
The Notoriety of Zulu on macOS

Keeping your computer safe from malicious software is no easy task.  There are different approaches to solving this problem, many of which take the antivirus approach of scanning a machine looking for files with fingerprints that indicate malware.  An alternative approach is that taken by Apple, which uses software called Gatekeeper to enforce code signing and verify downloaded applications before allowing them to run.

In the most recent version of macOS, 10.15 (code name Catalina), all software built after June 1, 2019, must be notarized by Apple in order for Gatekeeper to allow it to run.  For applications distributed through the App Store, this is included as part of the submission process.

However, for third-party software, verification needs to be performed when the application starts.  Whilst it is possible to turn Gatekeeper off, it is highly discouraged and would not be something an average user would do since it requires a relatively complex command-line incantation.

Although Apple relaxed the rules around this initially to give developers time to adapt, since February, applications that are not notarized will not run on Catalina.

Apple’s notary service is an automated system that scans software for malicious content and checks for code-signing issues.  Assuming that no problems are identified, the notary service generates a digital ticket for you to attach to your software.  The notary service also publishes that ticket online where Gatekeeper can find it. 

The reason I’m writing about this in my blog is that this now impacts all OpenJDK distributions.  Right now, since the last update to older versions was in January, the only builds directly affected by this are JDK 14.  Since this was released on March 17, to run the latest Java on Catalina, binary distributions will need to be notarized.

The engineers at Azul have been aware of this and have made sure that all macOS executables in Zulu 14 are appropriately notarized.  One source of confusion that I saw on Twitter concerns the distinction between installers, executables and bundles.

  • Installer packages provide a mechanism to perform all necessary tasks to install a software package on macOS. They are typically distributed in a disk image format (dmg file), which is one of the formats Azul provides for Zulu binaries.  All Zulu installers are notarized, so they can be run without problem on Catalina.
  • Executables are individual files that can be included in a software distribution. The java and javac executables in Zulu are good examples of this.  All executables in the Zulu macOS distribution are correctly notarized, so they will run without problem on Catalina.
  • Bundles are file system directories with a defined structure and file extension. In the case of Zulu, the installer will create a directory in /Library/Java/JavaVirtualMachines called zulu-14.jdk and copy all of the JDK files there.  Currently, Azul has not configured this as a bundle, so it is not notarized and the directory will not show as being notarized.  The same is true of the directory extracted from either the .zip or .tar.gz downloads.  The plan is to make these directories full bundles (and notarize them) in April.  However, as all executables are notarized, there is no issue with using Zulu 14 as your preferred Java runtime.
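
To check the three artifact types above on your own machine, here is an added example (not from the original post and not Azul's tooling) that reports notarization status per artifact using the macOS `spctl` and `codesign` tools.  The status labels, the function names and the `source=` strings it matches are assumptions based on typical Catalina-era `spctl` output.

```shell
#!/bin/sh
# Added example (not Azul's tooling). Paths passed in are the user's own, and
# the "source=" strings matched below are assumed typical spctl wording.

# Decide which kind of check a path needs.
artifact_kind() {
  case "$1" in
    *.dmg) echo diskimage ;;
    *.pkg) echo installer ;;
    *) if [ -d "$1" ]; then echo directory; else echo executable; fi ;;
  esac
}

# Classify `spctl --assess -vv` output read from stdin.
classify_spctl() {
  out=$(cat)
  case "$out" in
    *"source=Notarized Developer ID"*) echo notarized ;;
    *"source=Unnotarized Developer ID"*|*"source=Developer ID"*)
      echo signed-not-notarized ;;
    *) echo rejected ;;
  esac
}

# Bare executables such as java are checked with codesign rather than spctl.
check_executable() {
  if codesign --verify -R '=notarized' "$1" 2>/dev/null; then echo notarized
  elif codesign --verify "$1" 2>/dev/null; then echo signed-not-notarized
  else echo rejected; fi
}

# Print one status line per artifact (macOS only: needs spctl and codesign).
check_artifact() {
  case "$(artifact_kind "$1")" in
    diskimage) status=$(spctl --assess --type open \
        --context context:primary-signature -vv "$1" 2>&1 | classify_spctl) ;;
    installer) status=$(spctl --assess --type install -vv "$1" 2>&1 | classify_spctl) ;;
    executable) status=$(check_executable "$1") ;;
    directory)  # a plain JDK directory is not one signed object: check its tools
      find "$1" -type f \( -name java -o -name javac \) | while read -r f; do
        check_artifact "$f"; done
      return ;;
  esac
  printf '%s\t%s\n' "$status" "$1"
}

# Usage on a Mac: sh check.sh <path>...
if [ "$(uname)" = Darwin ]; then
  for p in "$@"; do check_artifact "$p"; done
fi
```

Given a JDK directory, the script reports on the java and javac executables inside it rather than on the directory itself, which matches the distinction drawn in the list above.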

As you can see, Azul is ensuring that Zulu provides the best possible distribution of OpenJDK.  As it’s available completely free of charge, why not give it a try?