How to Notarize Mac Apps Easily: A Step-by-Step Guide

A practical, developer-friendly guide to signing, notarizing, stapling, and verifying macOS apps for direct distribution outside the Mac App Store.

If you distribute a macOS app outside the Mac App Store, notarization is not a nice-to-have. It is part of the modern trust path for direct Mac distribution.

Notarization tells macOS that Apple scanned your Developer ID-signed software for known malicious content and attached a trust ticket that Gatekeeper can evaluate. The actual work can feel intimidating the first time, but the process is repeatable once you know the order.

What notarization actually does

Notarization is Apple’s automated security screening flow for Developer ID software distributed outside the Mac App Store. It does not review your app like App Review does. Instead, it checks the submitted build for known security issues and produces a ticket when the submission is accepted.

That ticket can be stapled to your app or disk image so macOS can verify the notarization result even when the user is offline.

What you need before starting

Before you try to notarize anything, make sure the basic foundation is ready:

  • An active Apple Developer Program membership.
  • A Developer ID Application certificate installed in Keychain Access.
  • Xcode or Xcode Command Line Tools installed.
  • An app bundle that launches locally before signing.
  • A notarytool keychain profile or app-specific password.

Step 1: Sign your app bundle

Your app has to be signed before it can be notarized. Replace the certificate name and app path with your own values.

codesign --force --options runtime --timestamp --deep \
  --sign "Developer ID Application: Your Name (TEAMID)" \
  "YourApp.app"

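The --options runtime flag enables the hardened runtime, and --timestamp requests a secure timestamp; the notary service checks for both. Apple recommends against using --deep when signing, because it applies the same options and entitlements to every nested item; for bundles with helper tools or frameworks, sign the nested code first and the outer app last. If your app needs specific capabilities, configure entitlements carefully instead of signing blindly.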

Step 2: Package the app for submission

Apple’s notary service accepts archives such as ZIP files. A common approach is to zip the .app bundle while keeping the parent folder.

ditto -c -k --keepParent "YourApp.app" "YourApp.zip"

Step 3: Submit with notarytool

Submit the archive and wait for the result. The keychain profile should already be stored on your Mac.

xcrun notarytool submit "YourApp.zip" \
  --keychain-profile "DMGKit_Notary" \
  --wait

If the submission fails, inspect the returned log. Most failures are caused by unsigned helper tools, invalid entitlements, missing hardened runtime, or an unexpected binary inside the bundle.

Step 4: Staple the ticket

After approval, staple the notarization ticket to the app or final distributable.

xcrun stapler staple "YourApp.app"

If you are distributing a DMG, you may also staple the exported DMG after it has been signed and notarized. A ZIP archive cannot be stapled, so if you ship a ZIP, recreate it from the stapled app.

Step 5: Verify Gatekeeper acceptance

Verification is the final sanity check before uploading your release.

spctl -a -vvv --type execute "YourApp.app"

For disk images, test on a clean Mac or a separate user account whenever possible. The goal is simple: no confusing warning, no broken mount, and no surprise trust issue after release day.
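Steps 2 to 5 above chained into one fail-closed script, as an added example that is not part of the original guide or of DMGKit. The function names (notary_field, notary_accepted, release) are hypothetical, and the script assumes notarytool's JSON result carries string "status" and "id" fields.

```shell
#!/bin/bash
# Added example (not from the original page): Steps 2-5 as one fail-closed script.
# Assumes Step 1 already signed the app; app path and profile name are placeholders.
set -eu

# Extract a string field from notarytool's one-line JSON result.
notary_field() {  # usage: notary_field <field> <json>
  printf '%s\n' "$2" |
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed only when the notary service reported "Accepted".
notary_accepted() {  # usage: notary_accepted <json>
  [ "$(notary_field status "$1")" = "Accepted" ]
}

release() {  # usage: release <YourApp.app> <keychain-profile>
  local app="$1" profile="$2" zip="${1%.app}.zip" result

  # Pre-flight: the bundle and its nested code must verify before upload.
  codesign --verify --deep --strict --verbose=2 "$app"

  ditto -c -k --keepParent "$app" "$zip"
  result=$(xcrun notarytool submit "$zip" --keychain-profile "$profile" \
             --wait --output-format json)

  if ! notary_accepted "$result"; then
    # Show the per-file issues, then stop so nothing unnotarized ships.
    xcrun notarytool log "$(notary_field id "$result")" \
      --keychain-profile "$profile" >&2
    return 1
  fi

  xcrun stapler staple "$app"
  xcrun stapler validate "$app"
  spctl -a -vvv --type execute "$app"

  # The ZIP uploaded above predates the ticket; rebuild it from the stapled app.
  ditto -c -k --keepParent "$app" "$zip"
}

# Runs only when called with arguments: ./release.sh YourApp.app DMGKit_Notary
if [ "$#" -gt 0 ]; then release "$@"; fi
```

The script checks the reported status explicitly instead of trusting the submit command's exit code, so a rejected build never reaches the stapling or packaging steps.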

The easier DMGKit workflow

DMGKit is designed to turn this into a visual, repeatable release workflow. Instead of rebuilding commands every time, you configure your certificates and notary profile once, then export through a guided process.

  • Design the installer window visually.
  • Prepare signing and notarization settings.
  • Export a polished DMG.
  • Verify the release with DMGKit Inspector before publishing.

Ship cleaner Mac releases

Design, notarize, inspect, and distribute from one native workflow.

DMGKit helps developers turn a fragile release checklist into a polished, repeatable Mac distribution process.

FAQ

Do all Mac apps need notarization?

For direct distribution outside the Mac App Store, notarization is strongly expected and often necessary to avoid Gatekeeper warnings.

Is notarization the same as code signing?

No. Code signing proves developer identity and bundle integrity. Notarization is Apple’s automated security scan and trust ticket flow.

Can DMGKit notarize apps built in Electron or Python?

Yes, DMGKit is designed to help with app bundles from multiple stacks, including native Swift apps, Python apps, Electron apps, Tauri apps, and more.
