Update on our adoption of Notary Service and its debugging impact:

With notarization, Nightly channel builds will not be debuggable unless the
system is booted with system integrity protection (SIP)[1] disabled. In my
earlier mail[2] to dev-platform about our adoption of the Notary Service, I
indicated that Nightly channel builds would not be impacted by the
debugging restrictions. Since that time we've learned that it is not
possible to notarize an app unless the debugging restrictions are enabled;
hence notarizing official Nightly channel builds will prevent debugging of
the app unless the system is booted with SIP disabled. As a result, our
plan is to notarize Nightly channel builds in the same way we will for Beta
and Release.

We could choose to skip notarization of the Nightly channel builds to allow
for easier debugging, but then we lose the testing and validation we get
from Nightly for notarization. Nightly's update cadence is also valuable
for validating notarized updates. We could revisit this decision in the
future and choose to opt-out of notarization for Nightly channel builds if
we find the debugging restriction to be blocking important debugging
efforts. That decision would also depend on how difficult installing
non-notarized apps is in future macOS versions (which is unknown at this
time) and how much extra complexity this adds to our release process.

The feedback I received from Mac developers at Mozilla was that it was a
rare occurrence to need to debug an official channel build. Developers are
more likely to debug their own builds (with a more debug-friendly build
config).

Lastly, Apple recently updated their documentation[3] to say that in "macOS
10.14.5, all new or updated kernel extensions and all software from
developers new to distributing with Developer ID must be notarized in order
to run. In a future version of macOS, notarization will be required by
default for all software."

Thanks,
Haik

1. https://support.apple.com/en-us/HT204899
2. https://lists.mozilla.org/pipermail/dev-platform/2019-January/023337.html
3. https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution

On Mon, Jan 14, 2019 at 10:54 AM Stephen A Pohl <sp...@mozilla.com> wrote:

> FWIW, I tend to debug local builds of these individual branches to make
> my life easier, for example by turning optimization off etc. It has only
> been a handful of times that I had to debug an official build. Having to
> disable SIP to debug isn't ideal, but tolerable given how infrequently
> this would be necessary. I'd be interested to hear if others have had to
> debug official builds more frequently.
>
> -spohl
>
> On 1/11/19 6:36 PM, Haik Aftandilian wrote:
> > Please take a look if you debug Firefox on macOS.
> >
> > Apple's notary service[1] is a new way to sign macOS applications that
> > has some security benefits[2] and provides a slight user experience
> > improvement[3] when users download the application and run it for the
> > first time. Specifically, the dialog users have to click through to
> > start the application is less of a warning.
> >
> > We are working on adopting the service on bug 1470607, but I wanted to
> > share how this will affect debugging and get some feedback. If an
> > application is "notarized", starting with macOS 10.14, the OS will
> > prevent debuggers from attaching to the application unless the user has
> > disabled macOS system integrity protection (SIP)[4] which requires a
> > reboot. This prevents debugging of the application with a debugger like
> > lldb or gdb on a default system.
> >
> > Assuming the debugging restriction will _not_ apply to the Nightly
> > channel, local builds, or automation builds, will this debugging
> > restriction+workaround on official builds (Release, Beta, DevEd) be a
> > problem for your workflow or in any way you can envision?
> >
> > Apple has stated that signing with the notary service will be required
> > in a future macOS version. I think we can assume that this means an
> > application that is not notarized will require special steps for first
> > launch where the user may also have to click through dire security
> > warnings. Today, launching Firefox for the first time on Mac already
> > requires clicking through one warning. The bug includes a screenshot[3]
> > showing how it will change with notarized builds.
> >
> > Thanks,
> > Haik
> >
> > 1. https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
> > 2. Using the service A) submits the application to Apple to run malware
> > checks on the binaries and B) requires setting some executable security
> > flags known as Hardened Runtime. At present, Firefox mostly does not
> > benefit from enabling Hardened Runtime for various reasons. Another
> > benefit relates to how a single version of the application can be
> > revoked, without having to revoke all versions signed with the same key.
> > 3. https://bug1470607.bmoattachments.org/attachment.cgi?id=9036014
> > 4. https://support.apple.com/en-us/HT204899
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
>
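As an added example (not code from this thread, from Mozilla's build tooling, or from Apple), the check a developer would run before trying to attach lldb to an official build: parse the output of `codesign -dvvv --entitlements :- App.app` for the hardened-runtime flag in the CodeDirectory line and for the com.apple.security.get-task-allow entitlement. The rule it encodes is the one the thread describes: hardened runtime set and no get-task-allow means a debugger cannot attach while SIP is enabled, and notarization requires the former while rejecting the latter. The codesign outputs below are constructed samples with placeholder identities and sizes, and the parser assumes the XML plist entitlement format codesign printed at the time.

```shell
#!/bin/sh
# Added example, not part of the dev-platform thread or Mozilla's tooling.
# Classifies a macOS code signature by whether lldb/gdb can attach with SIP
# enabled. Input is a file holding the output of:
#   codesign -dvvv --entitlements :- /Applications/Firefox.app > sig.txt 2>&1
# (assumes the XML plist entitlement format that command printed at the time).
#
# Rule (macOS 10.14+): hardened runtime flag set ("(runtime)" in the
# CodeDirectory flags) and no com.apple.security.get-task-allow entitlement
# means macOS refuses debugger attach unless SIP is disabled. Notarization
# requires the hardened runtime and rejects get-task-allow, so a notarized
# Release/Beta/Nightly build lands in the "sip-restricted" bucket.

# sig_debuggable FILE -> prints "debuggable" or "sip-restricted"
sig_debuggable() {
    file="$1"
    runtime=0
    gta=0
    # CodeDirectory line looks like: "... flags=0x10000(runtime) hashes=..."
    if grep -q 'flags=0x[0-9a-fA-F]*([^)]*runtime' "$file"; then
        runtime=1
    fi
    # Entitlement plist: the key followed by <true/>; strip whitespace so the
    # key/value pair matches regardless of indentation or line breaks.
    if tr -d '[:space:]' < "$file" |
        grep -q '<key>com.apple.security.get-task-allow</key><true/>'; then
        gta=1
    fi
    if [ "$runtime" -eq 1 ] && [ "$gta" -eq 0 ]; then
        echo sip-restricted
    else
        echo debuggable
    fi
}

# Constructed sample: the shape a Developer ID, hardened-runtime build (what a
# notarized official build looks like) reports. Identity/sizes are placeholders.
sample_release_sig() {
    cat <<'EOF'
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
Identifier=org.mozilla.firefox
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1536 flags=0x10000(runtime) hashes=40+5 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (EXAMPLETEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
</dict>
</plist>
EOF
}

# Constructed sample: a developer's local build, ad-hoc signed and carrying
# the get-task-allow entitlement (hypothetical paths and identifiers).
sample_local_sig() {
    cat <<'EOF'
Executable=/Users/dev/obj-ff-dbg/dist/Nightly.app/Contents/MacOS/firefox
Identifier=org.mozilla.nightly
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=12+3 location=embedded
Signature=adhoc
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
EOF
}

# Demo: classify both samples. A real check replaces the sample with the
# codesign output for the app in question; for the restricted case,
# "csrutil status" tells you whether SIP is currently enabled.
tmp=$(mktemp -d)
sample_release_sig > "$tmp/release.txt"
sample_local_sig > "$tmp/local.txt"
echo "release build: $(sig_debuggable "$tmp/release.txt")"   # sip-restricted
echo "local build:   $(sig_debuggable "$tmp/local.txt")"     # debuggable
rm -rf "$tmp"
```

The classification only looks at the target's signature; it does not model the debugger side (lldb's own entitlements) or a SIP-disabled boot, which is exactly the workaround the thread discusses for the "sip-restricted" case.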