Signing your apps for Gatekeeper
Gatekeeper on macOS helps protect users from downloading and installing malicious software by checking for a Developer ID certificate from apps distributed outside the Mac App Store. Make sure to sign any apps, plug-ins, or installer packages that you distribute to let Gatekeeper know they’re safe to install. You can also give people even more confidence in your apps running on macOS Mojave or later by submitting them to Apple to be notarized.
Prepare for distribution
A Developer ID certificate lets Gatekeeper verify that you’re a trusted developer when people download and open your app, plug-in, or installer package from outside the Mac App Store. Software signed with a Developer ID certificate can also take advantage of advanced capabilities such as CloudKit and Apple Push Notifications.
Generate your Developer ID certificate
You can generate your Developer ID certificate in Xcode or in the Certificates, Identifiers & Profiles section of your developer account. Please note that you must be the Account Holder of your development team in the Apple Developer Program in order to generate this certificate.
Sign and test your app
In Xcode, you can enable the hardened runtime capability and declare entitlements for the functions your app requires. Then archive your app and test the user experience of launching your Developer ID-signed app using a Mac.
Build your apps for macOS and submit them to be notarized by Apple using the latest version of Xcode available on the Mac App Store.
Get your software notarized
Give people even more confidence in your software by submitting it to Apple to be notarized. This service automatically scans your Developer ID-signed software and performs security checks. When it’s ready to export for distribution, your software is assigned a ticket to let Gatekeeper know it’s been notarized.
Submitting with Xcode
Unpublished software. It’s easy to get unpublished software notarized with the export process or xcodebuild. Custom build workflows are supported by the xcrun notarytool command-line tool for uploading, and you can use xcrun stapler to assign the ticket to the package.
Published software. To submit software you’ve already published, upload it using the xcrun notarytool command-line tool. Several file types are supported, including ZIP, PKG, and DMG, so you can upload the same package you already distribute to users.
Viewing upload logs
In addition to checking for malicious software, the notary service catches common code signing problems that can prevent your software from installing properly. If notarization fails for your upload, check the status log for details.
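The custom-workflow path described above (upload with xcrun notarytool, read the log on failure, attach the ticket with xcrun stapler) can be scripted as follows. This is an added example, not Apple's own script. The file names and the keychain profile name are placeholders, and it assumes credentials were saved beforehand with xcrun notarytool store-credentials.

```shell
#!/bin/sh
# Added example: submit, gate on the reported status, then staple.
# ARTIFACT, APP and PROFILE are placeholder names, not values from the page.
ARTIFACT="${ARTIFACT:-MyApp.zip}"     # ZIP, PKG or DMG to upload
APP="${APP:-MyApp.app}"               # item that receives the ticket
PROFILE="${PROFILE:-notary-profile}"  # saved with: xcrun notarytool store-credentials

# Constructed sample of the JSON printed by `notarytool submit --output-format json`.
SAMPLE='{"id":"00000000-0000-0000-0000-000000000000","status":"Invalid","message":"Processing complete"}'

# Print the value of a top-level string field ($1) from JSON on stdin.
json_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Succeed only when the notary service reports "Accepted".
is_accepted() {
    [ "$(printf '%s\n' "$1" | json_field status)" = "Accepted" ]
}

notarize() {
    result=$(xcrun notarytool submit "$ARTIFACT" --keychain-profile "$PROFILE" \
        --wait --output-format json) || return 1
    id=$(printf '%s\n' "$result" | json_field id)
    if ! is_accepted "$result"; then
        # The log lists the issues the notary service found in the upload.
        xcrun notarytool log "$id" --keychain-profile "$PROFILE" >&2
        return 1
    fi
    # A ZIP cannot carry a ticket: staple the app (or the PKG/DMG) itself.
    xcrun stapler staple "$APP" && xcrun stapler validate "$APP" || return 1
    # Ask Gatekeeper for its own verdict on the stapled app.
    spctl --assess --type execute -vv "$APP"
}

# Run the real workflow only on a Mac with the artifact present.
if command -v xcrun >/dev/null 2>&1 && [ -e "$ARTIFACT" ]; then
    notarize
else
    # Offline: show the gate rejecting the constructed sample.
    is_accepted "$SAMPLE" || echo "sample rejected: $(printf '%s\n' "$SAMPLE" | json_field status)"
fi
```

In a release pipeline, treat a non-zero return from notarize as a failed build so that nothing unstapled or rejected is published.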
If you notarize Mac software with the Apple notary service using the altool command-line utility or Xcode 13 or earlier, you’ll need to transition to the notarytool command-line utility or upgrade to Xcode 14 or later. Starting November 1, 2023, the Apple notary service will no longer accept uploads from altool or Xcode 13 or earlier. Existing notarized software will continue to function properly.