As we reported in our recent article, over 30 pro audio developers have issued statements advising users not to upgrade to macOS Catalina. As a result of extensive research, we have discovered at least two reasons why it might be some time before the software we use becomes macOS Catalina compatible, and both have to do with security.
Apple Tighten Security Yet Again
Each of the last few macOS updates has included improvements to security, which have had consequences for all users but especially pro audio and music users. Catalina is no exception. With macOS Catalina, there are two new hurdles to get past, both of which were optional requirements in macOS Mojave, but have become compulsory with macOS Catalina.
The first is “notarization” - a change to any ‘executable’ code like installers, applications, plug-ins, drivers etc. in which Apple uses a service to scan ‘executables’ for malicious code. Apple issues notarization tickets to developers to ‘staple’ to their installers, if they pass all of the requirements that macOS Mojave and Catalina will be looking for when they are first run.
The second is “hardened runtime”, a set of security requirements controlling how software on the macOS platform is granted access to your computer. It is a way that developers can set flags in the application’s signature indicating to the operating system what services and facilities it requires and should be given access to. If the application steps out of line for any reason, the operating system will overrule any requests that are supposed to be out of bounds.
In reality, these two are somewhat linked because Apple now doesn’t issue notarization tickets unless they also meet the hardened runtime requirements and only include a set of permissible entitlements (amongst other requirements).
To get a notarization ticket, a hardened runtime application may now need to explicitly request entitlements that would have just been assumed by default in the past, hence the need for changes in the affected software.
Why Has Apple Done This?
Consider what the aim of any malware is: it is designed to run code that hasn’t been given permission to run, and that code then gets access to vital parts of your computer, like your personal data or your microphone or camera, all without your permission. These two new restrictions from Apple are designed to make it harder for malicious code to be able to run. However, the first thing you will notice is macOS asking you for permission to do things even more often than it does now.
It Could Be The End Of The Line For Older Versions of DAW Software And Plugins
We are not talking about 32-bit code here; this is something different. Because all software developers are going to have to add compatibility for these new security systems into their code and installers for their software, it is more than likely that they will only take the time and trouble to do this work for the latest version of their software. This will mean that if you want to continue to run older software, then you should proceed with extreme caution. To be safe, we recommend that you do not upgrade to macOS Catalina, as the older versions of software and installers are unlikely to work satisfactorily with 10.15 when it is released.
Don’t Blame Apple - Blame The Hackers
If all of this annoys you then please don’t blame Apple or the software developers, blame the pirates and hackers, whose activities Apple and Microsoft are trying to protect us from.
The reason that DAWs are more problematic than most single-function software is that, to function, DAWs do all sorts of things in the background, like running a variety of software libraries as well as all your plugins, and ask the OS for permission (often called entitlements) to allow these tasks to happen. That all seems perfectly reasonable? The problem is that all these activities that a DAW does day in, day out, can sometimes look, to an operating system’s security systems, similar to the sort of things hackers program malware to do. The key point here is that, although completely benign, some of what a DAW needs to do can trigger the tripwires that Apple and Microsoft now put into their operating systems to protect us from malicious code.
In addition, your DAW also has to handle (and to some extent predict) the entitlements that will be required by your plugins. For example, iLok protected plugins need certain entitlements to function that a DAW using plug-ins that are not protected by iLok usually would not need.
DAW plugins will also need entitlements (permission) to access various folders on your drives, for example, a VI needing to be given permission to access the folder where your samples are stored. All of this can look similar to suspicious activity the OS would expect to see from malicious code.
The outcome of all of this is that you will need updates, not only for your DAWs but also possibly your plugins too, although this will somewhat depend on whether a DAW developer chooses to include the relevant entitlements, like the one allowing unsigned binaries to be loaded. If this is the case, then we understand that older plugins should continue to work as long as they are fully 64-bit. It would appear that there will still be the option to right-click on older plugin installers and then click Open, bypassing some of the macOS security requirements, although it might be only a matter of time before Apple closes that loophole.
The key here is that a lot of the work in this area will need to be undertaken by the DAW manufacturers because if they don’t get the entitlements correct, users are going to become more and more frustrated until the DAW developers get this right.
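As an added illustration (not code from this article or from any DAW vendor), the Python below audits a host application's entitlements plist, such as the XML printed by `codesign -d --entitlements :- <app>`, for the hardened-runtime exception that lets a DAW load plug-ins signed by other parties. The entitlement keys are Apple's documented ones; the function name and the two sample plists are constructed for this example.

```python
import plistlib

# Hardened-runtime exception entitlements documented by Apple, with what each relaxes.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.disable-library-validation":
        "host may load plug-ins not signed by Apple or by its own team",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "host may create writable and executable memory",
    "com.apple.security.cs.allow-jit":
        "host may map JIT memory",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "host honours DYLD_* variables that can inject libraries",
}
AUDIO_INPUT = "com.apple.security.device.audio-input"  # audio input (microphone) access
LIB_VALIDATION_OFF = "com.apple.security.cs.disable-library-validation"

def audit_entitlements(plist_xml: bytes) -> dict:
    """Summarise the entitlements plist of a plug-in host such as a DAW."""
    ents = plistlib.loads(plist_xml)
    # A key grants something only when it is explicitly set to <true/>.
    granted = {key for key, value in ents.items() if value is True}
    return {
        "runtime_exceptions": sorted(granted.intersection(RUNTIME_EXCEPTIONS)),
        "loads_foreign_plugins": LIB_VALIDATION_OFF in granted,
        "audio_input": AUDIO_INPUT in granted,
    }

# Constructed samples, not taken from any real product.
HOST_RELAXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""
HOST_STRICT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    for name, sample in (("relaxed", HOST_RELAXED), ("strict", HOST_STRICT)):
        report = audit_entitlements(sample)
        print(name, report)
        for key in report["runtime_exceptions"]:
            print("   ", key, "->", RUNTIME_EXCEPTIONS[key])
```

A host without the library-validation exception will only load code signed by Apple or by its own team, which is why the exception matters for third-party plug-ins; the cost is that the host then loads code from any signer, so it is worth knowing which of your applications carry it.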
The News For Drivers Appears More Serious
The news for drivers is not good. We understand that there will be no bypass option for drivers. Unverified drivers will simply not work with macOS Catalina. This means if you have older hardware that doesn’t get updated drivers and installers, you won’t be able to use it with macOS Catalina and there will be no ability to override this requirement.
This means that if you have older hardware, it is unlikely that developers are going to go through the verification process with Apple and so older hardware with older drivers is unlikely to work with macOS Catalina. If that is your situation, then you may not want to upgrade to macOS Catalina.
If you have to upgrade to macOS Catalina because you are buying a new Apple computer, then be ready to budget for, and to replace, older software and hardware, so that everything you own is on the latest versions and macOS Catalina compatible.
Developers Will Now Have To Submit Installers To Apple For Verification
Because these changes are mandatory with the release of macOS Catalina (albeit with the right-click option to bypass and open anyway), it means that developers should now submit installers to Apple for verification, to check that they fulfil Apple’s requirements for how those installers need to be built. Apparently the process takes hours, rather than the multiple days or weeks that the App Store’s verification process can take, so it should be possible to get installers verified reasonably quickly.
Some developers have already started shipping fully notarized and stapled updates for their installers. For instance, when we downloaded a copy of Seventh Heaven v1.3.2 from the LiquidSonics website, macOS Catalina found a valid notarization ticket attached to it and opened it up as one would expect. LiquidSonics tell us that they have already made sure that their recent installers are macOS Catalina compatible.
However, some of their older installers are still available on their website, so we can show an example of what happens when an older plug-in installer is not notarized. When it has been opened, Catalina will check if there is an associated notarization ticket attached to it (or if one is available on Apple’s servers). If not, this message is shown.
If you would like to open it anyway, you may think there is no way forward, but a simple right-click (or control+click) on the plug-in installer reveals a menu where the first option is ‘Open’.
This technique is the same as if you were trying to bypass the Gatekeeper check for an unsigned installer. The same check will be applied again, but this time you have the option to click ‘Open’ and proceed with the installation as usual.
If you are the lucky owner of a shiny new Mac and so have no option to run older versions of macOS, then this is a glimmer of hope. Some older 64-bit plug-ins (and even some DAWs) should work perfectly well when installed on Catalina in this way, even when the DAW has been updated with hardened runtime, assuming it includes appropriate entitlements (such as permission to load unsigned code). Even so, entering this zone, we strongly recommend that you should, as always, proceed with caution!
Case Study - Studio One From PreSonus
As we covered in our article PreSonus Publish macOS Catalina Advice About Studio One And 3rd Party Plugins - You Need To Read This, PreSonus tell us that the .dmg installer file for Studio One 4, build 4.5.3 is now notarized and is compliant with Apple's security guidelines, which shows that DAW developers can be responsive and resolve these issues quickly. We have subsequently learnt that there was one entitlement not implemented correctly, which meant that VST plugins protected by iLok could not work; however, the good news is that this was resolved in the 4.5.4 release. Now when you launch Studio One, it should simply open as designed, without requiring any changes to the security & permission settings on your Mac.
However, things are not so simple when it comes to 3rd party plug-ins. PreSonus state in a Support Article…
“If you are trying to load 3rd-party plug-ins that were created after June 1, 2019, the plug-ins must be updated by their manufacturers to support the "Hardened Runtime" and "Notary Service." Older plug-ins can be loaded if their code has been properly signed.”
If you have the same issue with a number of your plug-ins, we recommend that your first port of call should be the DAW developer and not the plugin developers. As we understand it, it is likely that the DAW developer will need to include appropriate entitlements, especially as the likely cause is an iLok protected plugin for which the DAW doesn’t have the correct entitlement.
Using An Older Version Of Studio One With macOS Catalina
If you do install a previous version of Studio One and you are running Mac OS 10.15 (Catalina), you will need to ctrl+click (or right-click) the .dmg installer file and choose to open as shown above. Once installed to your Applications folder by dragging the app into it, you can open the app and click 'Open' when the error pops up.
Alternatively, you can navigate to the System Preferences > Security & Privacy, unlock as an administrator, and hit "Open Anyway" to suppress the warning.
UPDATE - Apple Relax Notarization Requirements Slightly
Apple has announced that to make the transition easier on both developers and Mac users, notarization prerequisites have been pushed back until January 2020.
Developers can now have apps notarized that do not meet certain previous requirements, such as an app that uses an older SDK or the inclusion of components not signed by a developer ID, which should really give developers a temporary helping hand to get older software through the notarization checks.
How Long Will All This Take?
Exactly how this will impact the speed of macOS Catalina compatibility is unclear, but based on the 30 plus developers that have already published announcements advising users not to upgrade to Catalina we can only assume it is not going to be resolved overnight.
We understand that developers who use custom installers may have greater challenges getting these compliant with the new systems. For developers with a lot of plugins, it is also going to take some time. Developers we have spoken to say that the process will take some time to get right, and so those with a large inventory of plugins are going to need significant time to work through their catalogue to get all their products macOS Catalina compatible and their installers fully notarized.
We also don’t know exactly what will happen in January 2020, especially to those products that have been assigned tickets under the temporarily more permissive notarization prerequisites. Will they be no longer macOS Catalina compliant when Apple tightens up the requirements? We are assured that questions have been asked but at the time of writing, no answers have been forthcoming from Apple.
In addition, it would appear a lot of the work is down to the DAW developers like Avid and PreSonus to make sure that they include the appropriate entitlements for every iLok protected plugin. All told, macOS Catalina compatibility may take some time. You have been warned!