New Notarization requirements for macOS 10.14.5
At the 2018 Apple World Wide Developer Conference, a new feature of macOS was unveiled, called Notarization. To quote my macOS Mojave for Users, Administrators, and Developers book:
The concept of Notarized apps mimics the real-world concept of a notary. A notary witnesses the fact that a document has been signed by someone, or multiple parties. zed apps use a notary service that is hosted by Apple that verifies that the application is indeed signed by the developer.
The Notary service will also perform some additional checks on the application. These include security checks that verify the application is doing what it indicates as well as the check for private API usage, similar to Mac App Store apps. However, it should be noted that using the Notary Service is not the same as app review. These checks are merely security related and are only performed to notarize your application.
At the announcement of Notarization, Apple announced that Notarization would be available for developers in the summer of 2018, but would be required for all apps in a "future release". With the release of macOS Mojave 10.14.5 there has been a step towards notarization being required, but this is just for some apps, not all apps. You will need to notarize your apps if the following applies:
- If you are a developer who is creating a Developer ID for the first time.
- If you are creating a new kernel extension.
- You are updating a kernel extension
Notarization is a security mechanism, not an App Store review. Instead, it is a way of being able to assure that malicious code cannot be injected into your app. Notarizing a macOS app provides more than just peace of mind for end users, but also for you as the developer. One of the additional benefits of Notarization is that the Notarization service will keep an audit trail of each release version of your app. Should the worst occur and your private signing key get compromised, and malicious software be released, you can work with Apple to revoke those apps that you did not authorize and then release a new version of your app.
These are just some first steps in requiring notarization. It would not surprise me if notarization will be required for all apps starting with the next release of macOS, macOS 10.15. This is even hinted at by Apple's own page:
Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.
The phrase "In a future release" most likely means with the next major release, macOS 10.15. Notarization, while it may seem inconvenient, the process can easily integrate into your workflow and will protect everyone involved. I am sure many developers will not like the fact that they will have to notarize apps, but ultimately it will make things better in the long run.
Source: Apple developer site.