How to notarize a macOS app

First, sign the app. The codesign commands below take the signing identity from this variable:

export SignatureKeychainId="Developer ID Application"

Generate an app-specific password at http://appleid.apple.com -> "Security", and add the generated password to the keychain:

xcrun altool --store-password-in-keychain-item "APPLEDEVID_PASSWORD" -u "<appleid>" -p "<app_specific_password>"

Zip the app bundle:

ditto -ck --sequesterRsrc --keepParent myapp.app myapp.zip

The actual notarization is done with this command:

xcrun altool -f <zipped or dmg'ed app bundle> --primary-bundle-id "<any_random_bundle_id_used_when_emailing_status>" --notarize-app --username <appleid> --password "@keychain:APPLEDEVID_PASSWORD"

This command also gives a log file URL that can be used for debugging issues.

Notarization status can be checked with this command, which is a convenient way to see the errors:

xcrun altool --notarization-info <submission request guid> -u <appleid> -p "@keychain:APPLEDEVID_PASSWORD"

Staple the app so it can be launched even if the user doesn't have an internet connection:

xcrun stapler staple "<AppName.app>"

codesign must be run with "--options=runtime" (short form: "-o runtime") to enable the hardened runtime.

The Sparkle framework's internals currently need to be codesigned individually (https://github.com/sparkle-project/Sparkle/issues/1389) before the app bundle itself is codesigned, in 3 steps (see https://furbo.org/2019/08/16/catalina-app-notarization-and-sparkle/):

codesign --force -o runtime --deep --timestamp --verify --verbose -s "$SignatureKeychainId" "OurAppBundle.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app"

codesign --force -o runtime --verbose -s "$SignatureKeychainId" "OurAppBundle.app/Contents/Frameworks/Sparkle.framework"

codesign --force --options=runtime --deep --timestamp --verify --verbose --sign "$SignatureKeychainId" "OurAppBundle.app"

Check if app is signed

codesign -dvvv myapp.app

Codesign app

codesign --deep --force -o runtime --verbose -s "$SignatureKeychainId" myapp.app
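
The inside-out order used in the Sparkle steps above, generalized to any bundle, as an added example that is not from the original page or from the Sparkle project: it signs every nested helper app, framework, XPC service and dylib deepest first, then the bundle itself, instead of relying on --deep. The function names and the DRY_RUN switch are assumptions of this example; SignatureKeychainId is the variable exported earlier.

```shell
#!/bin/sh
# Added example (not from the original page): inside-out signing.
# SignatureKeychainId is the page's identity variable; the function names
# and the DRY_RUN switch are assumptions made for this example.

# List nested code inside bundle $1 (helper apps, frameworks, XPC services,
# dylibs), deepest path first, so inner items are signed before outer ones.
nested_code_inside_out() {
    find "$1" -mindepth 1 \( -name '*.app' -o -name '*.framework' \
            -o -name '*.xpc' -o -name '*.dylib' \) -print |
        awk -F/ '{ printf "%d\t%s\n", NF, $0 }' |
        sort -t "$(printf '\t')" -k1,1nr -k2 |
        cut -f2-
}

# Sign one item with hardened runtime and a secure timestamp.
# With DRY_RUN=1 the command is printed instead of executed.
sign_one() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'codesign --force --options runtime --timestamp --sign "%s" "%s"\n' \
            "$SignatureKeychainId" "$1"
    else
        codesign --force --options runtime --timestamp \
            --sign "$SignatureKeychainId" "$1"
    fi
}

# Sign every nested item, then the bundle, then verify the result.
sign_inside_out() {
    nested_code_inside_out "$1" | while IFS= read -r item; do
        sign_one "$item" || exit 1   # stop at the first failed signature
    done || return 1
    sign_one "$1" || return 1
    [ "${DRY_RUN:-0}" = 1 ] || codesign --verify --deep --strict --verbose=2 "$1"
}

# Usage: DRY_RUN=1 sh sign.sh OurAppBundle.app
if [ "$#" -gt 0 ]; then
    : "${SignatureKeychainId:=Developer ID Application}"
    sign_inside_out "$1"
fi
```

Run it with DRY_RUN=1 first to review the order of the codesign calls before anything is signed.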

Quinn's tutorial on codesigning

https://developer.apple.com/forums/thread/128166

Official guidelines from 2016

https://developer.apple.com/library/archive/technotes/tn2206/_index.html

WWDC All about notarization

https://developer.apple.com/videos/play/wwdc2019/703/

Quinn's example

https://developer.apple.com/forums/thread/130855

Catalina: how do I determine why Gatekeeper is rejecting a signed executable?

https://developer.apple.com/forums/thread/125567
