Calling time on High Sierra
Saturday, August 8, 2020 6:45 AM
For many years, Apple has operated a policy whereby it provides full support for the current major release of macOS, plus security updates for the two previous major releases. Although many of us have searched for this policy in writing and been unable to find it, that is the way that macOS support works. Under that practice, at present Apple provides full updates for macOS 10.15, and security updates for 10.14 and 10.13. When Big Sur is released, between September and November this year, it will take the lead with full updates, with security updates only for 10.15 and 10.14. Thus, on the release of Big Sur, macOS High Sierra will become unsupported.
The major new feature of High Sierra was of course the first release version of APFS. The last version of APFS released in the 10.13.6 update was 748.51.0, which had no support for Fusion Drives. The current version in Catalina 10.15.6 is 1412.141.1, which gives you an idea of how much it has changed. For instance, High Sierra has no support for the firmlinks on which 10.15 and 11.0 startup Volume Groups depend, and it looks likely that Big Sur’s backups to APFS may also depend on features in APFS which aren’t compatible with High Sierra.
There’s one situation in which High Sierra can be an advantage: if your Mac starts up from an internal hard disk. It’s officially the last version of macOS which is able to boot from an HFS+ volume. If your Mac is stuck having to do that, then you won’t be able to upgrade to Mojave without suffering a significant performance hit, resulting from the severe fragmentation which APFS seems to produce. One way to address this is to start up in Mojave or later from an external SSD. Some enthusiasts have apparently managed to get Mojave to boot from HFS+, but that’s unsupported and likely to break.
For many High Sierra users, another attraction of staying put is Mojave’s privacy protection. For the great majority of users, this needn’t be as much of a pain as has often been claimed. Setting up many apps for the first time can get tedious, but once they are registered with the right access in the Security & Privacy pane, few cause further trouble.
Notarization and security
Staying with High Sierra, though, loses you a lot. Its security knows nothing about notarization, only whether software is signed, and once an app has passed through Gatekeeper checks (only if it’s quarantined), it’s never checked properly again. If it manages to get onto your Mac without the quarantine flag set, then it won’t ever get thoroughly checked. Catalina is considerably more protective, with every launch of every app bringing a check by XProtect, and the added protection provided by hardening and notarization.
We still don’t know how effective hardening and notarization will prove in protecting our Macs, but it appears that High Sierra can’t even check them. You can test this using the previous version of ArchiChect, 2.3, and in Terminal. Drag and drop an app or Installer package onto ArchiChect running on High Sierra, and you should find that it’s unable to check whether the item has been notarized.
Alternatively, use the command
spctl -a -vv -t install itemname
for command tools, Installer packages, etc., or
spctl -a -vv itemname
for an app. In High Sierra, I’m told that you’re unlikely to see any information about notarization status of that item.
Apple has stated its intention to use revocation of notarization as a fine-grained tool instead of the more global revocation of a whole certificate, as a means of blocking specific releases where necessary. As far as I’m aware this hasn’t occurred yet, but if Apple were to block app launch through its control over ticket validation, then Macs running High Sierra would appear to be oblivious.
Apple has had ample time to retrofit support for notarization checks to High Sierra, but to the best of my knowledge hasn’t done so, and is hardly likely to do so before discontinuing its support.
Apple isn’t alone in supporting just the current and two previous releases. Adobe, Microsoft and other major software vendors now operate similar policies. If you don’t upgrade from High Sierra by the autumn/fall, you may well find that your apps are also unsupported and no longer updated.
It’s possible that High Sierra may receive one further security update before support is discontinued. This happened last year (2019), when the last security update for Sierra shipped on 26 September. That was unusual, though, and occurred because Catalina didn’t ship until early October, and Apple needed another Supplemental Update for Mojave.
Once its last Security Update has been delivered, Apple is most unlikely to ever patch vulnerabilities discovered in High Sierra. Ever. That means they’ll remain open to exploits from then on – good enough reason to start planning your way up and out.
If your using a Mac from 2011 or older then you have no choice, you either stay with High Sierra 10.13.6 or upgrade your hardware to a 2014 or newer.