When it comes to distributing your Mac app, the Mac App Store is often the first place developers think of. However, there are many reasons why you might want to distribute your app outside of the App Store, such as avoiding Apple’s review process, reaching a broader audience, or maintaining more control over your app’s distribution.
In this post, we’ll explore the steps you need to take to distribute your Mac app beyond the App Store, including code signing, notarization, and alternative distribution methods.
Note
This is the process I follow, but it may not be the only way or the best way. Always refer to the latest Apple documentation for the most accurate and up-to-date information.
TL;DR
- Code Sign your app with a Developer ID certificate.
- Create a DMG (disk image) for your app.
- Notarize both the .app and the .dmg files.
- Staple the notarization tickets to both files.
- Zip the .app file for distribution.
- Distribute your app via your website, email, or third-party platforms.
Code Signing
To distribute your Mac app outside the App Store, you need to sign it with a Developer ID certificate. This ensures that your app is trusted by macOS and can be installed by users without security warnings.
You can obtain a Developer ID certificate from the Apple Developer website. Once you have the certificate, you can sign your app using the codesign command in Terminal:
codesign --sign "Developer ID Application: Your Name (Team ID)" \
--timestamp \
--options runtime \
/path/to/YourApp.app
If you are using Xcode, you can set the signing options in your project settings to automatically sign your app during the build process and export it as a Developer ID signed app.
Create a DMG
After signing your app, create a DMG (disk image) file for distribution. A DMG provides a professional way to distribute your app and allows users to easily drag and drop your app into their Applications folder.
The easiest way is to use create-dmg, which creates a beautiful DMG with proper settings:
# Install create-dmg
npm install --global create-dmg
# Create the DMG
create-dmg YourApp.app
Notarize
Notarization is an additional security measure that Apple requires for apps distributed outside the App Store. It involves submitting your app to Apple for automated scanning to check for malicious content.
Before submitting, you need to compress your app into a ZIP file. You can do this using the following command:
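cd /path/to/your/app
# --keepParent keeps YourApp.app as the top-level folder inside the archive
ditto -c -k --keepParent YourApp.app YourApp.zip
Once your app is zipped, you can submit it for notarization using the xcrun notarytool command:
# -p names a keychain profile saved earlier with "xcrun notarytool store-credentials"
xcrun notarytool submit -p notarytool <file>
You can check the progress of your notarization request with:
xcrun notarytool history -p notarytool
Repeat the notarization process for the DMG file as well.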
Staple
After your app has been notarized, you need to staple the notarization ticket to your app. This ensures that users can run your app even if they are offline. You can staple the ticket using the following command:
xcrun stapler staple YourApp.app
Repeat this step for the DMG file as well.
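A check that the three codesign options used earlier (Developer ID identity, --timestamp, --options runtime) actually show up in the finished bundle, followed by the staple and Gatekeeper checks. This is an added example, not part of the original post; the function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed `codesign --display --verbose=2` output: Developer ID build.
sample_good() { cat <<'EOF'
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=27+7 location=embedded
Authority=Developer ID Application: Your Name (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2025 at 12:00:00
TeamIdentifier=TEAMID1234
EOF
}
# Constructed output: ad-hoc signed build, none of the three options applied.
sample_adhoc() { cat <<'EOF'
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=27+7 location=embedded
Signature=adhoc
TeamIdentifier=not set
EOF
}

# check_signing_info: reads that output on stdin, prints one line per
# problem, and returns 0 only when all three options are visible.
check_signing_info() {
    info=$(cat); problems=0
    # --sign "Developer ID Application: ..." shows as the leaf Authority
    printf '%s\n' "$info" | grep -q '^Authority=Developer ID Application: ' ||
        { echo "FAIL: no Developer ID Application signature"; problems=1; }
    # --options runtime shows as "runtime" in the CodeDirectory flags
    printf '%s\n' "$info" | grep -Eq '^CodeDirectory .*flags=0x[0-9a-f]+\([^)]*runtime[^)]*\)' ||
        { echo "FAIL: hardened runtime not enabled"; problems=1; }
    # --timestamp shows as a Timestamp= line
    printf '%s\n' "$info" | grep -q '^Timestamp=' ||
        { echo "FAIL: no secure timestamp"; problems=1; }
    return "$problems"
}

# verify_app APP: run the checks against a real bundle (macOS only).
verify_app() {
    codesign --verify --deep --strict --verbose=2 "$1" || return 1  # seal intact
    # codesign writes --display output to stderr
    codesign --display --verbose=2 "$1" 2>&1 | check_signing_info || return 1
    xcrun stapler validate "$1" || return 1        # ticket is stapled
    spctl --assess --type execute -vv "$1"         # Gatekeeper verdict
}

if [ $# -gt 0 ]; then verify_app "$1"; fi
```

Run it as `sh verify.sh /path/to/YourApp.app` on the build machine after stapling; a non-zero exit means the release should not ship.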
Conclusion
Distributing your Mac app outside the App Store gives you more control and flexibility, but it comes with additional responsibilities. Following Apple’s code signing and notarization requirements ensures that your users can install and run your app safely without security warnings.
The key takeaways are:
- Always sign your code with a valid Developer ID Application certificate
- Use the DMG format for professional, secure distribution
- Sign every component in the correct order: app first, then DMG
- Only notarize the outermost container (the DMG in this case)
- Staple the ticket to ensure offline installation works
- Test thoroughly on different Macs and scenarios before releasing
While the process may seem complex at first, it becomes straightforward once you understand the workflow. Consider automating these steps with a build script or CI/CD pipeline for consistent, repeatable releases.
Remember that Apple’s policies and tools evolve over time, so always check the official documentation for the latest requirements and best practices.