In macOS Sequoia, Apple has added another stumbling block to launching software that has not gone through Apple’s baseline vetting process for apps. Generally, this can be a good thing, preventing naive users from accidentally installing malware or privacy-invading software. However, for users who rely on software created by people who don’t work within the lines painted by Apple and its App Store, here’s what you need to know.
The Gatekeeper feature in macOS is something you never see called by that name. It’s designed to ensure that only certain apps can run on your Mac, even though macOS can execute any correctly constructed software for the platform. The only visible control is in System Settings > Privacy & Security > Security, where you can choose one of two options from the “Allow applications from” menu: App Store, or App Store & Known Developers.
There’s a third category that Apple eliminated from this list in macOS years ago. (The menu used to appear as radio buttons in a different System Preferences pane.) Those are apps where the programmer chose not to pay the annual fee for an Apple Developer account, or they have such an account but didn’t run the app through a vetting system Apple uses that’s a big step below the App Store’s review process.
When a developer submits an app to an App Store, Apple uses a combination of automatic and human review to ensure that the app doesn’t contain malware or software code from third parties that it doesn’t allow and that it more or less does what it says it does without being misleading. That process is full of human error and inconsistencies, but it has mostly led to safe apps in the App Store, even if some are scammy in their pricing intent or misleading about how useful they are.
Mac developers can choose, instead, to have Apple notarize and sign an app. Notarization is the company’s process for checking for malware and for software libraries (bundles of code shared among apps) that could be swapped out for other components. If the app passes those automated tests, Apple uses a cryptographic process to sign it, which ensures the app can’t launch if it’s been modified since passing those tests. (Notarization was an optional step at one point, made mandatory in 2020; all apps signed since then have also been notarized.)
Some developers prefer not to engage in that step. They don’t want to pay the annual developer fee, use components that Apple doesn’t notarize for macOS, or don’t want Apple to have a say-so on whether their software can run. Those unsigned apps can still run on your Mac. I’ve found fewer over the years, but they still exist and generally come from specialized academic and research fields.
Foundry
In System Settings, you can choose to open an unsigned app despite Apple’s warning.
Foundry
Here’s what to do to launch such an app in Sequoia:
- Double-click the app.
- You’re warned that the app may contain malware or compromise your privacy. The only options are Done and Move To Trash. Click Done.
- Open System Settings > Privacy & Security.
- At the bottom of the settings list, you should see a message like “‘App name’ was blocked to protect your Mac.” If you want to open it, click Open Anyway.
I urge you to continue to exercise a high level of vigilance around unsigned apps as you entirely rely on the developer to protect your security and privacy. However, few apps like that have enough reach that any malware practitioner would have an interest in exploiting a weakness.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to [email protected], including screen captures as appropriate and whether you want your full name used. Not every question will be answered; we don’t reply to emails, and we cannot provide direct troubleshooting advice.