Rubi • Jun 24, 2024 • 4 min read

Guide to Signing, Notarizing and Stapling Your Go App for Distribution outside the Mac App Store

If you're distributing your Mac app outside the App Store, you'll need to sign and notarize it so that it opens without Gatekeeper blocking it on users' machines. This guide walks you through the process.

Understanding Signing and Notarizing


Before we dive into the process, it's crucial to understand what signing and notarizing are and why they're important for your Mac app.

What is Code Signing?

Code signing is a security technology that uses a cryptographic signature to verify the authenticity of your app. It proves that the app comes from a known developer (you, identified by your Developer ID certificate) and hasn't been modified since it was signed.

What is Notarization?

Notarization is an automated process in which Apple scans your app for malicious content and code-signing issues and, if it passes, issues a ticket that Gatekeeper checks. It's an additional layer of security introduced by Apple in macOS Catalina (10.15) and later.

Why Sign and Notarize?

If you don't sign and notarize your Mac app:

Users will see Gatekeeper warnings when trying to open your app.

Your app may be seen as less trustworthy.

On macOS Catalina and later, your app will be blocked by default.

You may lose access to certain macOS features and APIs.

Distribution becomes more difficult as platforms may flag your app as potentially dangerous.

There's no protection against tampering with your app.

By signing and notarizing, you provide a smoother, more trustworthy experience for your users and comply with Apple's security requirements.

Prerequisites

An active Apple Developer account (note your Apple Team ID; you will need it later)

Xcode installed on your Mac

Your app (e.g. Lokal.app, or a Mac app package) ready for distribution

A Bundle ID (covered below)

A "Developer ID Application" and a "Developer ID Installer" certificate (covered below)

An App-Specific Password (covered below)

Creating the App Bundle ID

Go to Certificates, Identifiers & Profiles

Click on Identifiers on the left sidebar

Click New Identifier Icon (+)

Select App IDs, then Continue

Select App as the type, then Continue

Enter a Description and your Bundle ID, and tick the capabilities you need

Done; my Bundle ID is so.lokal.app

Creating the "Developer ID Application" and "Developer ID Installer" Certificates

Go to Certificates, Identifiers & Profiles

Click on Certificates on the left sidebar

Click New Certificate Icon (+)

Scroll to the middle of the page, select "Developer ID Application" or "Developer ID Installer", then Continue. You need both: the Application certificate signs the .app, the Installer certificate signs the .pkg.

Generate Developer ID Certificate

At this step you need a certificate signing request (CSR). Keychain Access generates the CSR from a new private key that stays in your keychain; the certificate Apple issues in return contains the matching public key.

Remember to back up the private key behind that CSR (in Keychain Access, export the certificate together with its private key as a .p12 file): the downloaded certificate alone cannot sign an app, because the key that matches the CSR exists only in the keychain where the CSR was created.

If you lose your certificate signing request file, you need to generate a new CSR and create a new Developer ID certificate (this just happened to me yesterday because I had to downgrade from Sequoia to Sonoma).

Download the certificate

Double-click the .cer file to install it in Keychain Access

If the certificate shows as not valid, you may need to open it (sometimes more than once) and change Trust to "Always Trust". Before doing that, check that Apple's intermediate certificate ("Developer ID Certification Authority") is installed, since a missing intermediate is the usual cause of an invalid chain, and explicit trust overrides on the leaf certificate are a known source of codesign failures.

Creating App-Specific Password

The notary tool requires you to log in with your Apple account; an App-Specific Password is what authorizes the tool as the owner of the account (your regular account password is not accepted).

Visit Manage Your Apple ID; you may need to log in

Click on Sign-In and Security on the left sidebar

Click on App-Specific Passwords

Click the + icon; you may need to enter a label and sign in to your Apple account again.

Once you have all the prerequisites, continue to sign and notarize the app.

Signing your Lokal.app

To make signing more convenient, export the certificate's name (as it appears in Keychain Access) into an environment variable so you don't retype it for every command

Sign your .app package

While this runs, a pop-up asking for keychain password authorization will appear; this is normal.

Generate the installer .pkg and sign the .pkg

The same keychain password pop-up appears here; this is normal.

Notarize the generated .pkg file

IMPORTANT: if this is the first time you have ever notarized a file, your notarization may get stuck, but DON'T PANIC; cancel the notarization process instead (by pressing Control+C). In my case, I just left it for two days and then it just worked fine; in fact, someone even said to run your notarization when it's daytime in California.

Staple the notarized .pkg file

While this is optional, here is why you might want to staple your .pkg file:

Offline Verification: Stapling allows macOS to verify that your app has been notarized even if the user's device is offline.

Improved User Experience: Without stapling, macOS would need to check with Apple's servers every time the app is launched, which could cause delays.

Gatekeeper Approval: A stapled ticket ensures that Gatekeeper immediately recognizes your app as notarized, allowing it to run without warnings.

The staple and validate action worked!
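The whole sequence from signing the .app through stapling the .pkg, plus the notarytool keychain profile that replaces typing the App-Specific Password on the command line, as an added shell script. This is not code from the original post: Lokal.app, Lokal.pkg, the two Developer ID certificate names with team ID TEAMID0000, and the profile name lokal-notary are assumed placeholders to be replaced with your own values. DRY_RUN=1 prints each command instead of executing it, which lets you review the pipeline on a machine without Xcode before running it for real.

```shell
#!/bin/sh
# Added example, not from the original post: sign, package, notarize and
# staple a Go app for distribution outside the Mac App Store.
# Assumed placeholders: Lokal.app / Lokal.pkg, the two Developer ID
# certificate names with team ID TEAMID0000, and the notarytool keychain
# profile "lokal-notary". Override any of them through the environment.
set -eu

APP="${APP:-Lokal.app}"
PKG="${PKG:-Lokal.pkg}"
APP_CERT="${APP_CERT:-Developer ID Application: Example Developer (TEAMID0000)}"
PKG_CERT="${PKG_CERT:-Developer ID Installer: Example Developer (TEAMID0000)}"
PROFILE="${PROFILE:-lokal-notary}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

# Every tool invocation goes through run(): it echoes the command so the
# release log records exactly what was signed with which identity, and it
# executes the command unless DRY_RUN=1.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# One-time setup: notarytool prompts for the App-Specific Password and
# stores it in the login keychain under $PROFILE, so the password is never
# typed on a command line or left in shell history.
store_credentials() {
  run xcrun notarytool store-credentials "$PROFILE" \
    --apple-id "${APPLE_ID:?set APPLE_ID to your Apple account e-mail}" \
    --team-id "${TEAM_ID:?set TEAM_ID to your Apple Team ID}"
}

# Sign the bundle with the hardened runtime and a secure timestamp; both are
# required for notarization to pass. Any helper binaries or frameworks
# nested inside the bundle must be signed first, individually, with the
# same command; --deep is avoided because it does not do that reliably.
sign_app() {
  run codesign --force --timestamp --options runtime --sign "$APP_CERT" "$1"
}

# Check the signature locally before spending a notarization round trip.
verify_app() {
  run codesign --verify --deep --strict --verbose=2 "$1"
}

# Build a signed installer package that places the app in /Applications.
build_pkg() {
  run productbuild --component "$APP" /Applications --sign "$PKG_CERT" "$PKG"
}

# Submit and wait for Apple's verdict. If the submission seems stuck,
# Ctrl-C here and use notary_history / notary_log later with the same profile.
notarize_pkg() {
  run xcrun notarytool submit "$1" --keychain-profile "$PROFILE" --wait
}
notary_history() {
  run xcrun notarytool history --keychain-profile "$PROFILE"
}
notary_log() {   # $1 = submission id shown by submit or history
  run xcrun notarytool log "$1" --keychain-profile "$PROFILE"
}

# Attach the notarization ticket so Gatekeeper can verify offline, then
# check the result the way Gatekeeper itself assesses an installer.
staple_pkg() {
  run xcrun stapler staple "$1"
  run xcrun stapler validate "$1"
  run spctl --assess --type install -vv "$1"
}

release() {
  sign_app "$APP"
  verify_app "$APP"
  build_pkg
  notarize_pkg "$PKG"
  staple_pkg "$PKG"
}

case "${1:-}" in
  credentials) store_credentials ;;
  release)     release ;;
  "")          ;;   # no argument: only define the functions (e.g. when sourced)
  *)           echo "usage: $0 credentials|release" >&2; exit 2 ;;
esac
```

Run `./release.sh credentials` once (it prompts for the App-Specific Password), then `./release.sh release` for every build; `DRY_RUN=1 ./release.sh release` shows the exact commands without touching the keychain. Keeping the password in a keychain profile rather than in an environment variable or the command line is the point of the store-credentials step.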
