Developer ID
For software and applications that are downloaded from places other than the Mac App Store, developers can get a Developer ID certificate and submit their software for notarization by Apple. Digitally signing software with a unique Developer ID and including a notarization ticket from Apple lets Gatekeeper verify that the software is not known malware and has not been tampered with. Applications can also take advantage of advanced capabilities such as CloudKit and push notifications.
Preparing Developer ID apps
To distribute your Mac software with Developer ID, you'll need to be a member of the Apple Developer Program or Apple Developer Enterprise Program, obtain a Developer ID certificate, and submit your app to be notarized by Apple. You’ll also need to create a Developer ID provisioning profile for apps using advanced capabilities such as CloudKit.
Managing Developer ID certificate and provisioning profile expiration
Apps signed with a Developer ID are evaluated by Gatekeeper when a customer installs your application. If your application uses a Developer ID provisioning profile to support advanced capabilities, that profile is also evaluated, both at installation time and at every launch. It's helpful to understand how the expiration of your Developer ID certificate and of your Developer ID provisioning profile affects you and your users.
Developer ID certificates are valid for 5 years from the date of creation and Developer ID provisioning profiles generated prior to February 22, 2017*, are valid until your Developer ID certificate expires.
- For apps that don't use a Developer ID provisioning profile
  Gatekeeper evaluates the validity of your Developer ID certificate when your application is installed. As long as the certificate was valid when you signed the app (the secure timestamp that codesign embeds, and that notarization requires, records when that was), users can download and run your app even after the certificate's expiration date. You will, however, need a new certificate to sign updates and new applications.
- For apps that use advanced capabilities with a Developer ID provisioning profile
  Gatekeeper evaluates the validity of your Developer ID certificate when your application is installed, and evaluates the validity of your Developer ID provisioning profile at every launch. As long as the certificate was valid when you signed the app, users can download and run it even after the certificate's expiration date. If the provisioning profile expires, however, the app will no longer launch.
- For installer packages signed with a Developer ID Installer certificate
  Gatekeeper evaluates the validity of your Developer ID Installer certificate when the installer package is run, and the package runs only if that certificate is currently valid. Installer packages signed with a Developer ID Installer certificate that has expired must be re-signed with a valid Developer ID Installer certificate in order to run.
Any Developer ID app signed with a certificate that has been revoked can no longer be installed, and will no longer launch if it is already installed.
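The expiry rules above can be checked against a shipped bundle. The following is an added example (not Apple's tooling or text): it encodes the three cases in a `verdict` function, parses the two dates that matter (the leaf certificate's `notAfter`, read with `openssl x509 -enddate` from the DER file that `codesign -d --extract-certificates` writes, and the `ExpirationDate` in the plist that `security cms -D` decodes from `embedded.provisionprofile`), and runs `spctl --assess`, `codesign --verify`, `stapler validate` and `pkgutil --check-signature` on macOS. The sample plist and the `notAfter` line are constructed inputs; the exact option and output formats of those tools are assumptions from their current man pages, so re-check them against your Xcode version.

```python
"""Added example: audit a Developer ID app or installer package against the
Gatekeeper expiry rules described above. Invokes the macOS tools (spctl,
codesign, stapler, security, openssl); the rule logic and parsers are pure
Python so they can be exercised anywhere."""
import plistlib
import shutil
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Constructed sample inputs (not taken from a real profile or certificate).
SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example Developer ID profile</string>
  <key>ExpirationDate</key><date>2026-02-22T00:00:00Z</date>
</dict></plist>"""
SAMPLE_ENDDATE = "notAfter=Feb  8 2026 12:00:00 GMT"  # assumed openssl -enddate format


def _run(*cmd):
    """Run a command, returning (exit code, combined stdout+stderr)."""
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr


def profile_expiry(decoded_profile: bytes) -> datetime:
    """ExpirationDate from the plist that `security cms -D -i embedded.provisionprofile` prints."""
    exp = plistlib.loads(decoded_profile)["ExpirationDate"]
    return exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)


def openssl_not_after(enddate_line: str) -> datetime:
    """Parse `openssl x509 -noout -enddate` output such as 'notAfter=Feb  8 2026 12:00:00 GMT'."""
    value = " ".join(enddate_line.split("=", 1)[1].split())
    return datetime.strptime(value, "%b %d %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)


def verdict(kind: str, signed_at: datetime, cert_not_after: datetime,
            now: datetime, profile_exp: Optional[datetime] = None) -> str:
    """Gatekeeper outcome per the rules on this page; kind is 'app' or 'installer'."""
    if kind == "installer":
        # Installer packages need a certificate that is valid when the package is run.
        return "runs" if now <= cert_not_after else "blocked: installer certificate expired, re-sign the package"
    if signed_at > cert_not_after:
        return "blocked: secure timestamp is outside the certificate's validity"
    if profile_exp is not None and now > profile_exp:
        # The profile is re-evaluated at every launch, unlike the signing certificate.
        return "blocked: provisioning profile expired, app will not launch"
    return "runs"  # an expired signing certificate alone does not stop an already-signed app


def demo() -> dict:
    """The scenarios from this page, evaluated on the constructed sample inputs."""
    cert_end = openssl_not_after(SAMPLE_ENDDATE)
    prof_end = profile_expiry(SAMPLE_PROFILE_PLIST)
    signed = cert_end.replace(year=2024)   # signed while the certificate was valid
    later = cert_end.replace(year=2027)    # launched after certificate and profile expired
    return {
        "app without profile, cert since expired": verdict("app", signed, cert_end, later),
        "app with expired profile": verdict("app", signed, cert_end, later, prof_end),
        "installer with expired cert": verdict("installer", signed, cert_end, later),
        "app whose timestamp postdates cert expiry": verdict("app", later, cert_end, later),
    }


def audit(path: str) -> dict:
    """Run the macOS checks on an .app bundle or .pkg and collect the expiry dates."""
    p, out = Path(path), {}
    if shutil.which("spctl") is None:
        return {"error": "spctl not found; this part only runs on macOS"}
    kind = "install" if p.suffix == ".pkg" else "execute"
    out["spctl"] = _run("spctl", "--assess", "-vv", "--type", kind, str(p))  # also fails on revocation
    if kind == "install":
        out["pkgutil"] = _run("pkgutil", "--check-signature", str(p))
        return out
    out["codesign"] = _run("codesign", "--verify", "--deep", "--strict", "--verbose=2", str(p))
    out["stapler"] = _run("xcrun", "stapler", "validate", str(p))  # is a notarization ticket stapled?
    with tempfile.TemporaryDirectory() as tmp:
        # codesign writes the leaf certificate as <prefix>0 in DER form.
        _run("codesign", "-d", f"--extract-certificates={tmp}/cert", str(p))
        rc, txt = _run("openssl", "x509", "-inform", "DER", "-in", f"{tmp}/cert0", "-noout", "-enddate")
        if rc == 0:
            out["cert_not_after"] = openssl_not_after(txt)
    prof = p / "Contents" / "embedded.provisionprofile"
    if prof.exists():
        rc, txt = _run("security", "cms", "-D", "-i", str(prof))
        if rc == 0:
            out["profile_expiry"] = profile_expiry(txt.encode())
    return out


if __name__ == "__main__":
    print(audit(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a bundle path on a Mac to see the raw tool output alongside the two expiry dates; with no argument it evaluates the constructed scenarios. The `spctl` assessment is the one check that also catches a revoked certificate, which the date logic alone cannot see.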
Technical notes
- About Gatekeeper
- macOS Code Signing in Depth
- Notarizing macOS Software Before Distribution
- Customizing the Notarization Workflow
- Resolving Common Notarization Issues
- Entitlements Troubleshooting