Monday, March 8, 2021

Distributing Mac Apps Without Notarization

Jeff Johnson:

Sometimes a developer needs to send a Mac app to a user for testing, and in that case it’s a pain to upload the app to App Store Connect first and wait for Apple to notarize the app before you distribute it. […] if you normally distribute your app exclusively in the Mac App Store, the app might not have enabled the hardened runtime, and you won’t be able to notarize the app for distribution outside the Mac App Store[…]

The easiest solution is to download the file in a way that doesn’t cause it to be quarantined. This can also be used to work around the recent problem that some users have been encountering where macOS falsely claims that a properly signed and notarized app is damaged.

In my opinion, using curl in this way is the easiest way to distribute a Mac app to a user without notarization. You still can and should sign your app with your Developer ID certificate, as Mac developers did for years before the notarization requirement. If the user wants some assurance about the downloaded app, they can run the codesign command to verify that the app was indeed validly signed with your Developer ID certificate.

I like to run curl like this:

cd ~/Downloads/ && curl -LO ''

The -L flag makes curl follow redirects, and the -O flag saves the file under its remote filename so you don't have to repeat it. Johnson notes that if you download directly to the /Applications folder you can avoid a TCC prompt.


Update (2021-07-02): Howard Oakley:

This article is a demonstration of features in Big Sur which you might have thought would protect you, but because of their inconsistent behaviour could catch you out. This shows how you can download, install and run executable code, such as an app, which isn’t signed with a Developer ID, only an ad-hoc signature, without macOS warning you that the code is potentially dangerous.


Old Unix Geek

Useful advice... hope they don't get rid of curl.

Beatrix Willius

"You need to open the application with a right mouse-click". Every user of my test versions is able to do that. The users don't know quarantine, codesign or notarisation. They only know the error messages on "can't be tested on malicious software". But they can follow a simple instruction.

Your "simple instruction" is facile and incomplete.
