Guides··6 min read

Is boring.notch Safe? The Gatekeeper Warning Explained

Short answer: yes. boring.notch is safe to install when you download it from the official GitHub releases page run by TheBoredTeam. The alarming macOS message about an unidentified developer is Gatekeeper reacting to how the app is signed, not evidence of malware. The code is open source, so anyone can read exactly what it ships.

By Deepak Yadav, building NotchBay

The short version

  • boring.notch is safe when installed from the official TheBoredTeam GitHub; the warning reflects missing notarization, not malware.
  • Unsigned and ad-hoc signed apps all trigger the same unidentified developer dialog; it is an identity check, not a scan result.
  • The real risk is repackaged copies on third-party mirrors; the dialog looks identical for genuine and tampered builds, so the download source is everything.

#Is boring.notch safe to install?

boring.notch is a free, open source app that turns the MacBook notch into a Dynamic Island style control, built in public on GitHub by a volunteer group called TheBoredTeam. When people search is boring notch safe, what they have usually just seen is a macOS dialog refusing to open the app because the developer cannot be verified. That dialog reads like a virus alert. It is not one.

A bias label before anything else: I build NotchBay, a competing notch app, so I have an obvious commercial reason to scare you away from a free alternative. I am not going to, because the honest answer is that boring.notch, installed from its official repository, is fine. The warning has a mundane technical explanation that applies to plenty of legitimate open source Mac software.

#Why does macOS flag boring.notch as unidentified?

Every app downloaded outside the App Store gets checked by Gatekeeper on first launch. Gatekeeper looks for two things: a Developer ID signature, which is a certificate Apple issues to developers who hold a paid account at 99 dollars a year, and a notarization ticket, which is proof that Apple's automated service scanned that exact build for known malware. An app with both opens after a mild confirmation. An app with neither gets the scary version: the developer cannot be verified, or Apple could not confirm the app is free of malware.

A third state matters here: ad-hoc signing. Apple silicon Macs require every binary to carry some signature just to execute, so build tools like Xcode stamp apps with an ad-hoc signature, essentially a checksum with no identity attached. It satisfies the hardware and tells Gatekeeper nothing about who made the app. To Gatekeeper, ad-hoc signed and unsigned look the same: unverifiable.

I watch this exact dialog appear on my own work. During NotchBay development I run ad-hoc signed builds constantly, and Gatekeeper treats the app I wrote, on the machine I wrote it on, as a stranger. The dialog measures paperwork, not intent.

The unidentified developer warning fires for every app without a notarized Developer ID signature, malicious or not. It is an identity check that failed, not a malware scan that found something.

#What do macOS signing tiers actually mean?

It helps to see the three tiers side by side, because the Gatekeeper dialog collapses them into one binary impression of safe versus scary:

Signing stateWhat Gatekeeper doesWhat it actually tells you
Unsigned or ad-hoc signedBlocks first launch with the unidentified developer warningIdentity unverified. Says nothing about safety either way
Developer ID, not notarizedStill warns or blocks on current macOSApple can verify who built it; that specific build was not scanned
Developer ID plus notarizationOpens after a standard first-run confirmationIdentity verified and the build passed Apple's automated malware scan

Notarization requires a paid Apple developer account, which is why volunteer open source projects often ship without it.

Notarization is a genuine signal when present. Its absence, though, most often means nobody paid Apple 99 dollars a year for the project. That is normal for community-run open source software, and it is the whole story behind the boring notch gatekeeper warning people search for.

#Is boring.notch a virus?

No evidence I am aware of points that way, and the way the project operates argues against it. The source code is public on GitHub. Anyone can read it, the commit history is visible with names attached, issues get debated in the open, and if you trust nothing at all you can clone the repository and build the app yourself in Xcode. A malicious change would have to sit in public view, under version control, for anyone to spot.

I will not pretend I have audited every line, and nobody selling a competing product should claim that. But open source shifts the trust question in a way a closed app cannot: you do not have to take anyone's word for what the app does, mine included. Credit where due, TheBoredTeam pioneered the free and open notch app, and that transparency is a real advantage. If your actual question is how the two apps compare, I wrote that up in NotchBay vs boring.notch.

#How do you install boring.notch safely?

The one genuinely risky path is third-party download portals and mirrors. Sites that rehost Mac apps sometimes wrap them in their own installers or bundle extra software, and here is the trap: a tampered copy and the authentic copy produce the same Gatekeeper warning, because neither carries notarization. The dialog cannot tell you whether a build is genuine. Only the download source can. So:

  1. Go to the official repository. The project lives at github.com/TheBoredTeam/boring.notch. Check the organization name; TheBoredTeam is the real one.
  2. Download from the Releases section of that repo, not from a download portal, a mirror, or a link in a random video description.
  3. Open it past Gatekeeper. On recent macOS versions, including Tahoe, the old right-click trick no longer bypasses the check. Double-click the app and let macOS block it, then open System Settings, go to Privacy and Security, scroll to the message about the blocked app, and click Open Anyway. You will confirm once more and authenticate.
  4. Review its permission prompts on their own merits. Notch apps ask for system permissions to do their jobs; grant what the features you actually use require.

Open Anyway means personally overriding a system check, which is why it should only follow a download you trust. From the official repo, that is reasonable. From a mirror, it is not.

#Where does NotchBay stand on signing?

Fair to turn the question on the person writing this. NotchBay is signed with my Developer ID certificate, so macOS can verify who built it and that the build has not been modified since I signed it. I am claiming exactly that and no more; you may still see a first-run confirmation depending on your macOS version, and the accurate move is to let your own Mac show you rather than have me promise a dialog I do not control.

The symmetry is worth noticing. boring.notch answers the trust question with open code you can read. NotchBay answers it with an identity certificate Apple can check. Those are different kinds of verifiability, both legitimate, and neither is a malware verdict on the other. If you are still deciding what belongs in your notch, the wider field is compared in the best Mac notch apps, and the setup walkthrough is in how to get a Dynamic Island on your Mac.

#Frequently asked questions

Is boring.notch safe to install on a Mac?

Yes, provided you download it from the official TheBoredTeam repository on GitHub. The unidentified developer warning macOS shows is Gatekeeper reacting to the absence of a notarized Developer ID signature, not a malware finding. The project's code is open source, so anyone can inspect what the app does.

Why does macOS say boring.notch is from an unidentified developer?

Gatekeeper looks for a Developer ID certificate and an Apple notarization ticket, which require a paid developer account. Builds distributed without them, including ad-hoc signed open source builds, all trigger the same warning. It is an identity check that failed, not a scan that found something.

Is boring.notch a virus?

There is no evidence of that. The app is developed in public on GitHub, where the full source code, commit history, and releases are visible, and anyone can build it from source. The realistic risk is downloading a repackaged copy from a third-party mirror, which is why you should only use the official releases page.

How do I open boring.notch past the Gatekeeper warning?

On recent macOS versions, double-click the app and let macOS block it, then open System Settings, go to Privacy and Security, scroll to the message about the blocked app, and click Open Anyway. You will confirm once more and authenticate. Only do this for apps whose download source you trust.

Written by the builder of NotchBay, a paid competitor to boring.notch, which is why the bias label sits at the top. Found an error? Tell me and I’ll fix it, accuracy beats winning.
Deepak YadavCrafting beautiful digital consumer products.

Product designer and indie hacker. Founder of Ossian Design Lab. Builds and ships business and consumer digital products in public.

Follow on X

Read next.

Look up.
It's all right there.