Tag: Mojave

New Notarization requirements for macOS 10.14.5

At the 2018 Apple Worldwide Developers Conference, a new feature of macOS was unveiled, called Notarization. To quote my macOS Mojave for Users, Administrators, and Developers book:

The concept of Notarized apps mimics the real-world concept of a notary. A notary witnesses the fact that a document has been signed by someone, or multiple parties. Notarized apps use a notary service that is hosted by Apple that verifies that the application is indeed signed by the developer.

The Notary service will also perform some additional checks on the application. These include security checks that verify the application is doing what it indicates as well as the check for private API usage, similar to Mac App Store apps. However, it should be noted that using the Notary Service is not the same as app review. These checks are merely security related and are only performed to notarize your application.

At the announcement of Notarization, Apple announced that Notarization would be available for developers in the summer of 2018, but would be required for all apps in a “future release”. With the release of macOS Mojave 10.14.5 there has been a step towards notarization being required, but this is just for some apps, not all apps. You will need to notarize your apps if the following applies:

  1. If you are a developer who is creating a Developer ID for the first time.
  2. If you are creating a new kernel extension.
  3. If you are updating a kernel extension.

Notarization is a security mechanism, not an App Store review. Instead, it is a way of being able to assure that malicious code cannot be injected into your app. Notarizing a macOS app provides peace of mind not just for end users, but also for you as the developer. One of the additional benefits of Notarization is that the Notarization service will keep an audit trail of each release version of your app. Should the worst occur, with your private signing key compromised and malicious software released, you can work with Apple to revoke those apps that you did not authorize and then release a new version of your app.

These are just some first steps in requiring notarization. It would not surprise me if notarization will be required for all apps starting with the next release of macOS, macOS 10.15. This is even hinted at by Apple’s own page:

Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.

The phrase “In a future release” most likely means with the next major release, macOS 10.15. While notarization may seem inconvenient, the process can easily integrate into your workflow and will protect everyone involved. I am sure many developers will not like the fact that they will have to notarize apps, but ultimately it will make things better in the long run.

Source: Apple developer site.

macOS Mojave and Websites

Back in February, Apple announced some major changes to the fall release of macOS Server. One of the changes that they indicated was that many of the services would no longer be included in macOS Server. At the same time, some services would still be present but the user interface elements would be removed. One of the services that would no longer have a user interface is Websites.

macOS Server is used by many, including myself, as a development environment. Besides developers, there are also some companies that need to use Apple’s Profile Manager service, but they also need to host an internal site, and they need to do all of this on the same machine. If you were running macOS Server on High Sierra, this scenario was easy to set up and maintain. The same scenario is still possible on macOS Mojave, but it is not as easy. It will take some work, so let us look at how to do this.

macOS bundles a web server, and the one chosen is apache. On macOS Mojave, it is version 2.4.34. This is the latest, as of this writing. The installation of apache is not any different from one you would install on Linux, which is good. Even though apache is standard, there are some modifications that are made to accommodate the use of other web-based services, and in particular Apple’s Profile Manager.

Default Configuration

Even under macOS Mojave with Server.app installed, there is a default configuration available, and you can use it if you so choose. The default location for files is “/Library/WebServer/Documents/”, and the default alternative port is 8080. If this is all you need, then you can start putting files in the path above and navigate to http://127.0.0.1:8080, or another IP address on the machine, and you can ignore the rest of this article. However, if you want to be able to make some additional configuration changes, read ahead.

Choosing a configuration

Before modifying any files, it is important to know that there are a variety of ways to configure apache. You could use a whole different IP address or you could just use a different port on the same IP address. This is the first item that you will need to determine. We will look at both approaches, because they are only slightly different.

The second thing that you will need to do is create a folder for the additional website. This is similar to how you would have done so with older versions of macOS Server. If you have an existing folder location, you can use that.

Once you have determined your approach and have created a folder, we can start modifying the files. There is a standard apache configuration file, called httpd.conf. This is the primary configuration file for the apache service. The httpd.conf file is located at “/private/etc/apache2/httpd.conf”. You will need to open up the file with a text editor, either using Terminal or a graphical text editor, like BBEdit.

Note: macOS is Unix under the hood and may require authentication when changing files. For this reason, it is best to use BBEdit for modifying files. BBEdit can handle this by providing an opportunity to enter your password when saving the files.

Before modifying any file, you should make a backup copy of it. I always like to use the name of the file and its extension and put the date after the file name. Once you open this file you will need to make a couple of changes.

Making Changes

As mentioned, macOS Server takes into account the Profile Manager service. To accommodate this, there is a block of code that determines if macOS Server is using the default ports, which are 80 and 443. The following block is what is used to determine this.

<IfDefine SERVER_APP_HAS_DEFAULT_PORTS>
  Listen 8080
</IfDefine>
<IfDefine !SERVER_APP_HAS_DEFAULT_PORTS>
  Listen 80
</IfDefine>

This block checks to see if Server.app is installed and configured. If it is installed and configured, the alternative port of 8080 is used. However, if Server.app is not installed and configured, then port 80 is used. Here is where you need to enter your configuration. If you only need to listen on a different port, you can enter “Listen 8081”, where 8081 is the port you want to use. If you want to specify an alternative IP address, use “Listen 192.168.1.2:80”, where 192.168.1.2 is the IP address you want to use. As the last example shows, you can specify a port if you need to, which means you can combine the two and use something like “Listen 192.168.1.2:8081”.

The next step is to test to make sure it is working as expected. To do this, you will need to create a file in the directory you chose. The file should contain something like this:

<html>
   <head>
    <title>Test Page</title>
   </head>
   <body>
     <h2>This page is working</h2>
   </body>
</html>

After you have saved this file, you want to test your apache configuration. This is done by performing the following steps:

  1. Open Terminal
  2. Type in, or copy and paste the following command, without the quotes: “sudo apachectl configtest”. This command will check the syntax of your apache configuration and report any errors.

If there are no issues with your apache configuration, you need to restart apache. This is done with the following step:

  1. In the same terminal window, type in, or copy and paste the following command, without the quotes: “sudo apachectl restart”. This command will either start up, or restart, the apache service.

The last step is to open up Safari and browse to your new site. You should see a page with the text “This page is working”.
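
The backup, edit and syntax-check steps above, sketched as a shell script. This is an added example, not part of the original article: valid_listen, add_listen and LAST_BACKUP are hypothetical names, and the syntax check is passed in as a command, which on the Mac itself would be sudo apachectl configtest. A failed check restores the backup, so a bad edit never reaches the restart step.

```shell
#!/bin/sh
# Added example: add_listen, valid_listen and LAST_BACKUP are hypothetical names.

# valid_listen VALUE: accept PORT or IPv4:PORT (address shape only).
# A bare 80 or 443 is refused: the article says Server.app uses those ports.
valid_listen() {
    case "$1" in
        *:*) addr=${1%:*}; port=${1##*:} ;;
        *)   addr=; port=$1 ;;
    esac
    case "$port" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    if [ -z "$addr" ]; then
        [ "$port" -ne 80 ] && [ "$port" -ne 443 ] || return 1
    else
        printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    fi
}

# add_listen CONF VALUE CHECK_CMD [ARGS...]
# On the Mac itself CHECK_CMD would be: sudo apachectl configtest
add_listen() {
    conf=$1; value=$2; shift 2
    valid_listen "$value" || { echo "rejected Listen value: $value" >&2; return 2; }
    # Nothing to do if the same directive is already present.
    awk -v v="$value" '$1 == "Listen" && $2 == v { f = 1 } END { exit !f }' "$conf" \
        && return 0
    # Backup named as the article suggests: file name, extension, then the date.
    LAST_BACKUP="$conf.$(date +%Y-%m-%d-%H%M%S)"
    cp -p "$conf" "$LAST_BACKUP" || return 1
    printf 'Listen %s\n' "$value" >> "$conf"
    if "$@"; then
        echo "syntax OK; apply with: sudo apachectl restart"
    else
        cp -p "$LAST_BACKUP" "$conf"      # roll back the failed edit
        echo "syntax check failed; restored from $LAST_BACKUP" >&2
        return 1
    fi
}
```

Run as root, a call would look like: add_listen /private/etc/apache2/httpd.conf 192.168.1.2:8081 apachectl configtest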

These are just the basic steps to be able to host both a website and Profile Manager on the same Mac running macOS Mojave. You can do some additional configuration by configuring Virtual Hosts and enabling Modules. Again, this is the same version of Apache that is installed on Linux, so there is a plethora of tips, tricks, and how-to guides available on the web.

Transition Guide

There is an entire Support Guide for transitioning some of macOS Server’s services to the built-in version of Apache. This is available on the Apple Developer site. The document also includes information on transitioning the site’s SSL, if configured. This should help some people get started with configuring apache on macOS, while still keeping Profile Manager running.