Notarization of kernel extensions not clearly documented

Originator: rsfinn
Number: rdar://49783279
Date Originated: 2019-04-10
Status: Open
Resolved:
Product: Developer Tools | Documentation
Product Version:
Classification: Bug
Reproducible: Always

Summary:
On the week of April 8, 2019, the Apple article "Notarizing Your App Before Distribution" <https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution> added the following text:

Important
Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.

The rest of the documentation focuses on notarizing applications, with little to no discussion of the effect on kernel extensions.  For example, one of the documented steps in "Prepare Your Software for Notarization" is "Enable the Hardened Runtime capability"; however, the Capabilities tab does not appear for a kernel extension target.  It seems that this requirement may not apply to kernel extensions, but this is not made clear by the documentation.

Also, in "Customizing the Notarization Workflow", the note on custom installers implies that the payload must be packaged inside the installer to be notarized, and does not explain how to handle the case where components of the payload are downloaded from a secure server at installation time.

The previous paragraph, stating "The notary service accepts disk images ... It processes nested software as well, like packages inside a disk image", seems to imply that one could submit a disk image that contains the various components to be notarized, including the installer and kernel extensions; if so, this should be clarified and/or made more explicit.

This issue is filed as a bug because it blocks the ability to comply with Apple's direction that kernel extensions be notarized to run in macOS 10.14.5, with the apparent result that unnotarized kernel extensions will stop functioning when that OS version is released.  There are already reports that unnotarized kernel extensions are not loading in beta releases of 10.14.5.

Steps to Reproduce:
In the role of a developer, observe the directive in "Notarizing Your App Before Distribution" that kernel extensions must be notarized in macOS 10.14.5, and refer to the Apple documentation for instructions on how this should be accomplished.

Expected Results:
The Apple documentation contains the necessary instructions for notarizing kernel extensions (as opposed to applications).

Actual Results:
The Apple documentation on notarization is unclear on how to obtain notarized kernel extensions.

Version/Build:
"Notarizing Your App Before Distribution" <https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution> and "Customizing the Notarization Workflow" <https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow>, retrieved 2019-04-10

Comments

Official announcement from Apple

https://developer.apple.com/news/?id=04102019a

"We're working with developers to create a safer Mac user experience through a process where all software, whether distributed on the App Store or outside of it, is signed or notarized by Apple. With the public release of macOS 10.14.5, we require that all developers creating a Developer ID certificate for the first time notarize their apps, and that all new and updated kernel extensions be notarized as well. This will help give users more confidence that the software they download and run, no matter where they get it from, is not malware by showing a more streamlined Gatekeeper interface.

Learn how to get your software notarized" (https://developer.apple.com/developer-id/)
