this would be necessary. I'd be interested to hear if others have had to
debug official builds more frequently.

-spohl

Haik Aftandilian

Apr 11, 2019, 3:08:09 AM
to Stephen A Pohl, dev-platform
Update on our adoption of Notary Service and its debugging impact:

With notarization, Nightly channel builds will not be debuggable unless the
system is booted with system integrity protection (SIP)[1] disabled. In my
earlier mail[2] to dev-platform about our adoption of the Notary Service, I
indicated that Nightly channel builds would not be impacted by the
debugging restrictions. Since that time we've learned that it is not
possible to notarize an app unless the debugging restrictions are enabled;
hence, notarizing official Nightly channel builds will prevent debugging of
the app unless the system is booted with SIP disabled. As a result, our
plan is to notarize Nightly channel builds in the same way we will for Beta
and Release.

We could choose to skip notarization of the Nightly channel builds to allow
for easier debugging, but then we lose the testing and validation we get
from Nightly for notarization. Nightly's update cadence is also valuable
for validating notarized updates. We could revisit this decision in the
future and choose to opt-out of notarization for Nightly channel builds if
we find the debugging restriction to be blocking important debugging
efforts. That decision would also depend on how difficult installing
non-notarized apps is in future macOS versions (which is unknown at this
time) and how much extra complexity this adds to our release process.

The feedback I received from Mac developers at Mozilla was that it was a
rare occurrence to need to debug an official channel build. Developers are
more likely to debug their own builds (with a more debug-friendly build
config).

Lastly, Apple recently updated their documentation[3] to say that in "macOS
10.14.5, all new or updated kernel extensions and all software from
developers new to distributing with Developer ID must be notarized in order
to run. In a future version of macOS, notarization will be required by
default for all software."

Thanks,
Haik

1. https://support.apple.com/en-us/HT204899
2. https://lists.mozilla.org/pipermail/dev-platform/2019-January/023337.html
3. https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
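
The two messages above describe the mechanism only in prose: notarization requires the Hardened Runtime flag on the binary, the Hardened Runtime blocks debugger attach unless the app carries the com.apple.security.get-task-allow entitlement, and the notary service rejects submissions that carry that entitlement, so a notarized build is only debuggable once the system is booted with SIP disabled. The script below is an added example (it is not code from this thread, from Mozilla's build system, or from Apple) that turns those facts into a pre-flight check a developer can run on a downloaded build before deciding whether a reboot with SIP off is needed. The parsing functions take the text that codesign and spctl print as an argument, so they can be exercised offline against the constructed sample output embedded at the bottom; inspect_app runs the real tools on a Mac. The bundle path, identifier, team id and output text are constructed, and the exact codesign flag spelling for dumping entitlements as an XML plist (--entitlements :-) has varied across macOS versions, so treat that line as an assumption to adjust locally.

```shell
#!/bin/sh
# Added example, not from the thread or from Mozilla's tooling: decide, from
# what codesign and spctl report for a macOS app bundle, whether lldb will be
# able to attach while SIP is enabled. The parsing functions take the tools'
# text output as an argument so they can be exercised offline with the
# constructed samples at the bottom; inspect_app runs the real tools on a Mac.

# Hardened Runtime appears as the "runtime" bit in the CodeDirectory flags line.
has_hardened_runtime() {
    printf '%s\n' "$1" | grep -q 'flags=0x[0-9a-fA-F]*([^)]*runtime'
}

# com.apple.security.get-task-allow re-enables attach for a hardened app; the
# notary service rejects submissions carrying it, which is why a notarized
# build cannot be debugged on a default system. Accepts the XML plist form.
has_get_task_allow() {
    printf '%s\n' "$1" | tr -d ' \t\n' \
        | grep -q '<key>com.apple.security.get-task-allow</key><true/>'
}

# spctl reports "source=Notarized Developer ID" for a notarized, accepted app.
is_notarized() {
    printf '%s\n' "$1" | grep -q 'source=Notarized'
}

# Exit status 0: a debugger may attach on a default (SIP-enabled) system.
# Exit status 1: attach is blocked until the system is booted with SIP disabled.
debuggable_with_sip() {
    if has_hardened_runtime "$1" && ! has_get_task_allow "$2"; then
        return 1
    fi
    return 0
}

attach_verdict() {
    if debuggable_with_sip "$1" "$2"; then
        echo "attach allowed with SIP enabled"
    else
        echo "attach blocked; boot with SIP disabled to debug"
    fi
}

# Runs the real tools on a bundle path. The entitlements flag spelling is an
# assumption (it has changed across macOS versions); adjust if it differs.
inspect_app() {
    app=$1
    sign_out=$(codesign -dvvv "$app" 2>&1)
    ent_out=$(codesign -d --entitlements :- "$app" 2>/dev/null)
    spctl_out=$(spctl --assess --verbose=4 "$app" 2>&1)
    if is_notarized "$spctl_out"; then echo "notarized: yes"; else echo "notarized: no"; fi
    if has_hardened_runtime "$sign_out"; then echo "hardened runtime: yes"; else echo "hardened runtime: no"; fi
    attach_verdict "$sign_out" "$ent_out"
}

# Constructed samples in the shape the tools print; not captured from a real build.
SAMPLE_SIGN_HARDENED='Executable=/Applications/Example.app/Contents/MacOS/example
Identifier=org.example.app
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_SIGN_PLAIN='Executable=/Applications/Example.app/Contents/MacOS/example
Identifier=org.example.app
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded'
SAMPLE_ENT_NONE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict/></plist>'
SAMPLE_ENT_DEBUG='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.get-task-allow</key>
  <true/>
</dict></plist>'
SAMPLE_SPCTL_NOTARIZED='Example.app: accepted
source=Notarized Developer ID'

if [ "$#" -gt 0 ]; then
    inspect_app "$1"
else
    echo "notarized-style build: $(attach_verdict "$SAMPLE_SIGN_HARDENED" "$SAMPLE_ENT_NONE")"
    echo "local debug build:     $(attach_verdict "$SAMPLE_SIGN_HARDENED" "$SAMPLE_ENT_DEBUG")"
    echo "unhardened build:      $(attach_verdict "$SAMPLE_SIGN_PLAIN" "$SAMPLE_ENT_NONE")"
fi
```

Run it with a bundle path (sh check.sh /Applications/Firefox.app) to query the real signature, or with no arguments to see the three sample cases: a hardened build without get-task-allow (what a notarized Release or Nightly looks like) is reported as blocked, while a hardened local build carrying get-task-allow and an unhardened build are both reported as attachable. The check reads only the signature metadata; it does not modify the bundle or change any system setting.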

Boris Zbarsky

Apr 11, 2019, 10:44:39 AM
On 4/11/19 3:07 AM, Haik Aftandilian wrote:
> With notarization, Nightly channel builds will not be debuggable unless the
> system is booted with system integrity protection (SIP)[1] disabled.

Do you know whether sampling via Activity Monitor's "Sample Process"
option or via Instruments will still work?

-Boris

Haik Aftandilian

Apr 11, 2019, 1:19:29 PM
to Boris Zbarsky, dev-platform
Yes. In my testing the sampling options in Activity Monitor continue to
work and I've done some limited testing with Instruments which seemed to
work. I would expect this to be a requirement and to still be supported,
but I'll ask if our Apple contact can confirm this.

And I can send you a notarized Nightly build if you'd like to test a
particular sampling/instrumentation.

Thanks,
Haik