Is it necessary to verify the GPG signature of an app installed from the web on macOS?

Or does something like notarization take care of that?

You’re basically trusting Apple that it’s the right dev.

Wouldn’t that be the case if I’m installing from the App Store as well? If it’s the same then I have no problem trusting Apple with this.

Yes

1 Like

You’re also trusting Apple with the OS as a whole so I’m not convinced impersonating developer certs should be your largest concern if you don’t trust Apple whatsoever.

1 Like

My thoughts too.

Well, Apple doesn’t verify every app signature, so there could be a time period between an Apple developer certificate being compromised and Apple revoking it.

I’m not sure what the likelihood that a developer leaks their Apple certificate but not their GPG key is though, probably pretty small… depends on their build workflow I suppose.

4 Likes
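One way to act on the last two posts, as an added example that is not from anyone in this thread: a POSIX shell script that passes a download only if Apple's side (Gatekeeper's notarization verdict from `spctl` plus `codesign --verify`) AND the developer's detached GPG signature both check out, with the GPG side tied to a fingerprint you pinned out of band rather than to whatever key happens to be in your keyring. The second check is the one that still holds during the window between a Developer ID certificate being abused and Apple revoking it. The app path, archive, fingerprint and the sample `spctl`/`gpg` outputs used for the self-check are constructed placeholders, and the real `verify_download` function only runs on macOS with the tools and the developer's key already present.

```shell
#!/bin/sh
# Added example (not from the thread): require BOTH Apple's verdict (Gatekeeper /
# notarization via spctl, plus codesign) AND the developer's own detached GPG
# signature, checked against a fingerprint pinned out of band.
# All paths, fingerprints and sample outputs below are constructed placeholders.

# Parse `spctl --assess` output: pass only on an explicit "accepted" verdict.
gatekeeper_accepted() {
    case "$1" in
        *": accepted"*) return 0 ;;
        *)              return 1 ;;   # "rejected", empty, or anything unexpected
    esac
}

# Parse `gpg --status-fd 1 --verify` output. Pass only if a VALIDSIG line's
# primary-key fingerprint (its last field) equals the pinned one, and the key is
# not reported expired or revoked. Missing or unknown status lines fail closed.
gpg_pinned_sig_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want            { found = 1 }
        $1 == "[GNUPG:]" && ($2 == "REVKEYSIG" || $2 == "EXPKEYSIG")  { bad = 1 }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Real check (macOS only): needs spctl, codesign, gpg and the developer's key
# already imported. Arguments: app bundle, downloaded archive, detached .sig,
# pinned primary-key fingerprint.
verify_download() {
    app=$1; archive=$2; sig=$3; pinned=$4
    verdict=$(spctl --assess --type execute -vv "$app" 2>&1) || true
    gatekeeper_accepted "$verdict" || { echo "Gatekeeper: $verdict" >&2; return 1; }
    codesign --verify --deep --strict "$app" || { echo "codesign: signature invalid" >&2; return 1; }
    status=$(gpg --status-fd 1 --verify "$sig" "$archive" 2>/dev/null) || true
    gpg_pinned_sig_ok "$status" "$pinned" || { echo "GPG: no valid signature from $pinned" >&2; return 1; }
    echo "OK: $app accepted by Gatekeeper and signed by the pinned key"
}

# Constructed sample tool outputs, used only to exercise the decision logic.
PINNED=0123456789ABCDEF0123456789ABCDEF01234567
SPCTL_OK='/Applications/Example.app: accepted
source=Notarized Developer ID'
SPCTL_BAD='/Applications/Example.app: rejected
source=no usable signature'
GPG_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Developer <dev@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
GPG_REVOKED="$GPG_OK
[GNUPG:] REVKEYSIG 89ABCDEF01234567 Example Developer <dev@example.invalid>"

# Returns 0 when every decision on the constructed samples is the expected one.
self_check() {
    gatekeeper_accepted "$SPCTL_OK"            || return 1   # accepted -> pass
    gatekeeper_accepted "$SPCTL_BAD"           && return 1   # rejected -> fail
    gpg_pinned_sig_ok "$GPG_OK" "$PINNED"      || return 1   # good sig, pinned key -> pass
    gpg_pinned_sig_ok "$GPG_OK" "FFFF"         && return 1   # good sig, wrong key -> fail
    gpg_pinned_sig_ok "$GPG_REVOKED" "$PINNED" && return 1   # revoked key -> fail
    gpg_pinned_sig_ok "" "$PINNED"             && return 1   # no status at all -> fail
    return 0
}

if [ "$#" -eq 4 ]; then
    verify_download "$@"
else
    self_check && echo "self-check passed"
fi
```

Run it with no arguments to exercise the decision logic on the embedded samples, or with `verify.sh /Applications/Example.app Example.dmg Example.dmg.sig <fingerprint>` on a Mac. The fingerprint comparison uses the last VALIDSIG field, which is the primary key's fingerprint even when the release was signed with a subkey, so pinning one value survives subkey rotation.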