Osx app notarization (without Xcode)

hello,
has anyone ever figured out how to notarize an app from the command line without Xcode?
I am building my app on osx with make, which works as it should. I am signing it from the command line, I think that works as it should. But I am stuck with the notarization process.

I was wondering if I could just use some of the node scripts out there:

or maybe

Is my app compiled with hardened runtime? The whole apple deployment is a kinda new world for me. And I guess using Xcode would simplify things there a lot. If I switch to Xcode, can this easily be done on CI as well?

Any pointers would be very much appreciated.
T

I don’t have experience with this but wonder if this reddit post could help

I also saw this recently

https://gregoryszorc.com/blog/2022/08/08/achieving-a-completely-open-source-implementation-of-apple-code-signing-and-notarization/

Thanks for the links, I will check them out.
But I guess I will have to do my homework first and read about osx deployment, hardened runtimes, signing, notarization, and certificates.

I am testing with the electron-notarize package, and will post an update once I get a response from the notarization servers.

@thomasgeissl

When I was deploying an app to the App Store I ended up doing all the notarizing in the terminal.
Here are the general steps.

The most important thing to do is generate an App specific password for your Apple Developer Account.
Once you have done that and assuming you have entitlements etc and signing all done right these are the steps:

Assuming you have a signed app which has been zipped to AppName.app.zip. 

Notarize with these steps: 

1) First get an app specific password that doesn’t require 2FA. 
Go to: https://appleid.apple.com and sign in with your Apple Developer email. 

2) Then get your asc-provider name as ProviderShortname (this is your team ID short name)
xcrun altool --list-providers -u "yourdeveloperemail"

Will ask you for your password.
Use the app specific one you generated with step 1.  

3) xcrun altool --notarize-app --primary-bundle-id "com.YourCompany.AppName.app" --username "yourdeveloperemail" --asc-provider "ProviderShortnameFromStep2" --file AppName.app.zip

Will ask you for your password.
Use the app specific one you generated with step 1.  

4) If no errors you’ll get a response with:
RequestUUID = 37a08bdf-1c2e-497e-9a06-91a454c454d5
 
5) Once it’s approved via email staple the app so it can be used offline:
xcrun stapler staple AppName.app

6) Then you can zip the AppName.app and replace the zipped app you used for step 3.

Was thinking maybe we could add this to the Xcode Template somehow so maybe if a couple of vars are set in Project.xcconfig it could automate the process.

2 Likes
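
Added example, not part of the thread and not the poster's code: steps 3 to 5 of the post above as a POSIX shell script for CI, polling `--notarization-info` for the result instead of waiting for the approval email. The environment variable names AC_USERNAME, AC_PROVIDER and AC_PASSWORD are assumptions; the app-specific password is handed to altool as `@env:AC_PASSWORD` so it stays out of the command line.

```shell
#!/bin/sh
# Added example (not from the thread): steps 3-5 scripted for CI.
# Assumed env vars (hypothetical names): AC_USERNAME, AC_PROVIDER, AC_PASSWORD.
set -eu

# Step 4: pull the UUID out of altool's "RequestUUID = <uuid>" reply.
# Only a well-formed 36-character UUID is accepted.
extract_request_uuid() {
  sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*=[[:space:]]*\([0-9A-Fa-f-]\{36\}\)[[:space:]]*$/\1/p' | head -n 1
}

# Read the "Status:" field ("in progress", "success", "invalid") from
# `altool --notarization-info` output; "Status Code:" lines do not match.
extract_status() {
  sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# usage: notarize_and_staple AppName.app.zip AppName.app com.YourCompany.AppName.app
notarize_and_staple() {
  zip=$1; app=$2; bundle_id=$3
  # "@env:AC_PASSWORD" tells altool to read the app-specific password from the
  # environment, keeping it out of argv, shell history and CI logs.
  out=$(xcrun altool --notarize-app --primary-bundle-id "$bundle_id" \
        --username "$AC_USERNAME" --password "@env:AC_PASSWORD" \
        --asc-provider "$AC_PROVIDER" --file "$zip" 2>&1) || true
  uuid=$(printf '%s\n' "$out" | extract_request_uuid)
  [ -n "$uuid" ] || { printf '%s\n' "$out" >&2; return 1; }

  attempt=0
  while [ "$attempt" -lt 30 ]; do          # poll for up to ~30 minutes
    sleep 60
    info=$(xcrun altool --notarization-info "$uuid" \
           --username "$AC_USERNAME" --password "@env:AC_PASSWORD" 2>&1) || true
    case "$(printf '%s\n' "$info" | extract_status)" in
      success) xcrun stapler staple "$app" && xcrun stapler validate "$app"
               return ;;
      invalid) printf '%s\n' "$info" >&2; return 1 ;;
    esac                                   # anything else: not ready yet
    attempt=$((attempt + 1))
  done
  echo "timed out waiting for notarization of $uuid" >&2
  return 1
}

# Run only when given the three arguments, so the functions can also be sourced.
if [ "$#" -eq 3 ]; then notarize_and_staple "$@"; fi
```

Apple has since retired altool for notarization in favor of `xcrun notarytool`; the submit, wait, staple flow is the same.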

thanks a lot @theo,
I agree that it would be nice to have an Xcode template or a script similar to the electron-notarize one.