App signed and notarized successfully, but macOS flags it as malicious on other machines

I’m facing an issue with my macOS app after code signing and notarization.

The app is signed with my Developer ID and notarized using xcrun notarytool. Everything works fine on the machine where the signing was done — Gatekeeper accepts it, no warning appears, and codesign/spctl checks pass.

However, when running the same .app on other Macs, users receive a Gatekeeper warning saying the app is "malicious software and cannot be opened". The signature is valid and the notarization log shows status: Accepted.

What I've tried:

  • Verified signature with codesign --verify --deep --strict --verbose=2
  • Checked notarization status via xcrun notarytool log
  • Assessed Gatekeeper trust with spctl --assess --type execute

Everything passes successfully on the development machine.

Why would the app be treated as malicious on other systems even after notarization?

I'm happy to share logs and technical details if needed.

Answered by DTS Engineer in 850263022
it sounds like you are skipping the stapling step.

That seems unlikely. Stapling is only required if the user runs the app on a Mac that doesn’t have access to Apple’s servers. I explain this in The Pros and Cons of Stapling.

7. Only after stapling, create the distribution image.

That’ll work, but my preference is to notarise the outermost container. So, if your ultimate plan is to distribute a disk image, create the disk image, sign it, notarise it, and then staple to the disk image.

There’s a lot more info about this stuff in:


Why would the app be treated as malicious on other systems even after notarization?

Gatekeeper and notarisation are separate things, and the fact that your code passes notarisation doesn’t guarantee that it’ll pass Gatekeeper.

Assessed Gatekeeper trust with spctl --assess --type execute

spctl is not a great way to test Gatekeeper compatibility. Rather, I recommend the approach in Testing a Notarised Product.

I have a bunch of suggestions for how to debug problems like this in Resolving Trusted Execution Problems. The majority of problems like this, where notarisation works but Gatekeeper still blocks the app, are caused by the issue explained in Resolving Gatekeeper Problems Caused by Dangling Load Command Paths.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
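Quinn's last pointer, that notarised apps are most often blocked by load commands whose paths dangle, can be checked before anything is shipped. The following is an added example (not code from Apple or from any poster in this thread): a POSIX shell function that reads `otool -l` output and reports LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB and LC_RPATH entries whose path is absolute but outside /System or /usr/lib. Treating every other absolute path as suspect is this example's own heuristic, and the sample otool output is constructed.

```shell
# Added example, not from Apple or this thread: lint a Mach-O binary's load
# commands for "dangling" paths. Reads `otool -l <binary>` on stdin and prints
# each LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB / LC_REEXPORT_DYLIB / LC_RPATH entry
# whose path is absolute yet outside /System or /usr/lib (heuristic: such paths
# usually point at a build or Homebrew tree that will not exist on the user's
# Mac). @rpath/@executable_path/@loader_path-relative paths are accepted.
find_dangling_paths() {
    awk '
        /^ *cmd / { cmd = $2; next }
        (cmd == "LC_LOAD_DYLIB" || cmd == "LC_LOAD_WEAK_DYLIB" ||
         cmd == "LC_REEXPORT_DYLIB") && /^ *name / { report($0, "name") }
        cmd == "LC_RPATH" && /^ *path / { report($0, "path") }
        function report(line, key,    p) {
            sub("^ *" key " ", "", line)          # drop the field label
            sub(/ \(offset [0-9]+\)$/, "", line)  # drop the trailing offset
            p = line
            if (p ~ /^@(rpath|executable_path|loader_path)\//) return
            if (p ~ /^\/(System|usr\/lib)\//) return
            print cmd ": " p
        }
    '
}

# Constructed sample of `otool -l` output (not taken from a real binary):
# one LC_RPATH still points into the developer's build tree.
SAMPLE_OTOOL='Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name @rpath/Electron Framework.framework/Electron Framework (offset 24)
Load command 13
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 14
          cmd LC_RPATH
      cmdsize 48
         path /Users/dev/build/MyApp/node_modules/foo (offset 12)
Load command 15
          cmd LC_RPATH
      cmdsize 32
         path @executable_path/../Frameworks (offset 12)'

# Returns the findings for the constructed sample (one line per bad path).
check_sample() {
    printf '%s\n' "$SAMPLE_OTOOL" | find_dangling_paths
}

# On a real bundle, run the linter over every file in it, e.g.:
#   find MyApp.app -type f | while read -r f; do otool -l "$f" 2>/dev/null | find_dangling_paths; done
check_sample
```

Run on the sample, it reports only the LC_RPATH into /Users/dev/build; anything it lists for a real bundle should be rewritten with install_name_tool or removed before re-signing and re-notarising.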

I have a similar issue with the difference that I don't pass spctl for some mysterious and arcane reason.

Have you stapled the notarized app with xcrun stapler staple?

Also how are you distributing the app? Compressing the app before sending (.dmg or .zip) might break the signature.

I'm really frustrated with Apple's Gatekeeper blocking my correctly notarized app. They should at least provide clear verbose errors to identify the origin of the problem. I spent more time trying to debug this than building my app...

The application is built with Electron. After building, I sign the .app bundle with my Developer ID and then notarize it using xcrun notarytool submit. The notarization returns as Accepted, and I then package the signed .app into a .dmg.

When testing the resulting .dmg on another Mac that is also signed into my developer account, everything works correctly — the app launches without issues.

I suspect this could be related to intermediate certificates not being correctly embedded or trusted on machines outside my development environment.

From your answer it sounds like you are skipping the stapling step.

  1. Build the Electron .app.
  2. Sign it (electron-osx-sign, hardened runtime, entitlements, etc.).
  3. Notarise and WAIT for “Accepted”:
  4. xcrun notarytool submit MyApp.app --wait
  5. Staple the ticket into the bundle:
  6. xcrun stapler staple MyApp.app ← Mandatory step you are missing (or use notarytool … --wait --staple)
  7. Only after stapling, create the distribution image.
