Chef Software on macOS Catalina

After today (Feb 3, 2020), Apple requires notarization for all software installed on macOS Catalina. Chef has been working to make sure our software is compatible with these required changes and we expect little to no customer impact. You will see these changes roll out starting today for Chef Workstation.

Our other Chef products will include these changes in their next scheduled release, according to their respective normal release cadence. You can also find the upcoming changes in each product’s current channel if you want to get a head start in testing.

This kind of change can be hard to test for all usage scenarios. There are three areas where you may see an impact if we have missed something:

  1. Installation - You may see a Gatekeeper warning.

     • If you do encounter this Gatekeeper warning, you will be unable to install or upgrade that version without workarounds.

  2. Custom gems loaded in your install through chef gem install - We now sign and enable the hardened runtime for all binaries and libraries that we ship, which is a requirement for notarization. macOS will verify these signatures and may prevent loading of unsigned code that has been added after install.

  3. Custom gems that load native extensions - The hardened runtime also signs the memory space of a running application, and if the application tries to access unsigned memory, the process will be killed. Gems with native bindings sometimes load that code in an unsigned way. We encountered this situation when testing chef install and berks install.
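
To spot gem code that was added after install without a signature, the following added example (not Chef's own tooling) lists native-code files under a directory that fail codesign --verify --strict. The function name, the CODESIGN override variable and the directory argument are assumptions made for this example; a file that passes has a valid signature, which does not by itself guarantee that the hardened runtime will load it.

```shell
#!/bin/sh
# Added example: list native code under a directory that has no valid
# code signature. Run on macOS, where the codesign tool is available.
# CODESIGN is a hypothetical override so another verifier can be swapped in.

# Usage: list_unsigned_native_code <directory>
# Prints one path per line for every .bundle, .dylib or .so file that fails
# signature verification.
# Returns 0 if every file verified, 1 if any failed, 2 on a usage error.
list_unsigned_native_code() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    found=0
    list=$(mktemp) || return 2
    # Gem native extensions on macOS are usually .bundle files; .dylib and
    # .so are included because gems may also ship shared libraries.
    find "$dir" -type f \
        \( -name '*.bundle' -o -name '*.dylib' -o -name '*.so' \) \
        -print > "$list"
    # Read from a file rather than a pipe so that "found" survives the loop.
    while IFS= read -r f; do
        if ! "${CODESIGN:-codesign}" --verify --strict "$f" >/dev/null 2>&1; then
            printf '%s\n' "$f"
            found=1
        fi
    done < "$list"
    rm -f "$list"
    return "$found"
}

# When the script is given a directory argument, scan it.
if [ "$#" -ge 1 ]; then
    list_unsigned_native_code "$1"
fi
```

Point it at the directory where your custom gems are installed; any path it prints is a candidate for the loading failures described above.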

If you run into any problems, please reach out on our Chef Community Slack or contact your Chef Software support representative.

If you are interested, Apple previously detailed updates to the notarization process that take effect today, February 3rd, 2020. You can also read about the notarization requirements and process here.