Why Whisper Notes for Mac Uses DMG Distribution—and How to Verify It
Understand the move from the Mac App Store to a website DMG, why system-wide dictation uses Accessibility permission, and how to verify signing, notarization, and updates.
Updated

Key takeaways
- Website distribution can still use Developer ID signing, Apple notarization, and Gatekeeper.
- System-wide insertion requires a clear explanation of Accessibility permission.
- Download only from the official site and periodically review macOS privacy permissions.
Why distribution affects system-wide dictation
Whisper Notes for Mac inserts recognized text into the active application after a user-triggered shortcut. That workflow relies on macOS Accessibility permission, while sandbox and review constraints affect implementation and updates. Website DMG distribution preserves that workflow. This is a product-specific decision, not a claim that every Accessibility-enabled app must leave the Mac App Store.
What DMG, Developer ID, notarization, and Gatekeeper do
A DMG is only an installation container. Developer ID signing identifies the publisher and protects integrity; Apple notarization scans submitted software; Gatekeeper verifies these signals when the app first runs. If macOS reports an unverifiable developer, damaged signature, or unexpected source, delete the file and download it again from the official site rather than disabling system protection.
Why Accessibility permission is sensitive
Accessibility access can inspect and control interface elements. System-wide dictation uses it to insert text at the active cursor, but the permission remains powerful. Users should see a specific explanation, a visible recording state, and a clear path to revoke access in System Settings. Microphone and Accessibility permissions serve different purposes and should be explained separately.
How existing users should migrate
Export important recordings and transcripts, follow the official license-migration instructions, and test a short dictation, one import, and one export before removing the old build. Avoid running two versions that compete for the same shortcut. Never share an Apple ID password or remote-control access with unofficial support contacts.
Update a website-distributed app safely
Accept updates only in-app or from the verified official domain, review version notes, and keep Gatekeeper enabled. Security-conscious organizations can validate the signature before rollout and test on a small device group. Transparent release notes, verifiable signing, and precise permission explanations are more useful than a generic request to “trust the developer.”
Frequently asked questions
Is a DMG app automatically less safe than a Mac App Store app?
No. A website app can still be signed, notarized, and checked by Gatekeeper, but the user must verify the download source and update path.
Why does system-wide dictation need Accessibility access?
It allows the app to insert recognized text at the cursor after the user triggers dictation. Because the permission is powerful, it should be narrowly explained and revocable.
What should I do if macOS cannot verify the developer?
Do not disable security controls. Delete the installer, download it again from the official site, and contact official support if verification still fails.