Apple’s macOS security model has evolved significantly over the past few releases—and application notarization is now a mandatory requirement for most third‑party software distributed outside the Mac App Store.
For software publishers, this change impacts how installers are built, signed, tested, and delivered. In this post, we’ll explain:
- What macOS notarization is and why Apple requires it
- How notarization affects installers and update workflows
- How InstallAnywhere simplifies notarization for macOS installers
What Is Apple Notarization?
Notarization is an automated security check performed by Apple on macOS applications and installer packages. When you submit your software for notarization, Apple scans it for:
- Known malware
- Malicious behavior
- Suspicious code‑signing issues
Once approved, Apple issues a notarization ticket that confirms your software meets Apple’s security requirements.
When a notarized app is launched, macOS Gatekeeper verifies this ticket—either online or offline—before allowing the software to run without warnings.
Key point: Notarization does not replace code signing. Your application and installer must still be properly signed with a valid Apple Developer ID certificate.
Why Apple Requires Notarization
Apple introduced notarization to protect users from malware distributed outside the Mac App Store, while still allowing developers to distribute software independently.
Without notarization, users may see blocking dialogs such as:
“Apple cannot check this app for malicious software.”
Or the installer may fail to launch entirely on newer macOS versions.
From Apple’s perspective, notarization:
- Improves macOS ecosystem security
- Reduces malware propagation
- Preserves user trust in downloaded software
From a software publisher’s perspective, notarization is now non‑optional for professional macOS distribution.
What Needs to Be Notarized?
Depending on how you distribute your software, the following artifacts typically require notarization:
- .app bundles
- Installer packages (.pkg)
- Disk images (.dmg)
- Command‑line tools distributed to end users
If your installer contains embedded binaries, helper tools, launch agents, or frameworks, those components must also be correctly signed—or notarization will fail.
The macOS Notarization Workflow (High Level)
At a high level, the notarization process includes:
- Code sign your application and installer with a Developer ID certificate
- Submit the signed artifact to Apple’s notarization service
- Wait for automated analysis by Apple
- Staple the notarization ticket to the installer or app
- Distribute the notarized installer to customers
While conceptually simple, real‑world installer projects often involve dozens—or hundreds—of files that must be handled correctly.
How InstallAnywhere Simplifies macOS Notarization
InstallAnywhere is designed to help software publishers navigate Apple’s notarization requirements without building custom scripts or fragile workflows.
With InstallAnywhere, you can:
Automate Code Signing
InstallAnywhere supports signing:
- Installer packages
- Embedded applications
- Helper tools and binaries
All from a centralized build configuration.
Streamline Notarization Submission
InstallAnywhere integrates notarization into the installer build process, reducing manual steps and errors.
Ensure Gatekeeper Compatibility
Installers built with InstallAnywhere are designed to pass Gatekeeper checks on modern macOS versions, minimizing end‑user friction.
InstallShield
Create native MSIX packages, build clean installs, and build installations in the cloud with InstallShield from Revenera.
Scale with CI/CD Pipelines
InstallAnywhere works seamlessly in automated build environments, helping teams notarize every macOS build consistently.
Best Practices for macOS Installer Notarization
To avoid last‑minute release delays, consider these best practices:
- Sign every executable file, not just the main app
- Use modern signing tools and avoid deprecated components
- Test installers on clean macOS systems with Gatekeeper enabled
- Integrate notarization early in your build pipeline
- Monitor Apple’s macOS security updates
Final Thoughts
Apple’s notarization requirements are here to stay—and they continue to evolve. For software publishers distributing outside the Mac App Store, notarization is a core release requirement, not an optional step.
By using a purpose‑built installer solution like InstallAnywhere, teams can:
- Reduce notarization failures
- Simplify macOS release processes
- Deliver a smoother experience for end users
