Does macOS phone home to Apple's servers before running an app for the first time?

Solution 1:

Yes, Catalina and Mojave Gatekeeper can and will phone home now as part of a layered defense model against malware and privacy protection system violations.

Everyone expects (or tolerates) this on the first run, but ongoing checks for certificate revocation can and will block apps when any trusted Certificate Authority revokes a signing certificate before their expiration dates. When this happens repeatedly, it can be highly frustrating.

  • https://lapcatsoftware.com/articles/catalina-executables.html
  • https://developer.apple.com/news/?id=09032019a

If you (or anyone else) fail to sign or notarize installers/packages/apps and don’t staple the notarization, this is how Gatekeeper and related checks are supposed to work. We would need to know your Gatekeeper settings and more about your app to know if this is in play. Also, when the online and local systems that check revocations change or fail, this may be challenging to troubleshoot.

  • https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

Notarization specifically is a Catalina-era feature and not anything to do with specific hardware.

Apple recommends that you notarize all of the software that you’ve distributed, including older releases, and even software that doesn’t meet all of these requirements or that is unsigned. Apple’s notary service uses a variety of methods, including telemetry, to determine which of the above rules to relax for preexisting software.

Stapling the ticket generated by your successful notarization should restore the behavior and performance you expect as Gatekeeper can find the ticket while offline in most cases.
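To gather the details the answer asks for (Gatekeeper setting, how the app is assessed, and whether a notarization ticket is stapled), here is an added example that is not part of the original answer. It assumes an app bundle path as its argument and uses the macOS tools `spctl` and `xcrun stapler`; the function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise what Gatekeeper thinks of an app bundle.
# The real tools run only on macOS; the parser itself is plain sh.

# Constructed samples of `spctl --assess -vv` output, for offline testing.
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNNOTARIZED='/Applications/Example.app: rejected
source=Unnotarized Developer ID'

# classify_spctl: read spctl assessment output on stdin and print
# "<accepted|rejected|unknown> <signature class>".
classify_spctl() {
    out=$(cat)
    first=$(printf '%s\n' "$out" | head -n 1)
    case "$first" in
        *": accepted") verdict=accepted ;;
        *": rejected") verdict=rejected ;;
        *)             verdict=unknown ;;
    esac
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Notarized Developer ID")   class=notarized ;;
        "Unnotarized Developer ID") class=unnotarized ;;
        "Developer ID")             class=developer-id ;;
        "Mac App Store")            class=app-store ;;
        "no usable signature")      class=unsigned ;;
        *)                          class=other ;;
    esac
    echo "$verdict $class"
}

# triage_app: Gatekeeper setting, assessment, and stapled-ticket check.
triage_app() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found; run on macOS" >&2; return 2; }
    echo "gatekeeper: $(spctl --status 2>&1)"
    echo "assessment: $(spctl --assess --type execute -vv "$1" 2>&1 | classify_spctl)"
    if xcrun stapler validate "$1" >/dev/null 2>&1; then
        echo "ticket: stapled, can be checked offline"
    else
        echo "ticket: not stapled, Gatekeeper has to look it up online"
    fi
}

if [ $# -gt 0 ]; then triage_app "$1"; fi
```

An `accepted notarized` assessment with no stapled ticket is the case where launches depend on the online lookup; installer packages need `--type install` instead of `--type execute`.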