Security is at the core of every Apple platform. The Mac notary service team is part of Apple Security Engineering and Architecture, and in this Q&A, they share their tips on app distribution and account security to help Mac developers have a positive experience — and protect their users.
When should I submit my new app for notarization?
Apps should be mostly complete at the time of notarization. There’s no need to notarize an app that isn’t functional yet.
How often should I submit my app for notarization?
You should submit all versions you might want to distribute, including beta versions. That’s because we build a profile of your unique software to help distinguish your apps from other developers’ apps, as well as malware. As we release new signatures to block malware, this profile helps ensure that the software you’ve notarized is unaffected.
What happens if my app is selected for additional analysis?
Some uploads to the notary service require additional evaluation. If your app falls into this category, rest assured that we’ve received your file and will complete the analysis, though it may take longer than usual. In addition, if you’ve made changes to your app while a prior upload has been delayed, it’s fine to upload a new build.
What should I do if my app is rejected?
Keep in mind that empty apps or apps that might damage someone’s computer (by changing important system settings without the owner’s knowledge, for instance) may be rejected, even if they’re not malicious. If your app is rejected, first confirm that your app doesn’t contain malware. Then determine whether it should be distributed privately instead, such as within your enterprise via MDM.
What should I do if my business changes?
Keep your developer account details — including your business name, contact info, address, and agreements — up to date. Drastic shifts in account activity or software you notarize can be signs that your account or certificate has been compromised. If we notice this type of activity, we may suspend your account while we investigate further.
I’m a contractor. What are some ways to make sure I’m developing responsibly?
Be cautious if anyone asks you to:
Sign, notarize, or distribute binaries that you didn’t develop.
Develop software that appears to be a clone of existing software.
Develop what looks like an internal enterprise application when your customer isn’t an employee of that company.
Develop software in a high-risk category, like VPNs, system utilities, finance, or surveillance apps. These categories of software have privileged access to private data, increasing the risk to users.
Remember: It’s your responsibility to know your customer and the functionality of all software you build and/or sign.
What can I do to maintain control of my developer account?
Since malware developers may try to gain access to legitimate accounts to hide their activity, be sure you have two-factor authentication enabled. Bad actors may also pose as consultants or employees and ask you to add them to your developer team. Luckily, there’s an easy solve: Don’t share access to your accounts.
Should I remove access for developers who are no longer on my team?
Yes. And we can revoke Developer ID certificates for you if you suspect they may have been compromised.
Learn more about notarization
Notarizing macOS software before distribution