Certificates & identities

Developer ID Application certificate

An Apple-issued certificate that signs Mac apps distributed outside the Mac App Store, so Gatekeeper and notarization can verify them on first launch.

Developer ID certificateDeveloper ID Application

Developer ID Application is the certificate type Mac developers use when they distribute apps outside the Mac App Store. It is a separate signing identity from the Apple Distribution certificate used for the App Store, and it has very different rules: it is issued only to Apple Developer Program teams (not personal teams), and it is what Gatekeeper checks before letting a downloaded app launch on a user's Mac.

Where you see it

Apps shipped from your own website, GitHub Releases, Homebrew, Sparkle auto-updates, or any direct download.
Internal Mac tools distributed inside an organization without using MDM-managed enterprise distribution.
Notarytool submissions: every notarized Mac app must be signed by a Developer ID Application certificate first.

Pairs with two other things

Developer ID Installer: A separate Apple-issued certificate that signs the .pkg installer wrapping a Developer ID Application-signed binary. Required if you distribute as a .pkg.
Notarization: After signing with Developer ID Application, you submit the build to Apple's notary service. Notarization is what removes the 'unidentified developer' warning and lets Gatekeeper green-light the app.

Keep reading

Related terms

Apple Distribution certificate

An Apple-issued certificate that signs builds for TestFlight, the App Store, Ad Hoc distribution, and Mac App Store submission.

Read definition

Code signing certificate

Umbrella term for any Apple-issued certificate used to sign a binary, installer, or push token. Covers Apple Development, Apple Distribution, Developer ID, APNs, Pass Type ID, and Mac Installer certificates.

Read definition

Notarization

Apple's automated malware scan and signature attestation for Mac apps distributed outside the App Store. Required for Gatekeeper to launch a downloaded app without warnings on modern macOS.

Read definition

Hardened runtime

A macOS code signing option that opts a binary into stricter runtime protections (no unsigned memory execution, library validation, no code injection) and is a prerequisite for notarization.

Read definition

PKCS#12 / .p12 file

A password-protected file format that bundles a certificate and its matching private key together. The standard way to move an Apple signing identity between machines.

Read definition

Next step

Help articles on this topic

Create and revoke Apple Developer certificates

Issue a new iOS or macOS certificate from a CSR and revoke certificates without breaking dependent profiles.

6 min readRead article

Rotate an expiring signing certificate without breaking releases

A safe sequence for swapping a soon-to-expire certificate for a new one across every dependent provisioning profile.

5 min readRead article

Upload a private key for a certificate created outside HexSign

Pair a private key with a certificate you originally issued in the Apple Developer portal (or another tool) so HexSign can export .p12 bundles for it.

4 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.

Certificates & identities

Developer ID Application certificate

An Apple-issued certificate that signs Mac apps distributed outside the Mac App Store, so Gatekeeper and notarization can verify them on first launch.

Developer ID certificateDeveloper ID Application

Where you see it

Apps shipped from your own website, GitHub Releases, Homebrew, Sparkle auto-updates, or any direct download.
Internal Mac tools distributed inside an organization without using MDM-managed enterprise distribution.
Notarytool submissions: every notarized Mac app must be signed by a Developer ID Application certificate first.

Pairs with two other things

Developer ID Installer: A separate Apple-issued certificate that signs the .pkg installer wrapping a Developer ID Application-signed binary. Required if you distribute as a .pkg.
Notarization: After signing with Developer ID Application, you submit the build to Apple's notary service. Notarization is what removes the 'unidentified developer' warning and lets Gatekeeper green-light the app.

Keep reading

Related terms

Apple Distribution certificate

An Apple-issued certificate that signs builds for TestFlight, the App Store, Ad Hoc distribution, and Mac App Store submission.

Read definition

Code signing certificate

Read definition

Notarization

Apple's automated malware scan and signature attestation for Mac apps distributed outside the App Store. Required for Gatekeeper to launch a downloaded app without warnings on modern macOS.

Read definition

Hardened runtime

A macOS code signing option that opts a binary into stricter runtime protections (no unsigned memory execution, library validation, no code injection) and is a prerequisite for notarization.

Read definition

PKCS#12 / .p12 file

A password-protected file format that bundles a certificate and its matching private key together. The standard way to move an Apple signing identity between machines.

Read definition

Next step

Help articles on this topic

Create and revoke Apple Developer certificates

Issue a new iOS or macOS certificate from a CSR and revoke certificates without breaking dependent profiles.

6 min readRead article

Rotate an expiring signing certificate without breaking releases

A safe sequence for swapping a soon-to-expire certificate for a new one across every dependent provisioning profile.

5 min readRead article

Upload a private key for a certificate created outside HexSign

Pair a private key with a certificate you originally issued in the Apple Developer portal (or another tool) so HexSign can export .p12 bundles for it.

4 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.