@skyzyx
Created August 29, 2022 21:47

Notarization for macOS

Notarization and Gatekeeper

From the support document entitled “Safely open apps on your Mac”:

macOS includes a technology called Gatekeeper, that's designed to ensure that only trusted software runs on your Mac.

If you download and install apps from the internet or directly from a developer, macOS continues to protect your Mac. When you install Mac apps, plug-ins, and installer packages from outside the App Store, macOS checks the Developer ID signature to verify that the software is from an identified developer and that it has not been altered. By default, macOS Catalina also requires software to be notarized, so you can be confident that the software you run on your Mac doesn't contain known malware. Before opening downloaded software for the first time, macOS requests your approval to make sure you aren’t misled into running software you didn’t expect.

In macOS Catalina (10.15), notarization became a requirement for all apps — including those shipped outside the App Store.

notarytool

notarytool describes itself as:

Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. Notarization is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.

When the user first installs or runs your software, the presence of a ticket (either online or attached to the executable) tells Gatekeeper that Apple notarized the software. Gatekeeper then places descriptive information in the initial launch dialog to help the user make an informed choice about whether to launch the app.

We use the notarytool binary for handling the code-signing and submitting a .zip file to Apple for the notarization process. This is all handled automatically as part of the GoReleaser process.
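The sign, submit, parse and verify steps that the paragraph above delegates to GoReleaser, written out as an added shell example. This is not the gist author's script nor GoReleaser's own hook code; the signing identity, the keychain profile name (created beforehand with `notarytool store-credentials`), the artifact paths and the sample `notarytool submit --wait` output are placeholders constructed for this example. The real pipeline only runs when `RUN_NOTARIZE=1` is set on a macOS host with Xcode; the parsing helpers run anywhere.

```shell
#!/bin/sh
# Added example: Developer ID signing, notarization with notarytool and
# post-notarization verification. Illustrative code written for this page,
# not the gist author's or GoReleaser's own scripts. IDENTITY, PROFILE and
# the sample notarytool output below are placeholders / constructed values.
set -eu

IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID0000)}"  # placeholder identity
PROFILE="${PROFILE:-notary-profile}"   # placeholder keychain profile from `notarytool store-credentials`

# Sign with the hardened runtime and a secure timestamp; the notary service
# rejects submissions that lack either. Then verify the signature locally.
sign_binary() {
  codesign --force --options runtime --timestamp --sign "$IDENTITY" "$1"
  codesign --verify --strict --verbose=2 "$1"
}

# notarytool accepts .zip, .pkg and .dmg; ditto preserves the extended
# attributes and resource forks that signature verification depends on.
package_zip() {
  ditto -c -k --keepParent "$1" "$2"
}

# Upload and block until Apple returns a verdict. The text output is passed
# back to the caller so CI can branch on it.
submit_and_wait() {
  xcrun notarytool submit "$1" --keychain-profile "$PROFILE" --wait
}

# Pure helpers that parse notarytool's output; these need no macOS tooling.
notarization_accepted() {
  printf '%s\n' "$1" | grep -qE '^[[:space:]]*status:[[:space:]]*Accepted[[:space:]]*$'
}

extract_submission_id() {
  printf '%s\n' "$1" | awk '/^[[:space:]]*id:[[:space:]]*/ { print $2; exit }'
}

# Stapling attaches the ticket to an app bundle, .pkg or .dmg so Gatekeeper
# can verify it offline. A bare Mach-O binary cannot be stapled; for it,
# Gatekeeper relies on the ticket Apple publishes online.
staple_and_verify() {
  xcrun stapler staple "$1"
  xcrun stapler validate "$1"
  spctl --assess --verbose=4 --type execute "$1"
}

notarize_pipeline() {
  artifact="$1"; zipfile="$2"
  sign_binary "$artifact"
  package_zip "$artifact" "$zipfile"
  out="$(submit_and_wait "$zipfile")"
  if ! notarization_accepted "$out"; then
    # The notary log names each rejected file and the reason (e.g. missing
    # hardened runtime or timestamp), which the summary output does not.
    xcrun notarytool log "$(extract_submission_id "$out")" --keychain-profile "$PROFILE"
    return 1
  fi
  staple_and_verify "$artifact"
}

# Constructed sample of `notarytool submit --wait` output with a placeholder id.
SAMPLE_ACCEPTED='Conducting pre-submission checks for dist.zip and initiating connection to the Apple notary service...
Submission ID received
  id: 00000000-0000-0000-0000-000000000000
Successfully uploaded file
  id: 00000000-0000-0000-0000-000000000000
  path: /tmp/dist.zip
Waiting for processing to complete.
Processing complete
  id: 00000000-0000-0000-0000-000000000000
  status: Accepted'

# Same sample with a rejection verdict, for exercising the failure branch.
SAMPLE_INVALID="$(printf '%s\n' "$SAMPLE_ACCEPTED" | sed 's/status: Accepted/status: Invalid/')"

# Only run the real pipeline when explicitly requested (macOS + Xcode needed).
# Usage: RUN_NOTARIZE=1 sh notarize.sh ./dist/mytool ./dist/mytool.zip
if [ "${RUN_NOTARIZE:-0}" = "1" ]; then
  notarize_pipeline "$1" "$2"
fi
```

The parsing helpers are split out deliberately: a release job should fail closed on anything other than an explicit `status: Accepted`, and on failure it should fetch the notary log by submission id rather than guess at the cause.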
