Distribution & release

Notarization

Apple's automated malware scan and signature attestation for Mac apps distributed outside the App Store. Required for Gatekeeper to launch a downloaded app without warnings on modern macOS.

Apple notarizationNotary servicenotarytool

Notarization is the process where Apple's notary service scans a signed Mac app for malware and known signing problems, then attests that it is okay to launch. It is required for any app distributed outside the Mac App Store on modern macOS. An app that is signed but not notarized still launches, but the first-launch experience is a 'cannot verify the developer' warning that nukes conversion.

What it takes to notarize

A Developer ID Application certificate signing the binary.
Hardened runtime enabled on every binary in the bundle.
A timestamped signature (`codesign --timestamp`).
No prohibited entitlements (the `com.apple.security.cs.*` family is restricted).
An App Store Connect API key or app-specific password to submit through notarytool.

The flow with notarytool

bash

# Submit and wait for the result
xcrun notarytool submit MyApp.zip \
  --key AuthKey_ABC123.p8 \
  --key-id ABC123DEFG \
  --issuer 12345678-90ab-cdef-1234-567890abcdef \
  --wait

# Staple the ticket onto the bundle so Gatekeeper can verify offline
xcrun stapler staple MyApp.app

Why stapling matters

Without stapling, Gatekeeper has to make a network call to Apple to fetch the notarization ticket on first launch. Stapled apps carry the ticket inside the bundle, so they pass Gatekeeper checks even if the user is offline.

Keep reading

Related terms

Hardened runtime

A macOS code signing option that opts a binary into stricter runtime protections (no unsigned memory execution, library validation, no code injection) and is a prerequisite for notarization.

Read definition

Developer ID Application certificate

An Apple-issued certificate that signs Mac apps distributed outside the Mac App Store, so Gatekeeper and notarization can verify them on first launch.

Read definition

Code signing

The process of attaching a cryptographic signature to a binary so the operating system can verify who built it and that nothing has changed since. Required for every app shipped on Apple platforms.

Read definition

App Store Connect API key

A three-part credential (Key ID, Issuer ID, and .p8 private key) Apple issues to authenticate non-interactive access to the App Store Connect API. The modern replacement for sharing Apple ID passwords.

Read definition

Next step

Help articles on this topic

Rotate an expiring signing certificate without breaking releases

A safe sequence for swapping a soon-to-expire certificate for a new one across every dependent provisioning profile.

5 min readRead article

Create and revoke Apple Developer certificates

Issue a new iOS or macOS certificate from a CSR and revoke certificates without breaking dependent profiles.

6 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.

Distribution & release

Notarization

Apple's automated malware scan and signature attestation for Mac apps distributed outside the App Store. Required for Gatekeeper to launch a downloaded app without warnings on modern macOS.

Apple notarizationNotary servicenotarytool

What it takes to notarize

A Developer ID Application certificate signing the binary.
Hardened runtime enabled on every binary in the bundle.
A timestamped signature (`codesign --timestamp`).
No prohibited entitlements (the `com.apple.security.cs.*` family is restricted).
An App Store Connect API key or app-specific password to submit through notarytool.

The flow with notarytool

bash

# Submit and wait for the result
xcrun notarytool submit MyApp.zip \
  --key AuthKey_ABC123.p8 \
  --key-id ABC123DEFG \
  --issuer 12345678-90ab-cdef-1234-567890abcdef \
  --wait

# Staple the ticket onto the bundle so Gatekeeper can verify offline
xcrun stapler staple MyApp.app

Why stapling matters

Keep reading

Related terms

Hardened runtime

A macOS code signing option that opts a binary into stricter runtime protections (no unsigned memory execution, library validation, no code injection) and is a prerequisite for notarization.

Read definition

Developer ID Application certificate

An Apple-issued certificate that signs Mac apps distributed outside the Mac App Store, so Gatekeeper and notarization can verify them on first launch.

Read definition

Code signing

The process of attaching a cryptographic signature to a binary so the operating system can verify who built it and that nothing has changed since. Required for every app shipped on Apple platforms.

Read definition

App Store Connect API key

Read definition

Next step

Help articles on this topic

Rotate an expiring signing certificate without breaking releases

A safe sequence for swapping a soon-to-expire certificate for a new one across every dependent provisioning profile.

5 min readRead article

Create and revoke Apple Developer certificates

Issue a new iOS or macOS certificate from a CSR and revoke certificates without breaking dependent profiles.

6 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.