Thanks for the quick reply! Yes the 3 points of the requirements are correct The number of users we are expecting will be more than thousands in total potentially, but for per day we are anticipating hundreds as the starting point The disk image contains app bundle with Contents/MacOS which contains the main app and several other executables; also Contents/Resources/ contains resources files; also Info.plist as well as the codeSignature

I have tried appending xattr to a downloaded dmg, and it still launches successfully. Wondering whether this is one of the feasible solutions, any limitations there? And other suggestions are super welcomed too!

I found something really promising from the tech note: To support the creation of droplet-like apps or similar forms of personalization, it is acceptable to place the string representation of a UUID (e.g. 16F2ACA8-AA29-48ED-9ED9-F96F3A230505) into an extended attribute named com.apple.application-instance of the top-level directory of your bundle (e.g. MyApp.app).

This will not invalidate the code signature or affect the bundle’s code identity. You may then link this UUID to storage outside the bundle that carries the necessary configuration data, such as NSUserDefaults, a file in the Application Support directory, or a web service. Wanna confirm this is still correct information, thanks a lot!

Got it! Wondering how's sign and notarize app different from doing that for disk? Is that similar process or more lightweight process? Do you have any code example for that process (sign + notarize the app + rebuild the disk image)?

Also, what's the downside of setting extended attribute on the disk image? Is there any way to protect it from lost, say like serving it directly to users after appending the attribute