Apple's automated malware scan for Mac apps distributed outside the App Store
Notarization is Apple’s automated security-review process for macOS software distributed outside the Mac App Store. Since macOS 10.15 Catalina, Gatekeeper requires it before it will let a downloaded app (one carrying the com.apple.quarantine attribute) launch for the first time.
The developer flow is specific. The developer signs the app with a Developer ID Application certificate issued by Apple, with the hardened runtime enabled and a secure timestamp, then uploads the signed build (as a zip, dmg or pkg) to Apple’s notary service with xcrun notarytool. Apple runs automated checks: a malware scan, signature validation, hardened-runtime enforcement and a review of the entitlements the binaries claim. If nothing is flagged, the service records a notarization ticket on Apple’s servers and makes it available to the developer, who staples it to the app with xcrun stapler so Gatekeeper can verify the notarization offline instead of contacting Apple on first launch. The whole pipeline usually finishes in minutes, not days.
On the user side, Gatekeeper checks the Developer ID signature and looks for a notarization ticket (stapled to the app, or fetched from Apple if the Mac is online) the first time a quarantined app is opened. A notarized app launches normally. A non-notarized app is blocked with the “cannot be opened because Apple cannot check it for malicious software” dialog (reworded in Sequoia to say Apple could not verify the app is free of malware), and an app whose code was modified after signing fails signature validation and is reported as damaged. Through macOS 14 Sonoma the recovery was a Control-click, Open override that surfaced the risk to the user. macOS 15 Sequoia removed that shortcut: after the blocked launch the user must go to System Settings > Privacy & Security and choose Open Anyway, so the bypass is no longer a casual click.
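The developer flow and the user-side check described above, as an added example script (not macup’s own pipeline code). It assumes a hypothetical Developer ID identity string, a notarytool keychain profile named AC_NOTARY created beforehand with `xcrun notarytool store-credentials`, an app bundle at build/macup.app, and a macOS host with the Xcode command-line tools; the JSON-parsing helpers are the only part that runs anywhere else.

```shell
#!/bin/sh
# Added example, not macup's shipped pipeline. Assumptions (hypothetical values):
#   APP       bundle to sign and notarize, default build/macup.app
#   IDENTITY  Developer ID Application identity, as listed by
#             `security find-identity -v -p codesigning`
#   PROFILE   notarytool keychain profile created once with
#             `xcrun notarytool store-credentials AC_NOTARY`
# Requires macOS with Xcode command-line tools (codesign, ditto, xcrun, spctl).
set -eu

APP="${APP:-build/macup.app}"
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (ABCDE12345)}"
PROFILE="${PROFILE:-AC_NOTARY}"

# Pull one top-level string field out of notarytool's --output-format json reply
# (sed only, so the script has no jq dependency).
json_field() {
    printf '%s' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

notary_status() { json_field status "$1"; }
notary_id()     { json_field id "$1"; }

# A ticket is only issued when the service reports Accepted; Invalid means one or
# more checks (signature, hardened runtime, unsigned nested code, ...) failed.
notary_accepted() {
    [ "$(notary_status "$1")" = "Accepted" ]
}

sign_app() {
    # Sign inside-out: nested daemons, helper tools and dylibs first, then the bundle.
    # (Simplified: a real pipeline lists its nested code explicitly rather than
    # signing every executable file under Contents.)
    # --options runtime enables the hardened runtime, which notarization requires;
    # --timestamp embeds a secure timestamp so the signature outlives the certificate.
    find "$APP/Contents" -type f \( -perm -u+x -o -name '*.dylib' \) -print0 |
        xargs -0 codesign --force --options runtime --timestamp --sign "$IDENTITY"
    codesign --force --options runtime --timestamp --sign "$IDENTITY" "$APP"
    codesign --verify --deep --strict --verbose=2 "$APP"
}

notarize_app() {
    # notarytool accepts zip, dmg or pkg; ditto keeps bundle metadata and symlinks intact.
    ditto -c -k --keepParent "$APP" "$APP.zip"
    result=$(xcrun notarytool submit "$APP.zip" --keychain-profile "$PROFILE" \
                 --wait --output-format json) || true
    if notary_accepted "$result"; then
        # Staple the ticket so Gatekeeper can verify offline; validate proves it attached.
        xcrun stapler staple "$APP"
        xcrun stapler validate "$APP"
        return 0
    fi
    printf 'notarization not accepted: status=%s\n' "$(notary_status "$result")" >&2
    sub_id=$(notary_id "$result")
    # The log names each rejected file and why (hardened runtime off, unsigned nested code, ...).
    [ -n "$sub_id" ] && xcrun notarytool log "$sub_id" --keychain-profile "$PROFILE" >&2
    return 1
}

# What a user's Mac does on first launch: assess the bundle under Gatekeeper's execute
# policy. Expect "accepted" and "source=Notarized Developer ID"; an unnotarized build is
# "rejected". spctl evaluates even without the quarantine attribute, so it is a good
# release-time check before the build reaches a browser download.
gatekeeper_check() {
    spctl --assess --type execute --verbose=4 "$1"
    xcrun stapler validate "$1"
}

case "${1:-}" in
    run)   sign_app && notarize_app && gatekeeper_check "$APP" ;;
    check) gatekeeper_check "${2:?path to .app}" ;;
esac
```

Run `sh notarize.sh run` on the build machine after the bundle is produced, and `sh notarize.sh check /path/to/macup.app` on any Mac to see what Gatekeeper will decide. Note that Gatekeeper itself only evaluates bundles that carry the com.apple.quarantine attribute (`xattr -l` shows it on a browser download), which is why a locally built, never-downloaded app launches without any prompt.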
In macup, every daemon binary, helper tool, and desktop build we ship is Developer ID signed and notarized before it leaves our pipeline. You should never need the right-click-open workaround; if you do, stop and verify you downloaded from macup.app.