Duke Seal

The Notoriety of Zulu on macOS

Mar 27, 2020 | 4 MIN READ

Keeping your computer safe from malicious software is no easy task.  There are different approaches to solving this problem, many of which take the antivirus approach of scanning a machine looking for files with fingerprints that indicate malware.  An alternative approach is that taken by Apple, which uses software called Gatekeeper to enforce code signing and verify downloaded applications before allowing them to run.

In the most recent version of macOS, 10.5 (code name Catalina), all software built after June 1, 2019, must be notarized by Apple in order for Gatekeeper to allow it to run.  For applications distributed through the App Store, this is included as part of the submission process. 

However, for third-party software, verification needs to be performed when the application starts.  Whilst it is possible to turn Gatekeeper off, it is highly discouraged and would not be something an average user would do since it requires a relatively complex command-line incantation.

Although Apple relaxed the rules around this initially to give developers time to adapt, since February, applications that are not notarized will not run on Catalina.

Apple’s notary service is an automated system that scans software for malicious content and checks for code-signing issues.  Assuming that no problems are identified, the notary service generates a digital ticket for you to attach to your software.  The notary service also publishes that ticket online where Gatekeeper can find it. 

The reason I’m writing about this in my blog is that this now impacts all OpenJDK distributions.  Right now, since the last update to older versions was in January, the only builds directly affected by this are JDK 14.  Since this was released on March 17, to run the latest Java on Catalina, binary distributions will need to be notarized.

The engineers at Azul have been aware of this and have made sure that all macOS executables in Zulu 14 are appropriately notarized.  One thing that has caused some confusion that I saw on Twitter concerned the distinction between installers, executables and bundles.

As you can see, Azul is ensuring that Zulu provides the best possible distribution of OpenJDK.  As it’s available completely free of charge, why not give it a try?

Category: Azul Zulu

Topics: JDK, macOS, OpenJDK, zulu

© Azul Systems, Inc. 2020 All rights reserved.