Osx app notarization (without Xcode)

has anyone ever figured out how to notarize an app from the command line without Xcode?
I am building my app on osx with make, which works as it should. I am signing it from the command line, I think that works as it should. But I am stuck with the notarization process.

I was wondering if I could just use some of the node scripts out there:

or maybe

Is my app compiled with hardened runtime? The whole apple deployment is a kinda new world for me. And I guess using Xcode would simplify things there a lot. If I switch to Xcode, can this easily be done on CI as well?

Any pointers would be very much appreciated.

I don’t have experience with this but wonder if this reddit post could help

I also saw this recently


thanks, for the links, I will check them out.
But I guess I will have to do my homework first and read about osx deployment, hardened runtimes, signing, notarization, and certificates.

I am testing with the electron-notarize package, and will post an update once a get a response from the notarization servers.


When I was deploying an app to the App Store I ended up doing all the notarizing in the terminal.
Here are the general steps.

The most important thing to do is generate an App specific password for your Apple Developer Account.
Once you have done that and assuming you have entitlements etc and signing all done right these are the steps:

Assuming you have a signed app which has been zipped to AppName.app.zip. 

Notarize with these steps: 

1) First get an app specific password that doesn’t require 2FA. 
Go to: https://appleid.apple.com and sign in with your Apple Developer email. 

2) Then get your asc-provider name as ProviderShortname ( this is your team ID short name ) 
xcrun altool --list-providers -u "yourdeveloperemail"

Will ask you for your password.
Use the app specific one you generated with step 1.  

3) xcrun altool --notarize-app --primary-bundle-id “com.YourCompany.AppName.app” --username “yourdeveloperemail” --asc-provider “ProviderShortnameFromStep2” --file AppName.app.zip 

Will ask you for your password.
Use the app specific one you generated with step 1.  

4) If no errors you’ll get a response with:
RequestUUID = 37a08bdf-1c2e-497e-9a06-91a454c454d5
5) Once it’s approved via email staple the app so it can be used offline:
xcrun stapler staple AppName.app

6) Then you can zip the AppName.app and replace the zipped app your used for step 3. 

Was thinking maybe we could add this to the Xcode Template somehow so maybe if a couple of vars are set in Project.xcconfig it could automate the process.


thanks a lot @theo,
i agree that it would be nice to have a xcode tempate or a script similar to the electron-notarize one.

I also needed a quick way to do this reliably and ended up spending some (too much) time automating it. I don’t have the examples all working yet, but here are the helper makefiles:

Actually, in some ways my solution is a bit overcomplicated. I will try distilling the important parts down into a script which might be a little less flexible but easier to maintain.

Ok all, I have a working solution I am satisfied with: mac-dist-helper 0.3.0

It’s a single Makefile you can drop into a project or include as a submodule. I have working examples for Cocoa app, OF app, console program, and Pure Data external:


this is great! I was just discussing this yesterday with my group at MIT and can’t wait to try this…

(it’s been getting harder and harder to distribute Mac software, like https://srcsnap.glitch.me)

1 Like

For an integration / workflow example with an existing project, loaf:

altool is deprecated and replaced with notarytool which is easier to embed in a script since you can use the -w option to wait until the whole notary process is done.