Preventing gatekeeper warnings

Hello Everyone,

I have been making an app for OSX and would like to know how to prevent Gatekeeper from showing a warning on a different Mac computer.

Are the right steps to: 1) sign the app, 2) zip the app, and 3) sign the zipped app?

Thanks :slight_smile:

@samRowlands might know

1 Like

Maybe… Not sure…

1 Like

App Wrapper makes it easy to apply the steps in order to allow your application to run on other Macs.

Glossing over the finer details, the process goes more like:

  1. Wrap the application, signing it in process.
  2. Create the archive, ZIP, signed PKG or signed DMG.
  3. Submit the application to Apple for approval of distribution.
  4. Staple the Apple approval to the archive (Zip requires more work because it doesn’t support the needed attributes; XIP does, but Apple only supports Apple’s own apps in XIP archives).

1 Like
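The four steps above, written out as the Apple command-line tools they correspond to, as an added example (this is not App Wrapper's code or anything from the thread). It assumes Xcode's command-line tools are installed, that `SIGN_IDENTITY` is replaced with a real Developer ID Application identity, and that a `notarytool` keychain profile with the name in `NOTARY_PROFILE` was created beforehand with `xcrun notarytool store-credentials`. Signing is shown as a single `codesign` call on the bundle; a real bundle with nested frameworks or helpers is signed inside-out, which is the finer detail the post glosses over. For `.dmg` the function signs the image it is handed; a `.pkg` is assumed to have been signed with `productsign` when it was built.

```python
"""Developer ID pipeline: sign -> archive -> notarize -> staple -> verify.

Added example, not App Wrapper's code. Runs the real Apple tools via subprocess;
plan() only builds the argv lists so the order and targets can be inspected first.
"""
import os
import subprocess

SIGN_IDENTITY = "Developer ID Application: Example Corp (TEAMID0000)"  # placeholder
NOTARY_PROFILE = "AC_PROFILE"  # placeholder: name given to `notarytool store-credentials`


def plan(app: str, archive: str) -> list:
    """Return one argv list per step, in the order the steps must run.

    archive decides the stapling strategy: .dmg/.pkg containers are stapled
    directly; a .zip cannot hold the ticket, so the .app inside is stapled and
    the archive is rebuilt from it (this is what the thread describes).
    """
    ext = os.path.splitext(archive)[1].lower()
    if ext not in (".zip", ".dmg", ".pkg"):
        raise ValueError("archive must be a .zip, .dmg or .pkg")

    steps = [
        # Step 1: sign with the hardened runtime (mandatory for notarization),
        # which in turn requires a secure timestamp from Apple's server.
        ["codesign", "--force", "--options", "runtime", "--timestamp",
         "--sign", SIGN_IDENTITY, app],
        # Fail early if the signature does not cover every nested binary.
        ["codesign", "--verify", "--deep", "--strict", "--verbose=2", app],
    ]

    # Step 2: create (or sign) the container that will be submitted.
    if ext == ".zip":
        steps.append(["ditto", "-c", "-k", "--keepParent", app, archive])
    elif ext == ".dmg":
        steps.append(["codesign", "--timestamp", "--sign", SIGN_IDENTITY, archive])

    # Step 3: submit and block until Apple returns a verdict.
    steps.append(["xcrun", "notarytool", "submit", archive,
                  "--keychain-profile", NOTARY_PROFILE, "--wait"])

    # Step 4: staple the ticket so Gatekeeper can verify offline.
    if ext == ".zip":
        steps.append(["xcrun", "stapler", "staple", app])
        steps.append(["ditto", "-c", "-k", "--keepParent", app, archive])  # re-zip stapled app
        stapled = app
    else:
        steps.append(["xcrun", "stapler", "staple", archive])
        stapled = archive

    # Verification: confirm the ticket is attached and Gatekeeper would accept the app.
    steps.append(["xcrun", "stapler", "validate", stapled])
    steps.append(["spctl", "--assess", "--type", "execute", "--verbose=4", app])
    return steps


def run(steps: list, dry_run: bool = False) -> int:
    """Execute the plan in order, stopping at the first failing step; returns steps run."""
    for argv in steps:
        print("+", " ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)  # CalledProcessError aborts the pipeline
    return len(steps)


if __name__ == "__main__":
    import sys
    app_path, archive_path = sys.argv[1], sys.argv[2]
    run(plan(app_path, archive_path), dry_run="--dry-run" in sys.argv[3:])
```

Run it as `python3 pipeline.py MyApp.app MyApp.dmg --dry-run` to see the exact commands before letting it touch the bundle. The `spctl --assess` check at the end is the same assessment Gatekeeper performs on the other Mac, so a rejection here is what the original question's warning looks like from the command line.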

Don’t forget notarisation, which is also mandatory in Catalina and later.

1 Like

Thank you Sam, this helps a lot. I’ll dig into it a little more. This looks like a possible fit for App Wrapper :slight_smile:

Ah yes, good point. Thank you.

Don’t worry, AppWrapper handles this too :slight_smile:

1 Like

I didn’t know this about AppWrapper. Thanks Tim :slight_smile:

I realize I may not be explaining this correctly as I summed it up as “Submit the application to Apple for approval of distribution”. The Notarization process is similar to the App Store submission process (which App Wrapper also handles).

You’re right. I was merely answering about the steps mentioned.

As we are on the subject, here’s an assumption I have that I would like you to confirm, if you could.
When I code sign and notarise an app in App Wrapper, a new copy is created in the “Wrapped application” folder. My assumption is that, as Apple checks for the BundleID/checksum of the app, the original app has the same BundleID (and, I’d expect, the same checksum, as long as I don’t use trimming options that make effects), so I could take the original app (rather than the one in the “wrapped application” folder), make a dmg from this one, notarise this dmg, and both versions of the app (the original and the one in the “wrapped application” folder) could be transmitted to “anyone” and used fine.
Or is the app actually modified?

The file is actually modified. This is called “stapling”.

Thank you.
Time to read about that.

When you code sign an application bundle, not only is there extra metadata added into the contents, but the actual Mach-O files get modified also. In order to Notarize, you must use the Hardened Runtime attribute for code signing, which in turn forces timestamping, so for each file that is signed, the underlying Apple API connects to Apple. At the very least it is to obtain a timestamp from Apple, but as it’s all closed off, it could be submitting the UUIDs of each executable also.

And yes, once App Wrapper has received confirmation from Apple that the application has been approved, it calls Apple’s Stapler service, which in turn modifies the archive for PKG and DMG, and for Zip it extracts the Zip, modifies the Application and then re-zips it.

Stapling is not required as the approval is stored online, and if macOS has internet access it will check the online ticket. However, if it doesn’t, it can fall back to the stapled ticket.

2 Likes
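The point that signing rewrites the Mach-O files themselves (so the original app and the wrapped copy are not the same bytes) can be checked directly: a signed executable carries an `LC_CODE_SIGNATURE` load command pointing at a signature blob appended to `__LINKEDIT`, and an unsigned one does not. The parser below is an added example written for this thread, not App Wrapper's code or Apple's; it reads the load-command table of thin and universal (fat) Mach-O images and reports which binaries under `Contents/` lack that command. The `build_sample_*` helpers construct minimal arm64 images in memory so the parser can be exercised without a real bundle; the segment sizes and signature offsets in them are made-up values.

```python
"""Report which Mach-O binaries in an .app bundle carry an embedded code signature.

Added example, not App Wrapper's code. Handles thin 32/64-bit images and fat
(universal) wrappers; anything that is not Mach-O (plists, nibs, resources) is skipped.
"""
import os
import struct

MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O header, little-endian on disk
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O header
FAT_MAGIC = 0xCAFEBABE        # universal binary wrapper; its tables are big-endian
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D      # linkedit_data_command locating the signature blob


def _thin_code_signature(data: bytes) -> dict:
    """Walk one image's load commands; return signed flag and blob location."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError(f"not a thin Mach-O image: magic 0x{magic:08x}")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)  # same offsets in both headers
    offset, end = header_size, header_size + sizeofcmds
    result = {"signed": False, "dataoff": None, "datasize": None, "ncmds": ncmds}
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load-command table overruns sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", data, offset + 8)
            result.update(signed=True, dataoff=dataoff, datasize=datasize)
        offset += cmdsize
    return result


def code_signature_info(data: bytes) -> list:
    """One dict per architecture slice; a thin file yields a single-entry list."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [_thin_code_signature(data)]
    nfat = struct.unpack_from(">I", data, 4)[0]
    slices = []
    for i in range(nfat):
        cputype, _sub, off, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        info = _thin_code_signature(data[off:off + size])
        info["cputype"] = cputype
        slices.append(info)
    return slices


def scan_bundle(app_path: str) -> dict:
    """Map each Mach-O under Contents/ (relative path) to 'every slice is signed'."""
    report = {}
    for root, _dirs, files in os.walk(os.path.join(app_path, "Contents")):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(4)
                if len(head) < 4:
                    continue
                le, be = struct.unpack("<I", head)[0], struct.unpack(">I", head)[0]
                if le not in (MH_MAGIC_64, MH_MAGIC) and be != FAT_MAGIC:
                    continue  # not a Mach-O file
                fh.seek(0)
                slices = code_signature_info(fh.read())
            report[os.path.relpath(path, app_path)] = all(s["signed"] for s in slices)
    return report


def build_sample_macho(signed: bool) -> bytes:
    """Constructed minimal arm64 image: one __TEXT segment, optionally a signature command."""
    cmds = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                       0, 0x4000, 0, 0x4000, 7, 5, 0, 0)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x1200)  # made-up blob location
    ncmds = 2 if signed else 1
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    return header + cmds


def build_sample_fat(slices: list) -> bytes:
    """Constructed universal wrapper around thin images, laid out back to back."""
    table = struct.pack(">II", FAT_MAGIC, len(slices))
    offset, body = 8 + 20 * len(slices), b""
    for data in slices:
        cputype = struct.unpack_from("<i", data, 4)[0]
        table += struct.pack(">iiIII", cputype, 0, offset, len(data), 0)
        body += data
        offset += len(data)
    return table + body


if __name__ == "__main__":
    import sys
    for rel, ok in sorted(scan_bundle(sys.argv[1]).items()):
        print(("signed  " if ok else "UNSIGNED") + "  " + rel)
```

Running it against the original app and against the copy in the “Wrapped application” folder shows the difference the thread is describing: the wrapped copy's executables report `signed`, the originals do not, and the two files differ in size because of the appended blob. The same scan on a received bundle is a quick sanity check before wondering why Gatekeeper complained.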

Thank you. I see the picture better now.

1 Like