
Do I need to notarize both the app and dmg image?

Tags: macos, notarize

I have an app that is signed, notarized and stapled, then archived into a zip file which is used as the object for my Sparkle updater.

I also distribute it on a DMG image for new users (which is the main download from my website). Can I just put the notarized/stapled app on a DMG, or do I need to go through a separate notarization and staple process for the DMG file?

Trygve asked Aug 06 '19 00:08


1 Answer

You only have to notarize the app once:

  1. Create a DMG file with the signed app.
  2. Sign, notarize and staple the DMG file.
  3. Open the DMG file and copy the app outside. Staple it and create an archive for Sparkle [1].

To confirm that the app is notarized run this command:

spctl -a -t exec -vv MyApp.app

And you'll see something like:

MyApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Name (ID)

(Notice how the source is "Notarized Developer ID")

You can also confirm that the ticket is stapled by running this command:

xcrun stapler validate MyApp.app

And you'll see this message:

Processing: /path/to/MyApp.app
The validate action worked!

Notarizing the DMG file is enough because the notarization service notarizes any app inside the disk image. From Apple documentation:

Alternatively, you can put apps, kernel extensions, and other software in a container, like a disk image, and notarize the container. The notary service accepts disk images (UDIF format), signed flat installer packages, and ZIP archives. It processes nested containers as well, like packages inside a disk image.


[1] You can use the DMG file for Sparkle too. No need for a second archive. From Sparkle documentation:

Sparkle supports updating from DMG, ZIP archives, tarballs, and installer packages, so you can generally reuse the same archive for distribution of your app on your website as well as Sparkle updates.

Hejazi answered Oct 26 '22 11:10
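
An added example, not part of the answer above: a release gate that runs the answer's two checks on both the DMG and the app, and fails unless spctl reports "source=Notarized Developer ID" and a ticket is stapled. The function names are hypothetical, the sample output is constructed, and the "-t open --context context:primary-signature" assessment for disk images is an assumption taken from common spctl usage, not from the page.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample output is constructed.

# Classify the text printed by `spctl -a -vv` (passed as $1).
# Prints one of: notarized | not-notarized | rejected
spctl_verdict() {
    if ! printf '%s\n' "$1" | grep -q ': accepted$'; then
        echo rejected
    elif printf '%s\n' "$1" | grep -q '^source=Notarized Developer ID$'; then
        echo notarized
    else
        echo not-notarized   # accepted, but not from a notarized source
    fi
}

# Assess one artifact with Gatekeeper, then validate its stapled ticket (macOS only).
check_artifact() {
    path=$1
    case "$path" in
        *.app) out=$(spctl -a -t exec -vv "$path" 2>&1) || true ;;
        *.dmg) out=$(spctl -a -t open --context context:primary-signature -vv "$path" 2>&1) || true ;;
        *) echo "unsupported artifact: $path" >&2; return 2 ;;
    esac
    verdict=$(spctl_verdict "$out")
    if [ "$verdict" != notarized ]; then
        echo "FAIL $path: $verdict" >&2
        return 1
    fi
    if ! xcrun stapler validate "$path" >/dev/null 2>&1; then
        echo "FAIL $path: no valid stapled ticket" >&2
        return 1
    fi
    echo "OK $path"
}

# Constructed sample matching the output quoted in the answer; used when no path is given.
SAMPLE='MyApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Name (ID)'

if [ "$#" -eq 0 ]; then
    echo "sample verdict: $(spctl_verdict "$SAMPLE")"
fi
# Usage: sh gate.sh MyApp.dmg MyApp.app
for artifact in "$@"; do
    check_artifact "$artifact" || exit 1
done
```

Run it in the release pipeline after stapling, so a signed but un-notarized build cannot be published as the website download or the Sparkle archive.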