If you develop software for macOS — whether it’s a simple utility app, a desktop productivity tool, or a complex enterprise program — code signing is not just a security checkbox. It’s an absolute requirement.
Apple’s entire ecosystem is built around trust. The operating system, Gatekeeper, and Notarization systems all rely on digital signatures to verify that your software really comes from you, hasn’t been tampered with, and meets Apple’s security policies.
Without a valid code signature, your Mac app won’t install cleanly. Users will see scary warnings like “This app can’t be opened because it is from an unidentified developer” — or worse, the system will block your app entirely.
So where does DigiCert fit into this? While Apple provides its own Developer ID Certificates, many Mac developers use DigiCert Code Signing Certificates too — especially if they’re building cross-platform apps, signing browser plugins, distributing enterprise tools, or maintaining consistent security policies across Windows and macOS.
This guide will explain how DigiCert Code Signing works for Mac developers, when you need it, how it interacts with Apple’s notarization process, and the best practices to keep your app secure and trusted by every Mac user.
Why Code Signing is Essential on macOS
Unlike some operating systems where unsigned apps can still be installed easily, macOS is very strict. Apple’s Gatekeeper — the security feature that checks apps when users download them — looks for:
- A valid code signature from a trusted identity.
- A Developer ID issued by Apple or a certificate trusted by the system.
- Whether the app has been notarized by Apple for modern macOS versions.
If your app fails any of these checks, the user will see a bright red warning that your software may be dangerous. Many people simply won’t proceed — they’ll look for an alternative that doesn’t look suspicious.
Apple Developer ID vs. DigiCert Code Signing: What’s the Difference?
If you build apps for distribution to end-users through direct downloads (not the Mac App Store), Apple requires you to sign your app with a Developer ID Application Certificate, issued directly by Apple via your Apple Developer account.
But that’s not the whole story.
Many Mac developers also use a third-party certificate authority like DigiCert for additional layers of trust and flexibility:
- ✅ Cross-Platform Signing: If your app is also available for Windows or Linux, you may want a single, reputable CA to issue all your code signing certificates. DigiCert’s root is trusted by all major OS platforms, so you don’t have to juggle multiple authorities.
- ✅ Enterprise & Internal Distribution: For custom enterprise software distributed internally (not through the App Store), many companies prefer DigiCert for unified certificate management and compliance.
- ✅ Browser Plugins & Cross-Browser Trust: If your Mac app installs plugins or extensions that need to be trusted by browsers like Chrome, Safari, or Firefox, a DigiCert Code Signing Certificate can simplify multi-platform trust.
- ✅ Unified SmartScreen & Gatekeeper Trust: If your software needs to pass Microsoft SmartScreen and Apple Gatekeeper checks without warnings, using a well-known CA like DigiCert helps build reputation and consistency.
How macOS Gatekeeper Works with Code Signing
Gatekeeper is macOS’s system for verifying that an app:
1️⃣ Comes from a trusted developer (Developer ID signature).
2️⃣ Hasn’t been modified after signing (signature integrity).
3️⃣ Is notarized by Apple (for macOS Catalina and later).
When you sign your app bundle (.app or .pkg), you’re embedding a cryptographic signature that says:
“This software came from me. Here’s proof.”
If Gatekeeper sees a valid signature, the user can run your app without overriding system security settings. If the signature is missing or broken, the app won’t run by default — the user has to use Control-click + Open, which most everyday users won’t bother with.
Notarization: A Required Extra Step
Starting with macOS Catalina (10.15), Apple added another layer: Notarization.
Even if your app is signed, Gatekeeper now checks whether the app has been notarized by Apple. Notarization is an automated scan where you upload your signed app to Apple. They run security checks (malware scanning, known threats) and attach a notarization ticket.
If your app isn’t notarized, Gatekeeper may block it outright — especially if the user’s security settings are set to default.
How DigiCert Code Signing Fits Into macOS Notarization
Here’s how DigiCert works in this context:
- You sign your app with your DigiCert Code Signing Certificate if you want consistent identity across platforms.
- You then notarize the signed app with Apple.
- Apple verifies your signature as part of the notarization process.
- If you only have DigiCert and not an Apple Developer ID, your notarization may fail — so for public distribution, you’ll still need an Apple Developer ID Application Certificate.
- For internal or cross-platform builds, DigiCert helps maintain consistency — especially if your build process signs Windows .exe or .msi files too.
So in practice, many Mac developers use both:
- An Apple Developer ID Certificate for App Store or public Gatekeeper distribution.
- A DigiCert Code Signing Certificate for consistency across Windows/macOS, enterprise signing, or internal tools.
How to Sign and Notarize a macOS App
Here’s the typical process — in narrative steps:
1️⃣ Build Your App Bundle
You build your .app or .pkg using Xcode or your preferred toolchain. Double-check that your bundle ID, version, and entitlements are correct.
2️⃣ Sign Your App
Use the codesign command in Terminal to sign your app.
For example:
If you’re using DigiCert for internal signing, you’d reference the DigiCert identity installed in your keychain.
3️⃣ Verify the Signature
Run:
Check for errors — they can break notarization.
4️⃣ Submit for Notarization
Use xcrun altool or Xcode Organizer to upload your signed app to Apple for notarization:
Wait for Apple to approve. They’ll send an email if the notarization passes or fails.
5️⃣ Staple the Notarization Ticket
Once approved, “staple” the ticket to your app:
This attaches Apple’s notarization proof so Gatekeeper can verify it offline.
6️⃣ Test the Final Build
Run:
This confirms Gatekeeper recognizes your signature and notarization.
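As an added example (not code from the original article), here is the six-step sequence above written as POSIX shell functions that a CI job can call: sign, verify, notarize, staple, then assess with spctl. It uses xcrun notarytool in place of the xcrun altool mentioned above, because Apple retired altool for notarization submissions; the app path, signing identity name and keychain profile name are placeholders to replace with your own, the keychain profile is assumed to have been created once beforehand with `xcrun notarytool store-credentials`, and the DRY_RUN switch only prints each command so the sequence can be checked on a machine without the Apple tools.

```shell
#!/bin/sh
# Added example: sign / verify / notarize / staple / assess pipeline for a macOS .app.
# Not from the original article. All three values below are placeholders (assumptions).
APP_PATH="${APP_PATH:-build/MyApp.app}"
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID1234)}"
KEYCHAIN_PROFILE="${KEYCHAIN_PROFILE:-notary-profile}"   # created with: xcrun notarytool store-credentials
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or just print it when DRY_RUN=1 (for CI dry runs and the test below).
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

sign_app() {
  # --timestamp       : secure timestamp so the signature stays valid after the cert expires
  # --options runtime : hardened runtime, which Apple's notarization service requires
  # --force           : replace any signature the build tool already applied
  run codesign --force --sign "$IDENTITY" --options runtime --timestamp "$APP_PATH"
}

verify_signature() {
  # --deep --strict: check every nested binary and fail on problems notarization would reject
  run codesign --verify --deep --strict --verbose=2 "$APP_PATH"
}

notarize_app() {
  # notarytool accepts a zip, dmg or pkg, not a bare .app; ditto keeps the bundle layout intact
  zip_path="${APP_PATH%.app}.zip"
  run ditto -c -k --keepParent "$APP_PATH" "$zip_path"
  # --wait blocks until Apple returns Accepted or Invalid, so the pipeline fails on rejection
  run xcrun notarytool submit "$zip_path" --keychain-profile "$KEYCHAIN_PROFILE" --wait
}

staple_ticket() {
  # attach the notarization ticket so Gatekeeper can verify the app offline
  run xcrun stapler staple "$APP_PATH"
}

assess_gatekeeper() {
  # spctl reproduces Gatekeeper's decision; non-zero exit means the app would be blocked
  run spctl --assess --type execute -vvv "$APP_PATH"
}

pipeline() {
  sign_app && verify_signature && notarize_app && staple_ticket && assess_gatekeeper
}

# Only run the whole pipeline when asked, so the functions can also be sourced individually.
if [ "${RUN_PIPELINE:-0}" = "1" ]; then
  pipeline
fi
```

On a Mac with the Xcode command-line tools installed, `RUN_PIPELINE=1 sh sign-notarize.sh` runs the full sequence and stops at the first failing step; `DRY_RUN=1 RUN_PIPELINE=1 sh sign-notarize.sh` prints the commands instead. Because the final spctl step exits non-zero whenever Gatekeeper would reject the bundle, a release job that wires this script in cannot ship a build whose notarization or stapling silently did not take.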
Best Practices for Mac Code Signing with DigiCert
✔️ Always Timestamp:
Use a trusted timestamp server so your signature remains valid even after your cert expires.
✔️ Use Secure Key Storage:
For OV, secure your private key. For EV, store your signing key on a hardware token.
✔️ Renew Early:
Keep your certificates renewed ahead of expiry to avoid failed builds or broken trust chains.
✔️ Combine with Developer ID:
For public macOS apps, always maintain your Apple Developer ID — DigiCert complements but does not replace Apple’s notarization requirements.
✔️ Automate Where Possible:
Integrate signing and notarization into your CI/CD pipeline for smooth releases.
Conclusion
Code signing is non-negotiable for Mac developers — it’s how you prove your identity, protect your users, and ensure your apps run without warnings or blocks.
A DigiCert Code Signing Certificate gives you extra flexibility: you can sign cross-platform installers, Windows apps, drivers, and internal enterprise tools while keeping your software reputation strong and your release process secure.
For most Mac developers, the best approach is both:
- Use Apple’s Developer ID for Gatekeeper trust and notarization.
- Use DigiCert to unify your signing across all platforms and projects.
Build once, sign correctly, protect your brand — and make sure your users can install your software without fear.
FAQs
Can Mac developers use DigiCert Code Signing Certificates to sign Mac apps?
Yes, you can use DigiCert Standard or EV Code Signing Certificates to digitally sign your Mac applications and tools. However, if you want your app to run smoothly on Gatekeeper-enabled Macs or distribute it through the Mac App Store, you will need an Apple Developer ID certificate. DigiCert certificates are useful for internal distribution, enterprise scenarios, or some third-party workflows.
What are the main steps to sign a Mac app with a DigiCert certificate?
First, install your DigiCert code signing certificate into macOS Keychain. Then, use the codesign tool in Terminal to sign your application by specifying the certificate’s common name. Finally, verify the signature with the codesign -v command.
How do I install my DigiCert code signing certificate on a Mac?
You install the certificate by importing it into Keychain Access. If provided as a .pfx file, simply double-click and follow the prompts, entering the password if needed. The certificate should appear under “My Certificates” in Keychain.
What should I do if I get a “CSSMERR_TP_NOT_TRUSTED” error during signing?
This indicates your Mac is missing an intermediate certificate. Find the “Issuer Common Name” of your certificate in Keychain, download the matching DigiCert intermediate certificate, and install it on your machine. Try signing again once that’s done.
What are the special requirements for EV code signing on Mac?
EV code signing requires your certificate and private key to be stored on secure hardware, such as a USB token. You must install any required drivers and connect the token to your Mac each time you sign code.
Will apps signed with DigiCert certificates always be trusted by Gatekeeper?
No. Gatekeeper only trusts apps signed with Apple-issued Developer ID certificates. Apps signed with DigiCert certificates are best for enterprise or limited-distribution use but won’t receive Gatekeeper’s “trusted developer” treatment for the general public.
Can DigiCert integrate with Apple’s notarization process?
To use Apple’s notarization, you need an Apple Developer ID certificate, not a DigiCert one. DigiCert certificates are not valid for submitting binaries to Apple’s notarization service.
How do I handle code signing for .pkg installer files in addition to .app files?
For installer packages, you’ll need the Apple Developer ID Installer certificate. Signing .pkg files with DigiCert certificates is not generally supported for distribution outside enterprise workflows—use Apple’s tools and certificates for widespread Mac user trust.
What is DigiCert Code Signing for Mac developers?
DigiCert Code Signing for Mac developers is a process that ensures your software or app is securely signed with a valid digital certificate. This certificate verifies the authenticity of your code and helps prevent tampering, making your application trustworthy for users and systems like Apple’s Gatekeeper.
Can DigiCert Code Signing be used for macOS and iOS apps?
Yes, DigiCert Code Signing certificates can be used for both macOS and iOS apps. For macOS apps, you can use the code signing certificate to sign application bundles, while for iOS apps, the certificate is used in conjunction with Xcode to sign and distribute apps through the App Store or ad-hoc distribution.
Do I need DigiCert Code Signing for apps distributed outside the Mac App Store?
Yes, even for macOS apps distributed outside the Mac App Store, you need DigiCert Code Signing to ensure that your app is recognized as legitimate by Apple’s Gatekeeper. Without it, users may see a warning that the app is from an unidentified developer, which can prevent them from opening the app.
Can I use DigiCert Code Signing for notarizing my macOS app?
Yes, DigiCert Code Signing is required to notarize your macOS app. Notarization is a process that Apple uses to scan your app for malicious content and ensure that it complies with their security standards. A notarized app that is properly signed with a valid certificate from DigiCert will avoid Gatekeeper warnings when installed.
What is the difference between a DigiCert Code Signing certificate and Apple’s Developer ID?
While Apple’s Developer ID is used for signing apps that are distributed outside the Mac App Store, DigiCert Code Signing certificates provide the same functionality, but with additional security and reputation benefits. DigiCert EV Code Signing certificates offer stronger validation, helping your app pass Apple’s notarization and Gatekeeper checks more smoothly than standard certificates.
How long does it take to get a DigiCert Code Signing certificate for Mac apps?
The process of obtaining a DigiCert Code Signing certificate typically takes a few hours to a few days, depending on the type of certificate (Standard vs. EV) and the completion of the required validation steps. EV Code Signing certificates may take longer due to the extensive verification process.