Please take a look if you debug Firefox on macOS. Apple's notary service[1] is a new way to sign macOS applications that has some security benefits[2] and provides a slight user experience improvement[3] when users download the application and run it for the first time. Specifically, the dialog users have to click through to start the application is less of a warning.
We are working on adopting the service on bug 1470607, but I wanted to share how this will affect debugging and get some feedback. If an application is "notarized", starting with macOS 10.14, the OS will prevent debuggers from attaching to the application unless the user has disabled macOS system integrity protection (SIP)[4] which requires a reboot. This prevents debugging of the application with a debugger like lldb or gdb on a default system. Assuming the debugging restriction will _not_ apply to the Nightly channel, local builds, or automation builds, will this debugging restriction+workaround on official builds (Release, Beta, DevEd) be a problem for your workflow or in any way you can envision? Apple has stated that signing with the notary service will be required in a future macOS version. I think we can assume that this means an application that is not notarized will require special steps for first launch where the user may also have to click through dire security warnings. Today, launching Firefox for the first time on Mac already requires clicking through one warning. The bug includes a screenshot[3] showing how it will change with notarized builds. Thanks, Haik 1. https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution 2. Using the service A) submits the application to Apple to run malware checks on the binaries and B) requires setting some executable security flags known as Hardened Runtime. At present, Firefox mostly does not benefit from enabling Hardened Runtime for various reasons. Another benefit relates to how a single version of the application can be revoked, without having to revoke all versions signed with the same key. 3. https://bug1470607.bmoattachments.org/attachment.cgi?id=9036014 4. https://support.apple.com/en-us/HT204899 _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
