Gatekeeper is the part of macOS that decides whether an app is allowed to launch. When a user opens an app for the first time, Gatekeeper verifies that it is signed with a valid Developer ID certificate, that Apple has notarized it, and that nothing has modified it since signing. Pass, and the app opens with at most a one-time confirmation. Fail, and the user sees a warning that the app is damaged, from an unidentified developer, or cannot be checked for malware.
When the check runs
Gatekeeper's full check is triggered by the quarantine flag. When a browser, AirDrop, or Messages saves a file, macOS tags it with the com.apple.quarantine extended attribute. The first launch of a quarantined app triggers the full assessment: signature, notarization ticket, and a malware scan. Apps installed through the Mac App Store are vetted by the store itself, so this is mostly a concern for apps you distribute directly.
What each failure looks like
- "App is damaged and can't be opened"
- The signature does not verify. Usually the app was modified after signing (a build script touched the bundle post-codesign), the signature is broken, or in older cases the zip round-trip stripped it.
- "Cannot be opened because the developer cannot be verified"
- Signed, but not notarized, or signed ad hoc or with a non-Developer ID certificate. Apple has no notarization ticket for it.
- "From an unidentified developer"
- No valid Developer ID signature at all.
Checking a build before shipping it
# Full Gatekeeper assessment (what a user's Mac will do) spctl --assess --type execute -vv MyApp.app # Verify the signature and its chain codesign --verify --deep --strict -vv MyApp.app # See or remove the quarantine flag while testing xattr -p com.apple.quarantine MyApp.app xattr -dr com.apple.quarantine MyApp.app
The reliable pre-flight test is to zip the final build, download it over a real browser on a clean machine (so it gets quarantined), and launch it. That exercises the exact path a user hits.
Bypassing it is getting harder
For years the workaround for a blocked app was Control-click then Open. macOS Sequoia removed that shortcut: users now have to visit System Settings, then Privacy and Security, and approve the app there. In practice that means distributing an un-notarized macOS app to the public is no longer viable, and notarization is effectively mandatory for anything shipped outside the App Store.