A few pictures from 2020: 3. The living

(Previously: A few pictures from 2020: 2. Cinefilm. Following: A few pictures from 2020: 4. Deepest black)

Mandarin duck, Kensington Gardens
In March I discovered that the jammed Minolta Auto-Rokkor 55mm lens I’d just cleaned and lubricated was lovely for portrait-distance shots. But I didn’t use it as much as I should have, because I also discovered I’d reassembled it with the wrong focus at infinity, so it was only good for portrait-distance shots. I never did fix that. Anyway, the nice duck above was one of those shots.

In May I discovered that, if you walked along the sketchy bit of land between the Westbourne Bridge and Royal Oak tube stations just beyond Paddington and peered down over the wall toward the tracks at the right time of day, you would find a family of foxes playing. I came back with a long lens (cheap Soviet Jupiter-11) and took these, a sequence of photos I really love. This was such a joy during a pretty bleak time.


I took the Jupiter lens again to the park in September to try to get a photo of magpies in flight. I do like magpies: they’re beautiful and they move in a very interesting way. They’re quick and sudden, they hop a lot, and they never exactly take off — they just hop and hop and, at the moment they want to take flight, suddenly the last hop turns out to have been liftoff.

There’s a superstition that it’s bad luck to see a lone magpie, but I decided a few years ago that I would always look at a magpie, and appreciate it.

But they’re really hard to photograph in motion, because they move in such unexpected ways. Here’s as good as I managed, a group giving way to an approaching dog:

Magpies scattering as a dog approaches

A crow is simpler in motion. Here’s a crow taking off from the ground. Um, or I think it might actually be a raven. I am not very good at this. It’s much bigger than a magpie and takes a relatively long time to get airborne – but isn’t it fantastic!


A few pictures from 2020: 2. Cinefilm

(Previously: A few pictures from 2020: 1. Keep Going. Following: A few pictures from 2020: 3. The living)

A company called Silbersalz35 sells 35mm cartridges loaded with various sorts of motion-picture film, at a price including processing and scanning. The films have to be developed with the ECN-2 chemical process, so the inclusion of processing matters, as most still film processing labs don’t have ECN-2 facilities.

The Silbersalz 200T film is (I believe) Kodak Vision3 200T cinefilm. The T stands for tungsten: it’s colour-balanced for studio use and has a cold colour if used in natural light without filters, as I did.

I really like the look of these, but they are hard to display online next to digital photos. The typical bright, contrasty, heavily sharpened modern digital image makes these naturalistic images almost invisible when seen on the same page.

* * *

A tennis court next to the West Cross Route in west London. Closed when I took this in May. The buildings in the background are, I think, halls of residence for Imperial College under construction.

White City across the West Cross Route tennis court

Scaffolding on Craven Road, near Paddington station.

Craven Road

Here’s the Bakerloo Line station entrance at Paddington in February. A couple of days later it will be closed permanently, to be replaced by something fancy at an unspecified later date.

Paddington Bakerloo Line entrance

This film is really nice for photographing people – I take a lot of photos of family but I’m reluctant to make them public online, so here’s one of me (taken by my wife) on the 15th of March, very close to the official UK it’s-all-over pandemic date.


Smithfield Market, in May, with construction for the Museum of London at the back.

At Smithfield

Paddington Station in May. I felt very conspicuous taking this.

Paddington station

A few pictures from 2020: 1. Keep Going

(Following: A few pictures from 2020: 2. Cinefilm)

At the start of January 2020, I hopped on a bus to the North Circular to take a couple of photos of bleak, slightly alarming empty urban scenes. Had I known how redundant that would seem later in the year, I might not have bothered. Though it may have been the last time I took a bus for fun.

A distinctive disused storage company in Neasden. Prominent from the North Circular, I’ve always rather liked it.


A rotting board path along the back of the industrial estate in Neasden Recreation Ground ultimately leads to a small pier in the reservoir. I used to go for walks by the reservoir here when I lived near Brent Cross, but I had no recollection of this path. Is the text sinister or welcoming? On the 5th of January I thought sinister, but from this end of the year it feels like an encouraging message from the future.

Keep Going

* * *

Just over two months later, we’re in west London in late March. The weather is bright and the shops are colourful and shiny. But this is bustling Portobello Road and it isn’t really supposed to look like this.

Portobello Road

Other streets nearby are equally peaceful.

Queensway (Key Workers)

Devonshire Terrace

* * *

Getting photos in the park without lots of people in them is a trickier prospect. I’m very fond of the cluster of small oak trees in the bit of Hyde Park known as “the cockpit”, where a roundish ramped area slopes down to the Serpentine. This is a damp June day.

Path and oak, Hyde Park

Or a sunny one in October.

Oaks, Hyde Park

* * *

One industry that seems to have been at least at normal levels all year is construction; here a worker adjusts some fencing on the “cube” building site next to Paddington station.

Building site, Paddington

A Note on a Revox A700 Repair

We have a Revox A700 reel-to-reel tape recorder in our home. We sort of ended up with it, in a story I won’t tell here.

This thing is rather amazing as a device. It came out at the end of 1973, I think, and was madly ambitious as a consumer product. It had all sorts of fancy things: a quartz-clocked capstan motor, servo-controlled spool motors whose speed is continually adjusted based on feedback from tape tension sensors, an optical tape-present sensor, true VU meters, two custom dedicated integrated circuits (in a consumer tape recorder! in 1973!), one for timing adjustment and one for the control logic. It supports three tape speeds (3.75, 7.5, and 15 inches per second) and has a high-quality audio preamp and headphone amp. Its service manual is over 200 pages long. It weighs a massive 24 kg, draws over 100 watts even when not playing anything, and gets very hot.

(For those unfamiliar, Revox was the consumer brand of the Swiss studio electronics company Studer, named after its founder Willi Studer. Revox tape recorders were similar internally to Studers but with more limited I/O and track counts. But when the A700 came out it was in some ways more advanced than any Studer, with much of the electronic stuff turning up in studio gear only later.)

When an A700 is working, it can sound fantastic, although using one is a nutty endeavour at the best of times. I very seldom switch ours on, and then only to play tapes of playlists chosen with my kids that have been recorded to tape from Spotify on my phone. It’s quite calming to have those reels slowly rotating in the background as the music plays, but there’s really no other purpose to it now. It is a massive, heavy, beautifully designed, expensively constructed device that can still perform its job perfectly well and yet is totally obsolete.

The A700 also isn’t all that reliable. It’s a bit like a miniature version of having a classic Ferrari. Ours has had a succession of repairs over the last few years: blown suppression caps (a bit of a fire hazard, replace all the RIFA capacitors), blown motor start/run capacitor (symptom: take-up spool rotates gently backwards instead of insistently forwards: the spool motors are AC motors and rely on big capacitors to achieve momentum), blown something-I-didn’t-understand-and-have-now-forgotten on one of the control boards. Fortunately we haven’t yet had a blown integrated circuit. The failures we’ve had have all been in generic parts, not unobtainable custom ones. Although there are still rather a lot of generic parts in this machine.

In the past when something has broken on this machine I’ve called out a professional to look at it, so it has been expensive as well as impractical. But with the coronavirus going on, when our Revox stopped in the middle of a tape, lit up all the buttons, and refused to start again, it didn’t feel like a good time to be trying to call out an experienced senior repair fellow. And yet, with the coronavirus going on and our horizons shrinking fast, I suddenly really wanted the old Revox not to have broken down. And so these six paragraphs of introduction lead to the much briefer story:

Fuse F6

This is where the magic of the old-school forum-based pre-social-network World Wide Web comes in. I open the back of the Revox and find that fuse F6 on the panel next to the distribution board has blown. I search for “revox a700 fuse f6 blown” and I find this magnificent post:

“This is a blown capacitor 2200µF (FRAKO), C24 plus blown rectifier, D6 on Board.1.067.160 or 161.

“Replace all 4 2200µF (FRAKO capacitors) on this board plus rectifier D6 (by a stronger one e.g. B100C1000).

“Regards, Mart.”

So specific! The capacitor and rectifier numbers don’t actually match up with those on our board, but with the help of a service manual I can see which ones they’re referring to.

This is the power supply board from the A700. The Frako capacitors are, apparently, famous for failing in short-circuit and blowing up other things on the board. This one seems to have only blown up the adjacent rectifier.

I don’t much enjoy soldering, but I de-soldered and tested the four big capacitors and found that the second one (the smallest, a 2200µF 16V cap) had failed. I ordered some replacement caps and rectifiers (the rectifiers are the round black things beneath the big capacitors: the green rectangular chunk is also a rectifier, but I hoped I wouldn’t have to deal with that). I also got replacements for the three smaller Frako capacitors on the board, which unfortunately I could only get with radial wiring: two wires into the bottom of the capacitor rather than one at each end.

When the replacements arrived, I soldered in the new capacitors, but I hesitated over the rectifiers. I’d tested the three round ones with the diode tester on my multimeter and they all showed the right forward voltage. I would really prefer not to have to change those, as they’re quite fiddly. So I put the board back in, slotted in a new fuse, turned on the power… and the fuse blew again.

Gritting my teeth, I desoldered and replaced the three round rectifiers, something that took me longer than I would like to admit, then put the board back and tried again, and it works!

The original 2200µF capacitors are rated at 40V, 16V, and 2x 25V respectively. I ordered replacements at similar ratings, and only afterwards realised I could have bought and fitted four higher-rated caps for 40V or above (they’re smaller nowadays anyway) and they would have fitted fine. The higher voltage-rated ones also have better temperature tolerance, with a 105 degree max instead of 85. But I’m new to this kind of thing.

Anyway: that’s all. I really just wanted to record my thanks to Mart, the author of the reply I quoted above, and also to Kurt, who asked the question. This exchange is from 2014, which is recent enough to give hope that the searchable, stable, forum-style Web might still be alive somewhere.

Notes on the Minolta SR-1 (Model B)

Minolta SR-1 model A (left) and B (right) from the back

A few months ago I published an epic about the first version of the Minolta SR-1 camera: Notes on the Minolta SR-1 (Model A). Released in 1959, that was the first in a series of 35mm film SLRs that Minolta branded the SR-1, a line that continued until 1971. This post will be about the model B: pointing out some differences from the model A within the camera, then some remarks about replacing the mirror and the leather cover.

The revisions have unofficial names that various sources seem to accept:

  • Model A (1959): a cut-down version of the SR-2 from 1958, with the fastest shutter speed (1/1000 sec) removed
  • Model B (1960): made the speed selection dial simpler to use: with a model A you have to lift the dial to turn it, but with a model B you can just flick it around
  • Model C (1961): introduced a fully-automatic aperture, so that the aperture returned to fully-open (ready for focusing) immediately after taking the shot, rather than only when the film was wound on
  • Model D (1962): added a mount for a clip-on light meter on the front of the camera
  • Model E (1963): moved the film counter from left to right of the top of the body (as seen from behind), restyled the advance lever, and introduced a larger mirror
  • Model V (1965): redesigned the body to a squarer shape, and made various minor functional changes. Unlike these other model letters, the Model V designation was official
  • SR-1s (1967): reintroduced the 1/1000 sec fastest shutter speed

Although these look like incremental updates, it turns out that quite a bit changed within the camera from one model to the next.

I think the logic is: The SR-1 was always the label for Minolta’s “entry-level” 35mm SLR, and it was always a cut-down version of some “premium” model. But as they kept releasing new premium models, they also kept updating what the SR-1 was a cut-down version of, so that they could use the same manufacturing process for both cameras.

  • Model A (1959): cut-down version of the SR-2 (1958)
  • Model B (1960): cut-down version of the SR-3 (1960), which added a light meter attachment on the front (not yet included in the SR-1)
  • Model C (1961): cut-down version of the SR-3 (1961), which was revised that year to introduce the fully-automatic aperture (the SR-1 has that feature but still omits the light meter attachment)
  • Model D (1962): inherits the light meter attachment from the SR-3, effectively replacing that model; the SR-3 is dropped, and the premium model becomes the new SR-7 with built-in light meter
  • Model E (1963): cut-down version of the SR-7 (1962), omitting the built-in light meter and using the attachment instead
  • Model V (1965): cut-down version of the SR-7 Model V (1965), omitting the built-in light meter and using the attachment instead
  • SR-1s (1967): cut-down version of the SR-7 Model V; finally has the same feature set as 1961’s high-end SR-3

So the changes on the inside reflected Minolta’s current camera design even when they made little difference to the external working of the camera.

Anyway, here’s my survey. The same disclaimer as before applies: I don’t know what I’m doing, just learning as I go, so please don’t follow anything I say and ruin your own camera. Once again, I bought two examples of this camera (both non-working this time) and dug in.

Survey of features

Refer to my earlier article for a description of the SR-1 model A. I can only see three external changes in the model B.

Model A (above) and B (below)

The most significant one is the speed selection dial, which is slightly smaller, turns without being lifted first (and does so with a very satisfying click), and lists the speeds in the opposite order, which I believe means switching from the same order as used by Nikon to that of Pentax and Canon.

Apart from that, the viewfinder now has a bayonet attachment fitting on it, and has changed from black to silver; and the tripod mount on the base of the camera is a little thicker and stronger-looking. Oh, and one of the screws on the bottom has moved a few millimetres.

There is one other change that’s only visible when the camera doesn’t have a lens attached: the aperture lever within the lens mount now has a curved cutout and travels along a circular section rather than in a straight line.

The camera has the same dimensions as its predecessor and is about 10g lighter, a negligible difference.

What’s under the top cover

So the outside is almost unchanged, with only a few near-cosmetic updates. On the inside, the first surprise comes when the top cover is lifted:

Light meter attachment block, on the inside of the camera only

The attachment block for the external light meter, a feature that wouldn’t appear in the SR-1 until two years later, is already there! It’s on the left, beneath the SR-1 wording. It even has a corner shaved off so that the original SR-1 cover still fits over it.

The rest of the top is more familiar. The rear cover release, rewind knob, and exposure counter on the left are all unchanged. The winding gear and base plate on the right are essentially the same. Sadly the shutter button plate, the bit that actually gets pressed down by the shutter button and that was so convenient to be able to access when testing, has gone into hiding behind the light meter mount.

(I haven’t dug in under the winding base plate, but I suspect they may have removed the cutout and pin in one of the gears, which prevented double exposures by holding up the shutter button until winding is complete, since there is now a mechanism for this in the base of the camera.)

The speed dial of course has been redesigned, but it uses the same arrangement of levers, and the slow-speed gear (both the driving axes and the gear itself, in the bottom of the camera) is the same.

There are a couple of nice improvements around the viewfinder and prism. The first is that the prism no longer has a foam seal glued directly onto its silvering, so it doesn’t suffer from the corrosion that afflicted both of my model A cameras.

The second is the addition of three height-and-level adjustment screws for the focusing screen beneath the prism. One of these can be seen in the picture below, just in front of the viewfinder eyepiece mount. (The others are at left and right of the front edge of the box.)

These screws allow correction of any focus mismatch between the viewfinder and film plane, by slightly raising or lowering the viewfinder focusing screen so that the distance from there, via the mirror, to the rear of the lens matches that from the film plane.

Although this seems nice to have, an awkward corollary is that both of my model B cameras arrived with the viewfinder focus slightly out (when checked using a ground glass placed in the film plane), whereas the model A cameras were both spot on. However, it is extremely handy if you ever need to replace the mirror, since a replacement might not be of identical thickness.

What’s under the bottom cover

This is where it gets peculiar. The only major user-visible change was the design of the speed dial, and the mechanism for that is on the top of the camera, so we’ve seen it already. What can have changed down here?

SR-1 model B (above) and A (below)

Almost everything! The model A (the one at the bottom, with SR 2 stamped on its base plate) is all linear motions, sliders and fairly simple levers driven from a single big rotary wheel on the left. The model B (above, with SR C on its base plate) is all exotic custom pivoted forms; everything rotates instead of sliding. Correspondingly, there is far more use made of angular wire springs rather than wound linear ones. The shutter springs and their adjusters are unchanged, and so is the motor drive attachment on the right (which is useless, as no motor drive was ever released) but I think every other part is different.

This really boggled my mind when I saw it. In software development terms, I had expected this camera to be a “consolidation release” of bugfixes and maintenance improvements. Instead it’s been rewritten in Javascript.

There are some peculiar decisions here, as well. To use another software term, there are several violations of the principle of separation of concerns:

  • See that screw beneath the bottom of the tripod mount, the one with a wire spring wrapped around it? Well, the only thing keeping the spring wrapped around it is… the tripod mount itself. Remove the tripod mount and the spring just pops off. If you remove the tripod mount for access to something else and then fire the shutter, the spring flies across the room. It’s an important spring as well, as it drives the aperture lever.
  • See the flat copper spring attached to the base plate under the top of the tripod mount? That latches the aperture open. The only thing holding it on to the base of the camera is one of the screws designed to attach the slow-speed gear, on the other side of the base, and the receiving thread for that screw is in the slow-speed gear block. Remove the slow-speed gear, for cleaning say, and you no longer have any way to hold this spring in place and can no longer latch the aperture open. And if you try to fire the shutter, the other spring flies across the room again, because you also had to remove the tripod mount to get at the slow-speed gear fixing screws.

Surely these should not have passed code review.

The angled wire springs can sometimes end up in the wrong place, as well. An example is just about visible in the picture above: left of the tripod mount, the end of a small wire spring pokes up next to the shutter trip lever. That spring is erroneously pulling the shutter trip lever downwards (in the plane of this picture), when it’s supposed to be sprung upwards. With the spring in this position the shutter doesn’t wait for the mirror to open before it fires, so your photo gets cut off by the mirror. The fix is to poke the spring back under the lever, but how did it get here in the first place, and could it happen again?

The camera that had that problem also had a mis-adjustment of its new double-exposure prevention mechanism. This is a little combination of levers and plates over on the top left of the picture above, next to where the shutter axis pokes out of the bottom plate. A sprung plate fits into a notch in the shutter axis; the winding action pushes it aside, so the shutter can be pressed, and when the shutter fires it springs back again. The mechanism has an adjustable eccentric, and if its adjustment screw is wrongly set, it doesn’t push aside far enough, preventing the shutter from being pressed at all. (When I bought this camera, it was described as not working because of a stuck shutter button.)

So even though the overall design is more elegant, these changes don’t seem to be all good. A couple of outcomes are more promising: the winding lever is a bit smoother to turn because it doesn’t have to push these long-travel linear sprung sliders, and the flash sync contact mechanism looks simpler than that in the model A, although I haven’t so much as tested this feature on any of these cameras.

If I had to guess why these changes were made (and I do have to guess: I have no idea) I’d say it’s because Minolta were looking ahead to the following year’s revision of the SR-3 and the corresponding SR-1 model C, with their fully-automatic aperture, a mechanism that presumably could never be driven from the model A’s linear sliders. But I don’t own a model C.

Replacing a mirror

One of these cameras arrived with a very tarnished mirror:

It looks particularly bad in this photo because I’m focusing on the mirror surface, which of course is not in focus when you actually use the viewfinder. In practice the mirror was still just about usable, if cloudy.

On the off-chance that the silvering was just marked, or at least that some of the marks were just marks and not actual damage, I tried a series of increasingly aggressive cleaning solutions: water, alcohol, acetone, silver cleaner. Surprisingly, none of them made it any worse, but none of them helped either. I decided to replace the mirror.

SLR mirrors are silvered on the front, unlike a typical mirror, which has the silver on the back with a coat of paint behind it and the glass in front to protect it. Front silvering avoids a ghost image from light reflecting off the front of the glass, such as you’ll see if you look into your bathroom mirror at 45 degrees from the perpendicular.

SLR mirrors come in all sorts of sizes, so you can’t easily buy a matching replacement (this one is 34x25mm, with 3mm or so snipped off the front corners; newer cameras have larger mirrors). They’re also thin (this one is 1.37mm) and the thickness matters when focusing, although this camera’s adjustable focusing screen means we only need it to be “almost” right.

I found a supplier of individual small front-silvered optical mirrors (Knight Optical), though I would have to cut one down to size. But I also read in a forum somewhere that you can make a front-silvered mirror from the mirror in a cheap make-up compact, by flipping it around and using solvent to remove the paint from the back and reveal the silvered surface. That sounded intriguing.

I bought a glass-cutting tool and a couple of double-sided make-up mirrors from Tiger for £1 each to experiment with. These are made of two thin (1.2mm) round mirrors back-to-back, with a cardboard spacer in between, in a metal frame. One of the mirrors is magnifying, so no use to us, but the other is flat.

The mirrors are backed by white paint, which doesn’t dissolve in paint thinner but does in acetone. Soaking and gentle rubbing with cotton wool took a while, but worked, and left a pleasingly shiny silvered (well, aluminised) surface. The picture above shows one of the magnifying mirrors, which I used to test the solvent, along with two of my attempts at cutting out the right shape from the non-magnifying mirror. I measured, marked, cut, and sanded these mirrors (use protective eyewear and a dust mask! … if you can find one) before removing the paint.

The old mirror in the camera is stuck down onto its flap with three points of glue, whose positions are helpfully marked by raised spots on the back of the flap. Prising the mirror gently away with a small screwdriver was enough to separate it from the flap.

Below is the old mirror, on the left, next to the new, on the right, reflecting a lamp. This time I’ve focused on the lamp rather than the mirror surface. You can see that the old one, though cloudy, works a lot better than you might expect, but the new one is still much clearer.

You can take a perfectly good picture with a cloudy viewfinder, and a scratch or mark on your SLR mirror certainly isn’t the end of the world. It mostly just looks bad on the camera when you look at it with the lens off.

I attached the new mirror at the same gluing points as the old, re-fitted it, then adjusted the viewfinder focus, and the result is really very nice. I’ll be interested to see how, if at all, it weathers the years.

Replacing the leather cover

Replacing the mirror wasn’t a complete success. I seriously messed up part of this adventure: I ripped the leather cover beyond repair when opening the front to get to the mirror box. The leather on this camera is the same as that on the model A, that is, thin and easily torn. In my post about the model A I said that the texture on the leather was good at hiding small tears: that’s true, but there are limits.

The leather on this camera was particularly well stuck down, and I soon discovered that, although you can loosen the glue with a squirt of isopropyl alcohol, that also softens the leather and makes it much more liable to tear.

So as well as replacing the mirror, I set out to replace the leather cover. I already had a sheet of pre-glued “lizard ocher” leather from Aki-Asahi, which I had ordered, just in case, at the same time as the fabric I used to replace the model A shutter curtain. Aki-Asahi sell a lot of pre-cut leathers for particular cameras, but they don’t have one for the SR-1.

I measured up and made a template for the SR-1 covers, both front and back, then cut them out with a Stanley knife. An SVG file of the template can be found here. Loaded into Inkscape and printed with a properly configured printer, it should come out with the correct dimensions. The hardest part by far is cutting the circular hole on the back for the film speed reminder dial.

I don’t entirely approve of putting an inauthentic new cover on a fine old camera like this, and it’s a bit on the cheesy side as well, but I have to confess I quite like the result anyway. Since I had already replaced the mirror in this one with a home-made version, I probably have to think of it as a somewhat personalised object already.

This camera also had a non-working slow-speed gear, which just needed cleaning, and a loose mirror box and viewfinder, due to having somehow lost one of the screws attaching the mirror box to the bottom plate. With these fixed, it’s working again, as is the other camera which came to me with a stuck shutter. In both cases the faster shutter speeds still need a bit of adjustment, and I haven’t yet run any film through them.

On macOS “notarization”

I’ve spent altogether too long, at various moments in the past year or so, trying to understand the code-signing, runtime entitlements, and “notarization” requirements that are now involved when packaging software for Apple macOS 10.15 Catalina. (I put notarization in quotes because it doesn’t carry the word’s general meaning; it appears to be an Apple coinage.)

In particular I’ve had difficulty understanding how one should package plugins — shared libraries that are distributed separately from their host application, possibly by different authors, and that are loaded from a general library path on disc rather than from within the host application’s bundle. In my case I’m dealing mostly with Vamp plugins, and the main host for them is Sonic Visualiser, or technically, its Piper helper program.

Catalina requires that applications (outside of the App Store, which I’m not considering here) be notarized before it will allow ordinary users to run them, but a notarized host application can’t always load a non-notarized plugin, the tools typically used to notarize applications don’t work for individual plugin binaries, and documentation relating to plugins has been slow in appearing. Complicating matters is the fact that notarization requirements are suspended for binaries built or downloaded before a certain date, so a host will often load old plugins but refuse new ones. As a non-native Apple developer, I find this situation… trying.

Anyway, this week I realised I had some misconceptions about how notarization actually worked, and once those were cleared up, the rest became obvious. Or obvious-ish.

(Everything here has been covered in other places before now, e.g. Apple docs, KVRaudio, Glyphs plugin documentation. But I want to write this as a conceptual note anyway.)

What notarization does

Here’s what happens when you notarize something:

  • Your computer sends a pack of executable binaries off to Apple’s servers. This may be an application bundle, or just a zip file with binaries in it.
  • Apple’s servers unpack it and pick out all of the binaries (executables, libraries etc) it contains. They scan them individually for malware and for each one (assuming it is clean) they file a cryptographic hash of the binary alongside a flag saying “yeah, nice” in a database somewhere, before returning a success code to you.

Later, when someone else wants to run your application bundle or load your plugin or whatever:

  • The user’s computer calculates locally the same cryptographic hashes of the binaries involved, then contacts Apple’s servers to ask “are these all right?”
  • If the server’s database has a record of the hashes and says they’re clean, the server returns “aye” and everything goes ahead. If not, the user gets an error dialog (blah cannot be opened) and the action is rejected.

Simple. But I found it hard to see what was going on, partly because the documentation mostly refers to processes and tools rather than principles, and partly because there are so many other complicating factors to do with code-signing, identity, authentication, developer IDs, runtimes, and packaging — I’ll survey those in a moment.

For me, though, the moment of truth came when I realised that none of the above has anything to do with the release flow of your software.

The documentation describes it as an ordered process: sign, then notarize, then publish. There are good reasons for that. The main one is that there is an optional step (the “stapler”) that re-signs your package between notarization and publication, so that users’ computers can skip ahead and know that it’s OK without having to contact Apple at all. But the only critical requirement is that Apple’s servers know about your binary before your users ask to run it. You could, in fact, package your software, release the package, then notarize it afterwards, and (assuming it passes the notarization checks) it should work just the same.

Notarizing plugins

A plugin (in this context) is just a single shared library, a single binary file that gets copied into some folder beneath $HOME/Library and loaded by the host application from there.

None of the notarization tools can handle individual binary files directly, so for a while I thought it wasn’t possible to notarize plugins at all. But that is just a limitation of the client tools: if you can get the binary to the server, the server will handle it the same as any other binary. And the client tools do support zip files, so first sign your plugin binary, and then:

$ zip blah.zip myplugin.dylib
adding: myplugin.dylib (deflated 65%)
$ xcrun altool --notarize-app -f blah.zip --primary-bundle-id org.example.myplugin -u 'my@appleid.example.org' -p @keychain:altool
No errors uploading 'blah.zip'.

(See the Apple docs for an explanation of the authentication arguments here.)

[Edit, 2020-02-17: John Daniel chides me for using the “zip” utility, pointing out that Apple recommend against it because of its poor handling of file metadata. Use Apple’s own “ditto” utility to create zip files instead.]

Wait for notarization to complete, using the request API to check progress as appropriate, and when it’s finished,

$ spctl -a -v -t install myplugin.dylib
myplugin.dylib: accepted
source=Notarized Developer ID

The above incantation seems to be how you test the notarization status of a single file: pretend it’s an installer (-t install), because once again the client tool doesn’t support this use case even though the service does. Note, though, that it is the dylib that is notarized, not the zip file, which was just a container for transport.

A Glossary of Everything Else

Signing — guaranteeing the integrity of a binary with your identity in a cryptographically secure way. Carried out by the codesign utility. Everything about the contemporary macOS release process, including notarization, expects that your binaries have been signed first, using your Apple Developer ID key.

Developer ID — a code-signing key that you can obtain from Apple once you are a paid-up member of the Apple Developer Program. That costs a hundred US dollars a year. Without it you can’t package programs for other people to run them, except if they disable security measures on their computers first.

Entitlements — annotations you can make when signing a thing, to indicate which permissions, exemptions, or restrictions you would like it to have. Examples include permissions such as audio recording, exemptions such as the JIT exemption for the hardened runtime, or restrictions such as sandboxing (q.v.).

Hardened runtime — an alternative runtime library that includes restrictions on various security-sensitive things. Enabled not by an entitlement, but by providing the --options runtime flag when signing the binary. Works fine for most programs. The documentation suggests that you can’t send a binary for notarization unless it uses the hardened runtime; that doesn’t appear to be true at the moment, but it seems reasonable to use it anyway. Note that a host that uses the hardened runtime needs to have the com.apple.security.cs.disable-library-validation entitlement set if it is to load third-party plugins. (That case appears to have an inelegant failure mode — the host crashes with an untrappable signal 9 following a kernel EXC_BAD_ACCESS exception.)

Stapler — a mechanism for annotating a bundle or package, after notarization, so that users’ computers can tell it has been notarized without having to contact Apple’s servers to ask. Carried out by xcrun stapler. It doesn’t appear (?) to be possible to staple a single plugin binary, only complex organisms like app bundles.

Quarantine — an extended filesystem attribute attached to files that have been downloaded from the internet. Shown by the ls command with the -l@ flags, can be removed with the xattr command. The restrictions on running packaged code (to do with signing, notarization etc) apply only when it is quarantined.

Sandboxing — a far more intrusive change to the way your application is run, that is disabled by default and that has nothing to do with any of the above except to fill up one’s brain with conceptually similar notions. A sandboxed application is one that is prevented from making any filesystem access except as authorised explicitly by the user through certain standard UI mechanisms. Sandboxing is an entitlement, so it does require that the application is signed, but it’s independent of the hardened runtime or notarization. Sandboxing is required for distribution in the App Store.