{
	"id": "c349a4e0-2374-4be3-aa33-8e8e2c5689bf",
	"created_at": "2026-04-06T00:08:35.277521Z",
	"updated_at": "2026-04-10T13:11:51.770806Z",
	"deleted_at": null,
	"sha1_hash": "a5ed60d58725542ca4f72b7d63e2f25ef5a79956",
	"title": "How notarization works",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 124828,
	"plain_text": "How notarization works\r\nPublished: 2020-08-28 · Archived: 2026-04-05 19:09:19 UTC\r\nIn Catalina and Big Sur, notarization is no longer a bonus: for some types of software like extensions and most\r\nplug-ins, it’s essential. The only two general exceptions are software supplied through Apple’s App Store, and\r\nApple’s own software, including the whole of macOS itself. You can still run apps and command tools which\r\nhaven’t been notarized, but if they’ve been downloaded from the Internet or moved to your Mac using AirDrop\r\n(which also sets a quarantine flag) it’s getting progressively more difficult to do so. In Big Sur, it’s no longer just a\r\nmatter of opening the unnotarized app in the Finder.\r\nNotarization\r\nWhen a developer notarizes their software, they have to build it to comply with Apple’s rules, which include\r\nsigning it fully and correctly, and ‘hardening’ the runtime. They can’t submit the app or command tool as it stands,\r\nthough: it has to be packaged in a way that’s acceptable to the Notary Service. That includes disk images (in UDIF\r\nformat), signed flat Installer packages (as explained here), and Zip archives (as used by Xcode to notarize apps).\r\nThe notarization is then specific to the app or executable contained within that.\r\nThe Notary Service checks the submission for malware. If none is found, signatures are in order, and other\r\nrequirements are met, Apple adds its cryptographic hash and other details to its notarization database, and issues a\r\n‘ticket’, which the developer can download and ‘staple’ (attach) to the software.\r\nTickets can’t be stapled to single-file Mach-O executables, but they can be stapled to Installer packages containing\r\nthem. 
They’re most commonly stapled to an app or bundle in the file named CodeResources inside the bundle.\r\nHowever, because its details are recorded in Apple’s database, the ticket doesn’t have to be present for the app to\r\nbe recognised as having been successfully notarized.\r\nThese procedures are straightforward for simple apps built in Xcode. The more complex the app, with helpers and\r\nplug-ins particularly, the more difficult these become. This may involve separate notarization of components,\r\nassembly into the whole, and notarization of that. For smaller developers, this is very demanding: please show\r\nunderstanding if they encounter problems.\r\nFirst run\r\nWhenever you run an app, command tool, or other executable code, macOS looks to see if it has a quarantine flag\r\nset. If it finds one, Gatekeeper looks for a notarization ticket. If that’s stapled to the bundle, its validity is checked\r\nby sending a cryptographic hash to Apple’s servers. If there’s no ticket, and no record of one in your Mac’s local\r\nsecurity database, Gatekeeper sends the cryptographic hash to Apple’s servers to see if they have a ticket on\r\nrecord. This checking has been documented in Catalina by Jeff Johnson, even for unsigned shell scripts.\r\nIf Gatekeeper finds a valid ticket for that hash, either locally or on Apple’s servers, and the signature is good,\r\nXProtect checks that the code contains no known malware, and you’re invited to proceed with running the app.\r\nhttps://eclecticlight.co/2020/08/28/how-notarization-works/\r\nPage 1 of 3\n\nIf the app or code hasn’t been notarized, then the normal process is stopped, and you’re informed of the failure.\r\nYou can then opt to bypass the notarization check if you wish.\r\nFirst run notarization checks can impose significant delays on opening apps, which some users have complained\r\nabout. 
They might complete more quickly when the notarization ticket has been stapled to the app, but the main\r\npurpose of delivering a stapled ticket with software is to enable Gatekeeper to check the ticket when Internet\r\naccess isn’t available. Any repeat checks may use cached results of previous checks recorded in the local security\r\ndatabase, avoiding further delay.\r\nMystery notarization\r\nOccasionally, you may come across old software which couldn’t have been notarized when it was released, but\r\nwhich now behaves as if it has been notarized: put it through app first run with a quarantine flag set, and you’ll see\r\nthe same dialog as for a notarized app. This is because, since its original release, that software has been notarized,\r\nand possibly not even by its original developer, as I explained here.\r\nApple has operated schemes which encouraged developers to retrospectively notarize older versions of their\r\nproducts, and still encourages them to do so whenever possible. Because notarization can also be performed by\r\nthird parties, as well as the developer, it’s quite possible that the developer isn’t even aware. There’s nothing\r\nsinister in this, however spooky it might seem at the time.\r\nFinally, if you do encounter any problems with the notarization of software, please contact its developer, as\r\nthey’re the only ones that can fix it. But appreciate that they may well have been struggling to solve their\r\nnotarization problems for quite some time. Sometimes it isn’t straightforward at all.\r\nSource: https://eclecticlight.co/2020/08/28/how-notarization-works/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://eclecticlight.co/2020/08/28/how-notarization-works/"
	],
	"report_names": [
		"how-notarization-works"
	],
	"threat_actors": [],
	"ts_created_at": 1775434115,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5ed60d58725542ca4f72b7d63e2f25ef5a79956.pdf",
		"text": "https://archive.orkl.eu/a5ed60d58725542ca4f72b7d63e2f25ef5a79956.txt",
		"img": "https://archive.orkl.eu/a5ed60d58725542ca4f72b7d63e2f25ef5a79956.jpg"
	}
}