Mojave’s new level of app security
How can I tell whether an app has been ‘Notarized’? Does it make any difference? Notarization is an extension to app security that’s voluntary in Mojave, aimed at giving stronger confidence that the apps you download from outside the Mac App Store aren’t malware. Code signing, which earlier versions of macOS already used, was intended to do the same, but most Mac malware is now signed with black-market developer certificates.
Notarization involves two steps: the app is first ‘hardened’, then submitted to Apple to be checked for malware.
Hardening forces an app to declare intent to use certain features, such as the intent to access your Mac’s camera. If an app doesn’t obtain an entitlement to do so, macOS won’t allow it access. This limits the potentially bad things apps can do, and, coupled with Mojave’s new privacy protection, stops apps from secretly accessing protected data without consent.
When you first open a downloaded app that has been notarized, you’ll see a new dialog as the app goes through Gatekeeper’s signature checks: the dialog’s icon lacks a yellow warning triangle, and it declares that Apple has checked the app for malware.
Notarized apps also have an extra certificate inside, which you can see if you Ctrl-click one in Finder and choose Show Package Contents. In Contents is a small file named CodeResources, as well as the normal _CodeSignature folder. You can also check using the spctl command in Terminal, or Taccy (free, eclecticlight.co).
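To make the Terminal check concrete, here is an added shell example (not from the column, and not Apple’s or Taccy’s code) that looks for the two signs described above: the CodeResources file in the bundle, and Gatekeeper’s spctl verdict; it also reads codesign’s output for the hardened-runtime flag. The spctl and codesign commands exist only on macOS, so the functions that interpret their output take that text as an argument; the exact output lines they match are assumptions based on Mojave-era behaviour.

```shell
#!/bin/sh
# Added example: inspect a downloaded app for the notarization artefacts
# the column describes. Only macOS has spctl and codesign; the parsing
# functions below take their output as text so they run anywhere.

# Does the bundle carry a stapled ticket file at Contents/CodeResources?
# Prints "stapled" or "unstapled".
has_stapled_ticket() {
    if [ -f "$1/Contents/CodeResources" ]; then echo stapled; else echo unstapled; fi
}

# Classify the text printed by `spctl -a -vv -t execute App.app`.
# Assumed output forms (constructed from Mojave-era behaviour):
#   App.app: accepted            App.app: rejected
#   source=Notarized Developer ID   source=no usable signature
classify_assessment() {
    case "$1" in
        *rejected*)                        echo rejected ;;
        *"source=Notarized Developer ID"*) echo notarized ;;
        *accepted*)                        echo accepted-not-notarized ;;
        *)                                 echo unknown ;;
    esac
}

# Does `codesign -dv --verbose App.app` report the hardened runtime?
# codesign lists it inside the flags field, e.g. "flags=0x10000(runtime)".
has_hardened_runtime() {
    case "$1" in
        *"flags="*"runtime"*) echo hardened ;;
        *)                    echo not-hardened ;;
    esac
}

# Usage on a Mac:  check_app /Applications/SomeApp.app
check_app() {
    app="$1"
    echo "ticket:     $(has_stapled_ticket "$app")"
    if command -v spctl >/dev/null 2>&1; then
        echo "gatekeeper: $(classify_assessment "$(spctl -a -vv -t execute "$app" 2>&1)")"
        echo "runtime:    $(has_hardened_runtime "$(codesign -dv --verbose "$app" 2>&1)")"
    fi
}
```

A bundle that is notarized but was signed without the hardened runtime, or one that Gatekeeper accepts only as "Developer ID", is exactly the case the column warns about: signed is not the same as checked by Apple.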
When you first open a notarized app in Mojave, Gatekeeper’s dialog is different, as shown in the upper dialog here.