Notarization Process for macOS installers

Notarization for macOS installers is a security measure implemented by Apple to verify the legitimacy and safety of software distributed outside the Mac App Store. It essentially gives users more confidence that the app they’re about to install hasn’t been tampered with and is free from malware. 

From a packaging perspective, notarization is necessary if the end customer intends to allow users to install packages created by Apptimized manually. If the package has been notarized, users won’t encounter any warnings or need to approve the installation through the “Security” tab in the macOS system. 

Example of a warning that appears when launching a .pkg installer without notarization:

How it works

  1. The developer submits the installer package or disk image to Apple. 
  2. Apple scans the package for malicious code and suspicious content. 
  3. If the scan passes, Apple issues a “ticket” that verifies the app’s legitimacy. 
  4. When users try to install the notarized app, Gatekeeper (macOS’s built-in security system) checks for the ticket. 
  5. If the ticket is present and valid, Gatekeeper allows the installation to proceed without warnings. 

What is needed for the notarization process? 

  1. An active subscription for the Apple Developer Program (https://developer.apple.com/). 
  2. The latest Xcode. The minimum requirement is Xcode 14 (it can be downloaded from the App Store). 
  3. A generated app-specific password (https://support.apple.com/en-us/102654). 

Let’s take a deeper look at the notarization process. 

First, the package installer must be signed. To obtain the necessary certificate, you need to enroll in the Apple Developer Program and download the certificate from the admin portal. The specific certificate required is the “Developer ID Installer”. 

The command for signing the installer is: 

productsign --sign "Developer ID Installer: Company Name XXXXXXX" ./Chrome.pkg ./Chrome_Signed.pkg 

To verify that the installer is signed, use the following command: 

pkgutil --check-signature /PathToTheFile/Chrome_Signed.pkg 

How to notarize the installer? 

As of November 1, 2023, the Apple notary service no longer accepts uploads from Xcode 13 or earlier or from altool. Users who notarize their Mac software with the altool command-line utility or Xcode 13 or earlier must switch to the notarytool command-line utility or update to Xcode 14 or later.

This is how the notarization command will appear:

xcrun notarytool submit /PathToTheFile/Chrome_Signed.pkg --apple-id <apple-account-email> --team-id <teamid> --password <password> --verbose 

  • <apple-account-email> – the Apple ID login username you use with Developer ID services. 
  • <teamid> – the Team ID, which can be found at https://developer.apple.com/account#MembershipDetailsCard 
  • <password> – App-Specific Password, created here – https://appleid.apple.com/account/manage 

To check the notarization status, use the following command: 

xcrun notarytool info <UUID> --apple-id <apple-account-email> --team-id <teamid> --password <password> 

  • UUID is a 36-character string that uniquely identifies a specific notarization request. Users can get it from the notarization request. Example of UUID (id value from the screenshot): 
  • The values for <apple-account-email>, <teamid> and <password> will be the same as those used in the submit command. 

The output of the command should look like this in case of successful notarization: 

The next step is stapling. Stapling refers to the process of associating the notarization information with the application or installer package. After an application or installer has been notarized by Apple, stapling is an additional step that “attaches” the notarization ticket to the software package.

The command for stapling is: 

xcrun stapler staple /PathToTheFile/Chrome_Signed.pkg 

The result of command execution should be the message: “The staple and validate action worked!” 

And that’s all the required actions! The installer has been successfully notarized and stapled, so it’s ready to be installed manually without any issues on any machine. 
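The steps above combined into one fail-closed script, as an added example (not Apptimized's or Apple's own code). It assumes a keychain profile, hypothetically named notary-profile here, was created once with `xcrun notarytool store-credentials`, so the app-specific password is not passed on the command line as in the commands above.

```shell
#!/bin/sh
# Added example: sign, verify, notarize and staple a .pkg, failing closed.
# Assumption: keychain profile "notary-profile" (hypothetical name) was created
# once with `xcrun notarytool store-credentials`, keeping the app-specific
# password out of argv, shell history and CI logs.

# Extract a string field from notarytool's JSON output (--output-format json).
json_field() {  # usage: json_field <name> <json>
  printf '%s' "$2" |
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Only an "Accepted" verdict may proceed to stapling; anything else fails.
is_accepted() { [ "$(json_field status "$1")" = "Accepted" ]; }

notarize_pkg() {  # usage: notarize_pkg <in.pkg> <out.pkg> <identity> <profile>
  src=$1 dst=$2 identity=$3 profile=$4
  productsign --sign "$identity" "$src" "$dst" || return 1
  pkgutil --check-signature "$dst" || return 1
  # --wait blocks until Apple returns a verdict; check the status field
  # explicitly rather than trusting the exit code alone.
  result=$(xcrun notarytool submit "$dst" --keychain-profile "$profile" \
             --wait --output-format json) || return 1
  if ! is_accepted "$result"; then
    # Fetch Apple's findings for the rejected submission.
    xcrun notarytool log "$(json_field id "$result")" \
      --keychain-profile "$profile" >&2
    return 1
  fi
  xcrun stapler staple "$dst" || return 1
  xcrun stapler validate "$dst" || return 1
  # Ask Gatekeeper whether it would accept the installer.
  spctl --assess --type install -vv "$dst"
}

# Runs only when all four arguments are supplied, e.g.
#   ./notarize.sh Chrome.pkg Chrome_Signed.pkg \
#     "Developer ID Installer: Company Name XXXXXXX" notary-profile
if [ "$#" -eq 4 ]; then notarize_pkg "$@"; fi
```

A non-zero exit from the script means the package must not be released; the notarization log printed to stderr lists the reasons for a rejection.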

Please get in touch with our Support team if you have any questions or need assistance, or schedule a demo with our experts.

Go to the Apptimized platform to make a package request. Select the necessary priority and, if you have one, provide a reference for a packaging expert.


Packaging process in 4 simple steps: Apptimized packaging experts tips & use case

Application packaging is a core component of a company’s software management strategy and involves binding the set of files, registry and components to create customized software installations targeted for automated deployment.  

Software management issues have become a regular item on many companies’ agendas. Multiple technologies and approaches are used to resolve them, application packaging being one of the most notable. 

Download the eBook to learn more about Application packaging workflow

Apptimized packaging experts have prepared the optimally useful application packaging content in one convenient eBook. The steps, tips, tools recommendations, process guides, and use case insights are assembled all in one place. Whether you are a packaging expert or just getting started with application packaging there is something to benefit for everyone. 

What is application packaging? 

Application packaging is a set of activities that allows you to structure applications depending on packaging technology.  A package includes additional settings and scripts for software to silently install on many devices in one click without any interaction from the user. This package could be remotely installed with the help of deployment systems such as SCCM, Intune, DMS console, etc. 

Companies need to implement application packaging for many reasons, but mostly because of the following: 

  • Increasing the administration efficiency of infrastructure in terms of continuously growing volumes 
  • Reducing the compatibility issues 
  • Implementing new capabilities not previously available with legacy installations 
  • Optimizing the support costs (i.e., end-user support, software-related support) 
  • Implementing the corporate standards and requirements for software management 
  • Implementing an automated approach to software deployment 
  • Reducing business disruptions caused by the ongoing software updating process 
  • Mitigating security issues 

What application package formats exist? 

The most common packaging formats are MSI, MSIX, App-V, CloudHouse, ThinApp, Intunewin. 

Check details about Application Packaging Environment – Apptimized Workspace and create  MSI, MSIX, App-V, Intunewin packages:

Regardless of the application package format, the file contains installation information for a certain installer to address custom requirements (i.e., files to be installed, installation locations, installation scripts). 

How to package an application? 

Application packaging is a time-consuming process and commonly individual for every company. This complex task requires conformity with application versions, installation prerequisites, tools and, of course, post-configuration actions. 

Regardless of the application type and its complexity, the packaging process must cover the following key milestones: 

The standard application package delivery format is a zip archive with the following folder structure: 

  • Package documentation (i.e., packaging instructions, discovery documentation, etc.) 
  • Package delivery folder (i.e., a set of files needed for the deployment: MSI, MST, CAB, SFT, wrapper etc.)  

For further information, please contact us here or call us on +44 (0)1184 050044. 


CloudHouse your apps with Apptimized

Apptimized is pleased to announce that we have partnered with CloudHouse Technologies and can now support and deliver CloudHouse containerization alongside MSI, App-V, ThinApp, iOS and all major packaging and technology formats.

Same Cost – More Opportunities

Apptimized customers are now able to process CloudHouse Containers for the same low fixed cost as MSI, App-V, ThinApp and iOS application packages.

Save Your Time with CloudHouse Containers

With Cloudhouse Containers, apps only need to be packaged once in containers that handle application runtime, isolation, and full redirection.

As a result, enterprises can complete Windows 10 or Citrix XenApp migration projects successfully, reduce end user computing infrastructure by up to 50 percent, and IT teams spend less time packaging apps and managing compatibility issues.

For more information about CloudHouse, visit their website here.

To find out how Apptimized can support your CloudHouse project, contact us here or give us a call on +44 (0) 1184 050044.
