How to Install Mac Apps Outside the App Store Safely in 2026
Most of the best Mac apps don't live in the App Store. Sandboxing rules push developers to distribute directly: every major terminal, almost every video editor, most developer tools, popular utilities like Raycast and CleanShot X, and the entire Homebrew ecosystem. Installing from outside the store is normal, supported, and safe when you follow a few rules. It is also where the highest-risk downloads on a Mac live, so the rules matter.
This guide walks through Apple's notarization system, the difference between DMG and PKG installers, the correct way to handle Gatekeeper warnings, when to use Homebrew, and the red flags that should make you close the page before clicking download.
Why install outside the App Store at all
The Mac App Store is the safest distribution channel: every app is reviewed, signed, and sandboxed. But sandboxing forbids many useful capabilities — system-wide hotkeys, deep clipboard access, controlling other apps, disk monitoring, network proxying. Apps that need those features ship outside the store. Examples include BetterDisplay, Karabiner-Elements, Hammerspoon, almost every terminal emulator, Docker Desktop, and many menu-bar utilities. Direct distribution is also where smaller developers avoid Apple's 15–30% cut, which keeps prices lower and one-time purchases viable.
None of that means the App Store is bad. Where a category is well covered on both sides (calendar apps, weather apps, photo viewers, simple games), the store is usually the right pick. The decision is made per app, not as "store vs. outside the store."
How macOS protects you from outside installs
Even outside the store, modern macOS layers several protections around any download:
Gatekeeper — checks every downloaded executable against Apple's notarization database before allowing it to run. Unsigned apps and apps from unidentified developers are blocked by default.
Notarization — a process where developers submit their app to Apple. Apple's automated systems scan it for malware and verify the code signature before issuing a "notarization ticket" that macOS recognises. Notarized apps run cleanly; non-notarized apps trigger Gatekeeper warnings.
XProtect — built-in signature-based malware scanner that runs in the background.
System Integrity Protection (SIP) — prevents apps, even with admin rights, from modifying system files.
TCC (Transparency, Consent, and Control) — the permission prompts you get for camera, microphone, screen recording, Documents folder, Downloads folder, and so on. Apps cannot quietly access these without user consent.
The right baseline assumption is that any properly notarized app from a developer's official website is fundamentally safe to install — it ran through Apple's automated checks. The risk goes up sharply for non-notarized apps, apps from anonymous sources, and anything you got from a "cracked software" site.
DMG vs PKG: what you're actually installing
DMG (Disk Image)
A DMG is a virtual disk that mounts when you double-click it. Inside is typically the app icon and a shortcut to your Applications folder. The install is a drag-and-drop: copy the .app bundle to /Applications. Eject the disk image when done. Most modern Mac apps ship as DMGs because the install is fast, reversible, and obvious — you can see exactly what's being added.
PKG (Installer Package)
A PKG runs Apple's Installer app and can do more than copy an app: it can install background helpers, launch agents, system extensions, kernel extensions (rare in 2026), and command-line tools. PKGs are required for apps that integrate deeply with macOS (Docker Desktop, Microsoft Office, hardware drivers), but the trade-off is that you can't see what's being installed without inspecting the package.
To inspect a PKG before running it: right-click → Show Package Contents, or use the free Suspicious Package app to see every file it will write. This is the cleanest way to verify what a PKG does, especially for installers from less-well-known developers.
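The same inspection from Terminal, as an added example (not from the guide and not from Suspicious Package). It assumes a package path as its only argument; the listing of signer, payload paths and install scripts is what the app above shows in its GUI. "Show Package Contents" only works for the older bundle-style packages (a directory); modern flat packages are a single archive and need pkgutil --expand.

```shell
#!/bin/sh
# Inspect a .pkg before running it. pkg_kind is a pure filesystem check and runs anywhere;
# inspect_pkg drives Apple's pkgutil and therefore needs macOS.

# pkg_kind PATH -> prints "bundle", "flat" or "missing" (exit 1 for missing)
pkg_kind() {
    if [ -d "$1/Contents" ]; then echo bundle
    elif [ -f "$1" ]; then echo flat
    else echo missing; return 1
    fi
}

# inspect_pkg PATH: shows who signed the package, every path the payload will write,
# and any pre/postinstall scripts. The scripts run with the privileges the installer
# asks for (usually your admin password), so they deserve the closest read.
inspect_pkg() {
    kind=$(pkg_kind "$1") || { echo "no such package: $1"; return 1; }
    command -v pkgutil >/dev/null 2>&1 || { echo "pkgutil not found (not macOS?)"; return 2; }
    echo "== signature"
    pkgutil --check-signature "$1" || echo "UNSIGNED or invalid signature"
    if [ "$kind" = bundle ]; then
        echo "== bundle-style package: browse $1/Contents (Show Package Contents works here)"
        return 0
    fi
    work=$(mktemp -d)
    pkgutil --expand "$1" "$work/expanded"     # unpack the flat archive for reading
    echo "== payload files"
    pkgutil --payload-files "$1"
    echo "== install scripts"
    find "$work/expanded" -path '*/Scripts/*' -type f -exec sh -c 'echo "--- $1"; cat "$1"' _ {} \;
    rm -rf "$work"
}

if [ "$#" -eq 1 ]; then
    inspect_pkg "$1"
fi
```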
Other formats
App bundles (.app) can also ship as bare ZIPs — unpack and drag to /Applications. Some open-source tools ship as tarballs that need to be unpacked from Terminal. Homebrew installs everything from the command line.
Step-by-step: installing a typical app safely
Download from the official source. Visit the developer's website directly, not a download mirror with extra "fast download" buttons. Many phishing pages mimic real ones with one-letter typos.
Check the URL in your browser's address bar. HTTPS, correct spelling, and a domain that matches the developer's main brand.
Open the DMG. Drag the .app into Applications. Eject the DMG. Drag the DMG file itself to Trash.
Launch the app. If macOS shows "App can't be opened because Apple cannot check it for malicious software," that means the app isn't notarized — close the dialog and consider whether you trust the developer enough to override Gatekeeper.
To override Gatekeeper deliberately: open System Settings → Privacy & Security, scroll to the Security section, and click "Open Anyway" for the most recently blocked app. macOS will ask one more time before launching it.
Watch the permission prompts. The first launch typically asks for permissions (Files, Notifications, Accessibility, Screen Recording). Grant only what makes sense for the app's function. A simple text editor shouldn't need Screen Recording or Accessibility.
Homebrew — the developer-friendly route
Homebrew is the de facto Mac package manager. It manages command-line tools out of the box and GUI apps via "Casks". Install from brew.sh. After that:
brew install <tool> — install a CLI tool.
brew install --cask <app> — install a GUI app from its official source via Homebrew.
brew upgrade — update everything.
brew uninstall <name> — remove cleanly.
Homebrew downloads apps from the same official URLs you'd visit in a browser, then performs the install steps for you. The advantage is repeatability and one-line updates. Casks also handle apps that don't auto-update themselves — install once with Homebrew, and brew upgrade keeps them current.
The trade-off is that Homebrew is curated by volunteers. Apps in the official Homebrew tap are reviewed before being added; third-party taps (less common) are not. Stick to the main tap unless you know what you're adding.
Common install types compared
| Source | Trust level | Update path | Notes |
| --- | --- | --- | --- |
| Mac App Store | Highest | Automatic via Store | Sandboxed; reviewed by Apple |
| Notarized DMG/PKG from developer site | High | Built-in updater or Sparkle | Standard for major Mac apps |
| Homebrew Cask | High (curated) | brew upgrade | Pulls from official sources |
| Non-notarized but signed | Medium | Manual | Smaller dev or older app |
| Unsigned open-source build | Case by case | Manual / git pull | Inspect source if possible |
| "Cracked" or pirated | Avoid | None | High malware risk in 2026 |
Red flags to avoid
Multiple "Download" buttons that lead to different things. Reputable sites have one obvious download.
An installer that wants you to disable Gatekeeper system-wide. No legitimate app needs this in 2026.
An installer that wants to install a "Search Helper", "Smart Browser", or browser extension you didn't ask for. Bundled adware. Quit the installer.
A page that asks for an admin password before showing what's downloading. Likely a scareware loop. Force-quit the browser.
Fake "Adobe Flash" or "Codec Required" prompts on video sites. Flash is dead and macOS does not need extra codecs to play modern web video.
Sites that mirror a famous Mac app but with slightly altered branding or extra "Pro" version language. Common phishing vector for stealers.
An app that demands Full Disk Access immediately on first launch with no clear reason. Maybe legitimate (Time Machine-style tools), maybe not — verify the use case.
Verifying a download before opening it
For high-stakes apps — anything that asks for admin rights, anything that handles sensitive data — verify the download:
If the developer publishes a SHA-256 checksum, run shasum -a 256 path/to/file.dmg in Terminal and compare.
Verify the code signature with codesign -dvv /Applications/AppName.app. Look for "Authority=" lines naming the developer's Developer ID certificate and a "TeamIdentifier=" line with their Apple Team ID. codesign reports who signed the app, not whether it was notarized; that is the next check.
Check notarization with spctl --assess --type execute --verbose /Applications/AppName.app. A notarized app reports accepted with source=Notarized Developer ID; an unsigned or stripped one reports rejected.
Scan with VirusTotal (web upload) if you want a second opinion before launching. Useful for unfamiliar developers.
Uninstalling cleanly
Dragging an .app to Trash leaves preferences, caches, helpers, and sometimes launch agents behind. For a clean uninstall:
Use AppCleaner (free) — drop the app onto its window and review the list of associated files it suggests deleting.
For Homebrew-managed apps: brew uninstall --cask <name> handles the main bundle. Check ~/Library/Application Support/<name> and ~/Library/Preferences/<bundle-id>.plist for leftovers.
For PKG-installed apps with their own uninstaller (Adobe, Microsoft), use it — those installs touch enough places that manual cleanup is impractical.
Check Login Items and Background Items after uninstalling — sometimes the helpers persist even after the parent app is gone.
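The leftover locations listed above, collected into a script that only reports what it finds and deletes nothing. Added example, not from AppCleaner or Homebrew; the app's display name and bundle identifier (here Editor and com.example.editor) are assumed inputs, and paths are built from $HOME so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# find_leftovers "App Name" com.example.app -> prints each per-user leftover that exists.

find_leftovers() {
    name=$1
    bundle_id=$2
    lib="${HOME}/Library"
    # Conventional per-user locations, keyed by bundle id or app name, one per line.
    candidates="$lib/Preferences/$bundle_id.plist
$lib/Application Support/$name
$lib/Caches/$bundle_id
$lib/Logs/$name
$lib/HTTPStorages/$bundle_id
$lib/WebKit/$bundle_id
$lib/Containers/$bundle_id
$lib/Saved Application State/$bundle_id.savedState
$lib/Cookies/$bundle_id.binarycookies"
    printf '%s\n' "$candidates" | while IFS= read -r path; do
        if [ -e "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
    # Helper launch agents usually carry a label like com.example.app.helper, so match
    # by content rather than exact filename; these keep running after the app is gone.
    grep -lF "$bundle_id" "$lib"/LaunchAgents/*.plist 2>/dev/null || true
    # On macOS, also report anything still loaded in launchd for this user.
    if command -v launchctl >/dev/null 2>&1; then
        launchctl list 2>/dev/null | grep -F "$bundle_id" || true
    fi
    return 0
}

if [ "$#" -eq 2 ]; then
    find_leftovers "$1" "$2"
fi
```

Review the list, then remove entries by hand; anything under LaunchAgents should be unloaded before it is deleted.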
Conclusion
Installing apps outside the Mac App Store is not riskier than the store as long as you stick to notarized apps from official sources, prefer DMGs over PKGs when both exist, use Homebrew Casks for everything it covers, and refuse to override Gatekeeper for apps you don't fully trust. The danger zone is cracked software, mirror sites, and bundled-installer downloads — every one of those has a higher chance of carrying a stealer or adware than anything from a legitimate developer's website. Stay in the safe zone and outside-store installs are no more dangerous than App Store ones.