Malware warnings on properly notarized apps

Question

Created 3d

Replies 6

Boosts 0

Participants 4

Hello,

I've been developing a mac app built with Electron Builder. In August, I was successfully notarizing my app and able to send it to testers without them receiving a malware warning. I took a two month break. When I came back in October, I am not able to distribute my app without the malware warning.

I can't for the life of me figure out what I could be missing, unless my developer account was flagged by Apple for some reason. All the diagnostics I run on my app package show that it is properly signed, notarized, and stapled.

Here are some diagnostics I have run on the app:

Command: codesign -dv --verbose=4 "/Volumes/Form Desktop 1/Form.app"

Output:
Executable=/Volumes/Form Desktop 1/Form.app/Contents/MacOS/Form
Identifier=co.Form.desktop
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=763 flags=0x10000(runtime) hashes=13+7 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=917504
Hash type=sha256 size=32
CandidateCDHash sha256=cedcaef933c003c01b4d9ef6925a413fe6b4a585
CandidateCDHashFull sha256=cedcaef933c003c01b4d9ef6925a413fe6b4a585bf61e19751e8158775600b00
Hash choices=sha256
CMSDigest=cedcaef933c003c01b4d9ef6925a413fe6b4a585bf61e19751e8158775600b00
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=16384
Executable Segment flags=0x1
Page size=4096
CDHash=cedcaef933c003c01b4d9ef6925a413fe6b4a585
Signature size=8973
Authority=Developer ID Application: Jacob LEELAND (92D98F49FU)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Nov 14, 2025 at 8:25:09 PM
Notarization Ticket=stapled
Info.plist entries=30
TeamIdentifier=92D98F49FU
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=35090
Internal requirements count=1 size=176

RESULT: ✅ SIGNED WITH DEVELOPER ID
        ✅ NOTARIZATION TICKET STAPLED
        ✅ HARDENED RUNTIME ENABLED

----------------------------------------------------------------

Command: spctl --assess --verbose=4 --type execute "/Volumes/Form Desktop 1/Form.app"

Output:
/Volumes/Form Desktop 1/Form.app: accepted
source=Notarized Developer ID

RESULT: ✅ GATEKEEPER ACCEPTS APPLICATION

----------------------------------------------------------------

Command: xattr -l "/Volumes/Form Desktop 1/Form.app"

Output:
(No extended attributes)

----------------------------------------------------------------

Command: stapler validate "/Volumes/Form Desktop 1/Form.app"

Output:
Processing: /Volumes/Form Desktop 1/Form.app
The validate action worked!

RESULT: ✅ NOTARIZATION TICKET VALID
[signing-verification-report.txt](https://developer.apple.com/forums/content/attachment/45b41936-6e7a-4f4f-8e80-bc1e3136c84e)

code-block

I have attached a more complete diagnostic text file as well. I have tried notarizing the .dmg in addition to the app bundle, but no combination seems to work as far as I can tell.

I appreciate any help or point in the right direction. I've wasted many days of development time on this, lol.

Answered by DTS Engineer in 866554022

kthchew is right to highlight library validation. That’s by far the most common cause of this issue. See Resolving Gatekeeper Problems Caused by Dangling Load Command Paths for the details.

If that’s not it, see Resolving Trusted Execution Problems for a lot more suggestions on how to dig into issues like this.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

Etresoft OP

3d

What is "the malware warning"?

Are you referring to XProtect blocking the execution of your app?

Or is your app simply failing to launch after notarization? You said you're using Electron, so it sure sounds like some runtime error.

0

Answer 2

jacobApple OP

3d

The Malware warning is a popup reading:

"Form" Not Opened

Apple could not verify "Form" is free of malware that may harm your Mac or compromise your Privacy

One has to go into the "Privacy & security" settings to then allow the app to run and then verify it in a second popup with the user password or biometrics.

The app runs fine. There are no bugs.

0

Answer 3

Etresoft OP

3d

That's what I thought. In certain situations, namely the one you're in, the idea of a "successful" notarization isn't what you think it is.

Once you "successfully" notarized your app, you subject it to an additional layer of runtime checks at launch. If you're using any kind of 3rd party framework or environment to launch/run your app, then it will most likely fail to launch. You'll have to figure out why. Maybe you can just tweak your hardened runtime settings. Maybe you have to start from scratch. I can't tell from here.

1

Answer 4

jacobApple OP

3d

Yes, I'm hoping someone will have an idea. I can provide more diagnostic logs if it would help. As far as I can tell, I've followed all the procedures to sign and notarize the app as specified, and my terminal commands confirm that it is properly done.

0

Answer 5

kthchew OP

3d

Does your app have the com.apple.security.cs.disable-library-validation entitlement? I think the Electron build tools people tend to use put that entitlement on by default (perhaps it probably shouldn't), which sometimes causes Gatekeeper to complain like this.

Removing that entitlement, if you can, might solve the issue.

1

Answer 6

DTS Engineer OP

Apple

2d

Accepted Answer

Recommended

kthchew is right to highlight library validation. That’s by far the most common cause of this issue. See Resolving Gatekeeper Problems Caused by Dangling Load Command Paths for the details.

If that’s not it, see Resolving Trusted Execution Problems for a lot more suggestions on how to dig into issues like this.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1