Belkadan Software

Developer IDs for Freeware

Hermit Crab was released without notarization from Apple, leading to a scary dialog when it’s downloaded and opened for the first time.

Why did I choose to do this? Well, Apple’s current approach to macOS security is roughly “you can run whatever you want on your own machine, but if you want other people to run your app, it must be notarized or distributed through the Mac App Store”. Many people think Apple’s policy here is bad, for various reasons; my particular objection is that both of these options require a Developer Program membership, which costs $99/year. And while I can afford a $99 fee to distribute my apps, not everyone can.

Of course I could charge for Hermit Crab, or monetize it with ads, or add a donation button, and hope to recoup the $99. That’s probably what Apple would prefer for me to do. But I got started with freeware, with Dockyard, Webmailer, and Keystone released while I was still a student. It was an amazing feeling to know that hundreds of people had downloaded my software, and that I’d made (some percentage of) their lives just a little bit better. Why limit that?

A few people have argued that the price supports Apple’s Developer Tools and Developer Relations organizations. This is certainly possible. So let’s look at what the $99 gives you (as a Mac developer): a Developer ID, access to beta OSs, support for some store-only frameworks, and two “technical support” requests—and of course, distributing your app on the app store. What if there were a $9.90 tier instead that gave you none of that except the Developer ID?

(Why not free? Well, because if they were free, a malware author might sign up for infinite Developer IDs and keep cycling through them. Putting some price on them decreases the appeal of that strategy, while still leaving them accessible to a motivated newcomer.)

My app is not trustworthy because I paid Apple $99; someone untrustworthy can do the same. If Apple wants to get rid of non-Mac-App-Store apps by default, they should do it. If not, though, that $99 buys me nothing but the absence of a scary dialog. And that’s not worth $99 to me.

Further elaboration on the security aspects of the policy

In the case of the app stores, Apple can make a security-minded argument: app store reviews protect users. Whether or not this is true is a matter of debate, but it is possible that malware could be stopped at the boundary of app review. But macOS isn’t like iOS: it can be configured to run arbitrary notarized apps as well as apps from the Mac App Store, and in fact that’s the default behavior in macOS Catalina. (It used to allow “run any apps” as a possible configuration too; that has now been relegated to a command-line utility, spctl.) Anyone who pays $99 can put their app online and get…well, still a dialog, but a less-scary dialog, with an actual “Open” button.

But doesn’t notarization perform the same function that app store review does, in protecting a user? Only to an extent. Notarization is an automated process, without human intervention, and so while it’s pretty likely Apple put in checks for obvious bad behavior, it won’t stop anyone who’s even a little determined. Heck, there are plenty of apps on the app store with sleazy-but-technically-not-banned behavior. If there’s any real security benefit, it would come from enforcing code signing, giving Apple a better way to uniquely identify an app as malware beyond pattern-matching its code or resources.

There are many ways that Apple has not shown respect for its current developers. Without a cheap Developer ID tier, though, Apple pushes away prospective Mac developers with one hand, and undermines its own security policy with the other.

Addendum: How did I make this decision?

I’d like to claim that I’m making a firm ideological stand, but I was on the fence about this up until the week before releasing the first version of Hermit Crab. Indeed, I probably would have simply given in and paid for a Developer ID, had it not been for the Hey app debacle a few weeks before that. While the situation on iOS is different from that on macOS, it made me hesitate enough about forking over the $99 to ask for feedback on Twitter.

Over half of the poll respondents recommended releasing without signing, though a few individual replies noted that they never installed unsigned software. A number of people qualified their statement based on the app in question being a developer tool, which means users are a little more likely to be familiar with Apple’s security restrictions. I decided this was enough signal to make a principled stand without sacrificing a huge part of my audience.

Copyright © 2020 Jordan Rose