How can I share a developer-signed app through my website?

Question

Created 1w

Replies 3

Boosts 0

Participants 2

In the past, I used to export a developer-signed test version of my macOS app in Xcode, create a zip archive from the Finder, upload it to my website and share the link to the testers. The last time I did this with macOS 14 the tester was still able to download the test app and run it.

But it seems that with macOS 15 the trick to open the context menu on the downloaded app and click Open to bypass the macOS warning that the app couldn't be checked when simply double-clicking it, doesn't work anymore. Now I'm always shown an alert that macOS couldn't check the app for malware, and pushes me to move it to the bin.

In this StackOverflow topic from 10 years ago they suggested to use ditto and tar to compress and uncompress the app, but neither worked for me.

How can I share macOS apps that I signed myself with testers without physically handing them a drive containing the uncompressed app?

Answered by DTS Engineer in 813582022

macOS 15 removed control-click > Open as a mechanism to bypass Gatekeeper. The current process continues to be documented on our customer website in Safely open apps on your Mac

IMPORTANT For development-signed app, this won’t work if the app uses restricted entitlements, that is, entitlements that must be authorised by a provisioning profile. A development provisioning profile is limited to a specific set of Macs. See TN3125 Inside Code Signing: Provisioning Profiles for all the gory details on that topic.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

1w

Accepted Answer

Recommended

macOS 15 removed control-click > Open as a mechanism to bypass Gatekeeper. The current process continues to be documented on our customer website in Safely open apps on your Mac

IMPORTANT For development-signed app, this won’t work if the app uses restricted entitlements, that is, entitlements that must be authorised by a provisioning profile. A development provisioning profile is limited to a specific set of Macs. See TN3125 Inside Code Signing: Provisioning Profiles for all the gory details on that topic.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

Nickkk OP

1w

Thanks, I wasn't aware that you can allow apps to run from the Privacy section of the System Settings. It's kind of hidden, but I guess that's the point to discourage users from doing so?

Still, there's the question: why is this warning shown for my developer-signed app, only after uploading and downloading it again from my website?

0

Answer 3

DTS Engineer OP

Apple

1w

only after uploading and downloading it again from my website?

Because:

User-level tools, like a web browser, quarantine their downloads.
When you launch a quarantined app, Gatekeeper takes a good look at it [1].
The default system policy only allows Mac App Store and correctly notarised Developer ID apps.

When you build and run code locally, it’s not quarantined so Gatekeeper doesn’t get involved [2].

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Gatekeeper can also be invoked with non-quarantined apps, but that’s a more subtle story.

[2] Again, it’s more subtle than that because Xcode registers the app with Execution Policy framework.

0