17 comments

[ 2.9 ms ] story [ 33.9 ms ] thread
I still don’t see why you would want your parents to run untrusted software on their devices, but you do you I guess.
DMA is about increasing competition of app stores. It is not about giving "freedom" to people. Notorization is an independent process from running an app store on Apple's platform.
The same thing exists on Windows, developers have to code sign their binaries. It's even worse in my experience because you have to use a token (usb key with cryptographic signing keys in it) and that's impractical if you want your ci/cd to run in a datacenter. At my company we had a mac mini with a windows VM and a code signing token plugged in just for the purpose of signing our macos and windows binaries.

Another solution that is not mentioned in the article is that users of both macos and windows should be able to easily integrate the certificate of a third-party editor, with a process integrated in their OS explaining the risks, but also making it a process that can be understood and trusted, so that editors can self-sign their own binaries at no cost without needing the approval of the OS editor. Such a tool should ideally be integrated in the OS, but ultimately it could also be provided by a trusted third-party.

You can see it in action. I have a M1 Ultra Mac Studio, an insanely powerful machine, and when building open source software, actual compilation flies but the autonomy step crawls because IIT has to build test binaries to test OS features and notarization slows that down dramatically.
Mandatory FLOSS and open hardware is SERIOUSLY the sole way we can evolve positively.
Suffered that back in the day with an Electron desktop app. Not to mention that the notarization and signing integration itself is completely broken. The first time you submit a binary it can take DAYS to process, and setting everything up to work properly with GitHub Actions CI/CD is absurdly time-consuming. It's ridiculous, and if you add this new notarial verification policy on top of that... In the end it's just Apple being Apple.
How can we trust software anymore? Open source projects are being sold to bad actors. Python default repos are full of malware. Originally blessed and trusted apps are being bought by software companies is dodgy countries. It seems like we can only trust big software companies like Microsoft and Oracle.
Can the fsfe also sur Google to try to prevent them to force the registration of all developer than want to install app on any Android phone outside of the play store?

Again, I would happily donate to such an initiative before it is too late!

I stopped prostituting myself for Apple a long time ago.

Glad more developers are seeing the light now.

FTA: “Apple’s complete review of apps – known as “notarisation” process - a mandatory step for distributing any software on its platforms, represents the very gatekeeping behaviour the DMA was written to prevent.”

Notarization doesn’t involve a complete review (https://developer.apple.com/documentation/security/notarizin...: “Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly.”

I also expect Apple will argue that requiring code to be notarized is explicitly allowed under the DMA, based on section 6.7:

“The gatekeeper shall not be prevented from taking strictly necessary and proportionate measures to ensure that interoperability does not compromise the integrity of the operating system, virtual assistant, hardware or software features provided by the gatekeeper, provided that such measures are duly justified by the gatekeeper.”

So, the discussion would have to be on whether this is strictly necessary and proportionate, and whether Apple duly justified that.

I think “strictly necessary” is a bit at odds with defense in depth (https://en.wikipedia.org/wiki/Defense_in_depth_(computing)), where you explicitly add redundancy to improve security, so we’ll see how a judge rules that, but I can see them accepting it if Apple argues they’ll implement a similar feature on-device instead if they have to.

The submitted article is about iOS, not macOS. Apple unfortunately used the same word "notarization" on both platforms, but the processes are not even remotely similar. Perhaps the confusion was deliberate, but in any case, many commenters here are confused and mistakenly believe that iOS notarization is like macOS notarization.

iOS notarization is still manual review by Apple, but with fewer rules and restrictions.

https://developer.apple.com/help/app-store-connect/managing-...

> If you’ve opted into alternative distribution for customers in the European Union, you can choose to make your app version eligible for distribution on alternative app marketplaces or websites only by selecting to have it evaluated based on the Notarization Review Guidelines (a subset of the App Review Guidelines). Otherwise, App Review uses App Review Guidelines to evaluate your app version to make it eligible for distribution on the App Store, alternative app marketplaces, and websites if approved.

I suppose this kind of notarization across all digital platforms will have even more importance once the EU CRA (Cybersecurity Resiliency Act) takes full effect end of 2027.
Where are all these "Apple can do whatever they want on their platform" bootlickers?
In the end, it's the same for Windows too since you need to pay for a cert.
As an iOS user, I love this and you are free to hate me for it. It keeps my grandma safer from scams. This is why I bought her an iPhone.

I don't want to hear any of the usual "don't use sideloading if you don't like it". I don't want it to exist so nobody can talk my grandma into installing a fake bank app over the phone, like they did to her once when she had an android phone and stole all her money.

Yes this is not foolproof still, some scam apps might make it past notarization. Just like cover fees in clubs and gates in gated communities -- it does not keep all the riff-raff away, but it helps.

It is certainly shocking news that Apple has secretly developed a locked-down smartphone that only runs Apple-approved software, and that Apple is charging developer fees.

Next we'll hear that Nintendo has secretly developed a locked-down game console that only runs Nintendo-approved software, and Nintendo is charging developer fees.

It is surely a coincidence that 70% of Apple's iOS App Store revenue is from games.