How to Distribute Your Branded Desktop Email App (Windows, macOS, Linux)

📦 White-label app publishing — guide series

  1. Android · Sign & publish (.aab)
  2. iOS · Sign & publish (.xcarchive)
  3. Desktop · Distribute installers (you are here)

When you generate desktop apps from Rebrand → Generate Apps (available on the Complete tier), Mailbux builds branded installers for Windows, macOS, and Linux. Unlike the mobile stores, desktop apps are distributed by you — usually as a download on your website. This guide covers signing and distribution so your customers can install without scary security warnings.

What you get

  • Windows — an .exe installer (NSIS) and/or an MSIX/AppX package.
  • macOS — a .dmg disk image (and/or a .pkg).
  • Linux — an .AppImage (portable) and/or .deb package.

You can hand these files to customers as-is, but code signing is what removes the "unknown developer" warnings and builds trust.

Windows — sign with an EV/OV code-signing certificate

  1. Buy a code-signing certificate from a CA (e.g. DigiCert, Sectigo). An EV certificate gives the best SmartScreen reputation immediately.
  2. Sign the installer with Microsoft's signtool:
    signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /a "YourBrand-Setup.exe"
  3. Verify: signtool verify /pa "YourBrand-Setup.exe".

Without signing, Windows SmartScreen may warn users; they can still install via More info → Run anyway, but signing is strongly recommended for a branded product.

macOS — sign & notarize

macOS Gatekeeper blocks unsigned apps. You need an Apple Developer membership and a Developer ID Application certificate.

  1. Sign the app bundle inside the .dmg:
    codesign --deep --force --options runtime --sign "Developer ID Application: Your Company (TEAMID)" "YourBrand.app"
  2. Notarize with Apple and staple the ticket:
    xcrun notarytool submit "YourBrand.dmg" --apple-id you@example.com --team-id TEAMID --password APP_SPECIFIC_PASSWORD --wait
    xcrun stapler staple "YourBrand.dmg"

Notarized DMGs open with a normal double-click on any Mac — no right-click workaround needed.

Linux — make it easy to run

  • AppImage is the most portable: customers just chmod +x YourBrand.AppImage and double-click. No signing authority exists, but you can publish a checksum.
  • .deb installs with sudo apt install ./yourbrand.deb on Debian/Ubuntu.
  • Publish a SHA-256 checksum next to each file so users can verify integrity.
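One way to produce and check those checksums, as an added example that is not part of the Mailbux tooling: the publisher writes a SHA256SUMS manifest and the customer checks a download against it. The function names, the SHA256SUMS file name and the file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example: publisher writes a SHA-256 manifest, customer checks a download.
# File names and contents below are constructed placeholders.

# Hash one file with whichever tool exists (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Publisher: write "<hash>  <name>" per file (names assumed free of whitespace).
make_manifest() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$manifest"
    done
}

# Customer: 0 = match, 1 = hash mismatch, 2 = not listed, 3 = file missing.
verify_download() {
    manifest=$1; file=$2
    [ -f "$file" ] || return 3
    expected=$(awk -v n="$(basename "$file")" '$2 == n { print $1; exit }' "$manifest")
    [ -n "$expected" ] || return 2
    [ "$(sha256_of "$file")" = "$expected" ] || return 1
    return 0
}

# Demo on a constructed file in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed installer bytes\n' > "$d/YourBrand.AppImage"
    make_manifest "$d/SHA256SUMS" "$d/YourBrand.AppImage"
    verify_download "$d/SHA256SUMS" "$d/YourBrand.AppImage"; clean=$?
    printf 'tampered\n' >> "$d/YourBrand.AppImage"
    verify_download "$d/SHA256SUMS" "$d/YourBrand.AppImage"; changed=$?
    rm -rf "$d"
    echo "clean=$clean changed=$changed"
}
demo
```

A manifest served from the same location as the installers only catches corrupted or partial downloads, because anyone who can replace the installer there can replace the manifest too. Hosting the manifest on a separate HTTPS origin, or signing it, lets the check also catch a tampered file.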

Distribute to your customers

  1. Upload the signed installers to your website or a cloud bucket.
  2. Create a simple Downloads page with one button per OS and the version number.
  3. Detect the visitor's OS to highlight the right download first (optional, but a nice touch).

Auto-updates: if your build is configured with an update feed, host the generated update files alongside the installer so existing users upgrade automatically. Otherwise, email customers when a new version is available.

Troubleshooting

  • Windows "Unknown publisher". The installer isn't signed yet, or the certificate hasn't built reputation — an EV certificate fixes this fastest.
  • macOS "app is damaged / can't be opened". The app isn't notarized; complete the notarize + staple step above.
  • Linux AppImage won't launch. Make it executable (chmod +x) and install libfuse2 if the system prompts for it.

Finish the series for mobile: Sign & publish your Android app (.aab) and Sign & publish your iOS app (.xcarchive).
