Start with where it came from

Prefer the developer’s official site or the Mac App Store. Be cautious with sponsored search results, mirrors and archives that repackage old software.

A familiar filename is not proof of origin. Check the exact domain and whether the publisher documents the current version.

Let macOS make its checks

Gatekeeper verifies downloaded software when you first open it. Do not remove quarantine metadata or bypass the warning just to make an installer run.

A Developer ID signature helps identify the signer and detect changes to signed content. Notarisation means Apple checked a submitted build for known malicious content; it is a valuable signal, not a lifetime guarantee.

Do not treat “unsigned” as a malware verdict. Legitimate scripts and niche command-line tools may be unsigned, but they deserve more context before execution.

Check for disguise and extra components

Confirm that the real file type matches its extension. Double extensions, a script presented as a document and executable content buried in an archive all deserve review.

Installers can add login items, privileged helpers, browser bridges or extensions. The main app window may not show everything that will run later.

When in doubt, stop

Do not upload a confidential file to a public scanning service without understanding its sharing policy. A hash-only reputation check can reduce exposure, but an unknown hash proves neither safety nor danger.

If the app cannot be tied to a trustworthy source and its requested authority is difficult to justify, do not run it on your primary account.

Primary sources