FAQ

Common questions about KestrelSign, code signing, and notarization.

General

What is code signing?

Code signing is the process of applying a digital signature to your application using a certificate issued by a trusted authority. It verifies that the software comes from you and has not been tampered with since it was signed. Both macOS (Gatekeeper) and Windows (SmartScreen) use code signatures to protect users.

Do I need to sign my application?

If you distribute desktop software, yes. On macOS, unsigned applications are blocked by Gatekeeper and users cannot open them without manually overriding security settings. On Windows, unsigned applications trigger SmartScreen warnings that discourage users from running them. Signing and notarizing your app ensures a smooth experience for your users.

Does KestrelSign work on both macOS and Windows?

Yes. KestrelSign runs on both platforms. macOS signing features (codesign, notarization, stapling) are only available when running on macOS, and Windows signing features (signtool, Authenticode) are only available when running on Windows. Project management, verification, and reporting work on both platforms.

What frameworks does KestrelSign support?

KestrelSign works with applications built using Electron, Qt/C++, Python (fbs, PyInstaller), .NET, WPF, Flutter, Tauri, React Native, Unity, Java/Swing, Node.js, Rust, Swift, Go, and NSIS-based installers. It also handles custom or unrecognized bundle structures with a general-purpose signing strategy.

Certificates

Does KestrelSign provide certificates?

No. KestrelSign is a signing tool, not a certificate authority. You bring your own certificates -- Apple Developer ID for macOS and a code signing certificate from a CA (DigiCert, Sectigo, etc.) for Windows.

Can I use a self-signed certificate?

Technically yes, but it will not provide the trust benefits of a certificate from a recognized authority. Gatekeeper and SmartScreen will still warn users. Self-signed certificates are mainly useful for internal testing.

What is the difference between OV and EV certificates?

OV (Organization Validation) certificates are standard code signing certificates. They work for signing but new applications need to build SmartScreen reputation over time. EV (Extended Validation) certificates provide immediate SmartScreen trust but are stored on a hardware token and cost more. See the Windows signing page for details.

Notarization

Is notarization required?

For macOS, effectively yes. Since macOS 10.15 (Catalina), Apple requires all software distributed outside the Mac App Store to be notarized. Without notarization, Gatekeeper blocks the application. Windows does not have an equivalent requirement.

How long does notarization take?

Usually 2 to 15 minutes, depending on the size of your application and Apple's current queue. Occasionally it can take longer during peak times. KestrelSign tracks the progress in real-time.

What if notarization fails?

KestrelSign retrieves the detailed notarization log from Apple, which identifies the specific issues. Common causes include unsigned binaries, missing hardened runtime, or invalid entitlements. See the notarization page for troubleshooting.

Licensing

Is there a subscription?

No. KestrelSign is a one-time purchase. You pay once and use it forever. Your purchase includes one year of free updates. After that, you can continue using your version or purchase an update extension.

How many machines can I use it on?

Each license allows activation on up to three machines. This covers typical developer setups like a Windows desktop and a Mac laptop.

What happens when my trial ends?

After 14 days or when you reach the trial signing limit, you will need to purchase a license to continue signing. You can still open the application, view past reports, and manage projects -- only new signing operations require an active license.

Support

How do I get help?

Email us at service@robottworks.com. Standard license holders receive email support. Pro license holders receive priority support with faster response times.

Where do I report bugs?

Email service@robottworks.com with a description of the issue and the relevant log files. You can find log files in the locations described on the reports and logs page.