Thanks. A few more questions. On the code signing front, each code item is signed separately and thus adding and removing libraries in /Libraries does not break anything. What if I also have some executables in there? Does the same applies to executables as well? /Library/MyAppLibs/Versions/1.2.3/ contains all my libraries, a few frameworks, some executables and other files. Now, this directory is signed as a bundle. Do I understand correctly that don't need it to be signed? Won't it affect the ability to run executables from this directory?   then have your app download and open that Do you mean my app should run something like open /tmp/my_lib.pkg? Isn't this require root password anyway? Is there a way to run it without installation dialogue, like when I run it from terminal? Is there a way to force MacOS to check library signature, so I can test if everything works fine after update?