Lots has been written about the Apple Notarization process. The process of applying digital signatures to *.app packages, contents and DMG installer files. All sounds good in theory but my god the execution is insane.
I swear Apple hates me as a developer.
On Windows I sign my installer with a standard SSL code signing certificate. I can buy this from any decent Certificate Authority and use it in my build process. I think this cert was around $60.
On Apple …
I had to sign up for an Apple Developer account. I did this, had to wait 2.5 weeks to be approved via my DUNS number. Part of this process involved a telephone call from Apple!! Yes, a TELEPHONE CALL.
“Hi, is this xxxxx from xxxx”
“Are you authorised to sign agreements on behalf of xxxx”
I mean … WTAF Apple? That is not an approval process, it’s asking a random person on the end of the phone a question.
Then, one you have your ID Certs you have to implement the signing. It’s pretty simple in terms of code but wow. What a stupid approach they have taken.
You have to upload your bits for notarisation. Yes UPLOAD.
So for every build I do, but GitLab runner has to sit there, waiting for the upload to complete (1.3Gb upload) and then sit there waiting for a response, FOR EVERY BUILD.
I mean, this is computing 101 – no single point of failure. Apple has tied my build infrastructure to theirs, right now, my builds are failing due to Apples services being down and out of action.
Also, this has tied every single automated build process targeting macOS ON THE ENTIRE PLANET to their notarization service. It’s utter madness.
Now this has been a bit of a nightmare for me. Not only the cost of having a developer account (£79 pa) but there are minimal benefits really. Particularly when their notarization process utterly fails to work …
Yup, you read that right. It approved very well known and understood malware. The very thing it’s designed to prevent.
Many of my fellow developers are equally annoyed at this process. In fact it’s annoyed so many in the games industry they’re dropping macOS support entirely. This isn’t good for the eco-system.
All the additional costs are pushed onto the developer and as can be seen from the article above. It’s failing to perform.
Impacts on Builds
So the impact on builds isn’t trivial. As I stated above, there is now a process inserted into my build that has significant external dependencies – Apple. This process isn’t fast. Apple itself says that it *should* take less than an hour.
So my latest application produces a 1.3Gb application and already takes nearly an hour to compile. Now I have a (circa)1 hour process tagged onto the end that involves someone else’s infrastructure and probably around an hour where my build runner is sat waiting for Apples servers to do something. All the while any additional builds just sit there blocked building up a queue.
It’s failed twice this morning due to Apples servers, so what’s that – 4 hours of essentially what can only be described as downtime in real terms.
Thanks for absolutely nothing Apple. Actually, not nothing, thanks for the headaches and involuntary downtime.
Supporting your platform is an utter pain in the ass.