In 2012, Apple added Gatekeeper to Mac OS X (now macOS). When you try to run Mac software downloaded from the internet, Gatekeeper checks whether the software was signed with a valid Developer ID certificate. If not, then Gatekeeper refuses to run the software. Over the years, Gatekeeper has become more strict, recently adding a notarization requirement. On macOS Catalina, Gatekeeper not only checks whether the software was signed by a valid Developer ID certificate, it also "phones home" to check whether Apple has notarized the software, again refusing to run it if the check fails. Mac developers must sign up for the Apple Developer Program, sign a legal agreement, and pay an annual fee of USD $99 plus tax in order to obtain a Developer ID code signing certificate and upload software to Apple for notarization.
Can you distribute Mac software over the internet without signing it, thereby avoiding Developer ID and notarization entirely? Technically, currently, yes, although Apple has indicated that a future version of macOS may not allow unsigned code to run at all. Some people claim that Mac users can "just right click" to run unsigned software. But what does that mean exactly? Let's look at the user experience, in a series of screenshots. For illustration, I created an unsigned application, "MyGreatApp", uploaded it to my server, and then downloaded the app with Safari on macOS 10.15.6, the latest public version of the Mac operating system. (The experience is essentially the same on the beta version of macOS Big Sur, except the new iOS style alerts look even worse.) Here's what you see when you try to open the app normally (double click) in Finder:
This alert mentions the possibility of malware, and the default action is Move to Trash, so we're not off to a good start. Notice that there's no mention of right clicking. If the user happens to notice and click the question mark button — the smallest user interface element in the window! — then a help window opens:
The help document "helpfully" mentions malware in the title. Again, there is no mention of right clicking. But in the last sentence of the document, there's a link to another document "Open an app by overriding security settings":
Finally, we see the instructions to right click. Err, control click. When you control click the app in Finder, you see the contextual menu:
Now select Open in the contextual menu:
Another warning! Again with a scary message mentioning malware and loss of privacy. And again, Move to Trash is the default option. If you do click the Open button, though, it does work as advertised. You can "just" right click to run unsigned Mac software.
If you're a "pro" Mac user, and you already know and expect this procedure, then it's not that difficult. But if you're a Mac user who has never seen this before, the odds that you make it through to the end are near zero. Most users would be scared away, rightfully so. Apple is specifically, deliberately warning you about malware and exposing yourself, so who in their right mind would ignore the warning, if they didn't already know that it was "safe" to ignore?
As a Mac developer, it's nearly impossible to run a viable software business when this is the first-run experience of new customers. You'll never get any new customers! This is why every Mac developer I know signs up for Developer ID and ships only signed, notarized apps. It would be financial suicide to do otherwise. Technically, the option is there to "just right click", but practically it's not a viable distribution option for Mac developers. From a business perspective, there's no avoiding the Gatekeeper.
Thanks to Michael Tsai for pointing out that new Macs with Apple Silicon have stricter requirements for software signing. They will still run unsigned software compiled for Intel processors, but they will not run unsigned software compiled for Apple Silicon processors. However, they will run ad-hoc signed software, which doesn't require a certificate. According to the
man page for the
codesign command-line tool:
If identity is the single letter "-" (dash), ad-hoc signing is performed. Ad-hoc signing does not use an identity at all, and identifies exactly one instance of code. Significant restrictions apply to the use of ad-hoc signed code; consult documentation before using this.
Here's how you ad-hoc sign an app in Xcode:
I didn't test ad-hoc signing before, because I didn't realize there would be difference. After all, ad-hoc signing is specifically designed for running software "locally", in other words, on your own Mac, not on someone else's Mac. As far as I know, it's not intended for software distribution.
The Gatekeeper alert for an ad-hoc signed app is actually a bit more "pleasant", albeit more confusing:
Notice how there's no longer a Move to Trash button, which is progress! However, the alert claims that "This software needs to be updated", which is inaccurate.
If you open the contextual menu and select Open, you see this alert:
Again, you are now able to open the app, although the process is still quite confusing to the novice.
Given the choice between distributing an unsigned app and an ad-hoc signed app, I'd probably ship an ad-hoc signed app, because the alerts seem a little less scary. Nonetheless, in either case you're likely to lose most of your new potential customers at the first step. It should also be noted that I only tested ad-hoc signing with an Intel Mac running Catalina. I don't have an Apple Silicon Developer Transition Kit for testing.
I read a useful comment on Hacker News:
I don't see it mentioned in the article, but what gets me every time is that the "right-click" trick only works the second time you try to launch the app. The first time, right-click or not, MacOS won't let you launch the app.
In my testing on Catalina, this comment is correct. The first right click on an app will only display the first alert from my screenshots, with no Open button. The second right click will display the second alert from my screenshots, with the Open button. Also note that holding down the option key in the contextual menu makes no difference, although I seem to recall that it made a difference on earlier versions of macOS.