Code Signing
Starting in macOS Sierra, disk images can be code signed to verify the integrity of their contents. When a disk image is not code signed, macOS’s Gatekeeper will launch applications bundled inside the disk image from a virtual randomized path, which prevents certain attack vectors for maliciously crafted application resources. Applications inside of disk images which have been properly code signed are not subject to this launch path randomization. To learn more about this security issue, see the WWDC 2016 session 706 “What’s New in Security” and Technote 2206.
To code sign your disk image, you’ll need to have a Developer ID certificate from Apple. In the volume options panel of the sidebar in a DMG Canvas document, select the Developer ID Application certificate from the Code Signing popup. DMG Canvas will then code sign and verify the disk image for you, notifying you if there’s an error. That’s all there is to it.
Note that code-signed disk images must also be notarized to open on macOS 10.15 Catalina.
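To confirm from Terminal that a finished disk image is signed with a Developer ID certificate and notarized, the following added example (not part of DMG Canvas or its documentation) wraps Apple's `codesign`, `spctl` and `stapler` tools. The function names are hypothetical, and the `source=` strings matched in `classify_assessment` are an assumption about the text `spctl` prints.

```shell
#!/bin/sh
# Added example: check that a disk image is code signed and notarized.
# check_dmg must run on macOS; classify_assessment is plain text matching.

# Interpret the verbose output of `spctl -a` for a disk image.
# Prints one of: notarized, signed-only, rejected, unknown.
# Assumption: spctl reports the signer on a "source=..." line.
classify_assessment() {
    out=$1
    case $out in
        *"source=Notarized Developer ID"*)   echo notarized ;;
        *"source=Unnotarized Developer ID"*) echo signed-only ;;
        *"source=Developer ID"*)             echo signed-only ;;
        *rejected*)                          echo rejected ;;
        *)                                   echo unknown ;;
    esac
}

# Run the checks against one image. Returns 0 only if Gatekeeper
# reports the image as notarized.
check_dmg() {
    dmg=$1

    # 1. The signature is intact and the image is unmodified since signing.
    codesign --verify --verbose=2 "$dmg" || return 1

    # 2. Show who signed it; expect a "Developer ID Application" authority.
    codesign --display --verbose=2 "$dmg" 2>&1 | grep '^Authority=' || true

    # 3. Ask Gatekeeper how it would treat opening this image.
    verdict=$(spctl -a -t open --context context:primary-signature -vv "$dmg" 2>&1)
    state=$(classify_assessment "$verdict")
    echo "Gatekeeper assessment: $state"

    # 4. A stapled ticket lets the notarization check pass offline.
    xcrun stapler validate "$dmg" || echo "No stapled notarization ticket"

    [ "$state" = notarized ]
}

# Usage: sh check_dmg.sh /path/to/Image.dmg
if [ "$#" -gt 0 ]; then
    check_dmg "$1"
fi
```

A `signed-only` result means the signature is valid but the image has not been notarized, which is the case the note above says will not open on macOS 10.15 Catalina.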