19

I am trying to upload our existing app to apple for notarization.

According to the document https://help.apple.com/xcode/mac/current/#/dev88332a81e I have to open the app in the Xcode archive organizer.

We have a dmg file generated from our Jenkins build server. How do I open the dmg file in Xcode to upload?

Also, is there some command line tool that I can use for the notarization?

Cœur
laocius
  • Follow steps from [Customizing the Notarization Workflow](https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow#3087720) – Parag Bafna Jul 12 '19 at 07:57

2 Answers

43

You can do it from the command line.

First you will need to extract the .app from your .dmg and resign it, removing the com.apple.security.get-task-allow entitlement in the process (this is added automatically by the build to support debugging and normally gets removed by archiving - the notarization service won't accept a package with that entitlement, however, so you must remove it).

The .entitlements file you use can just be an empty one.

Xcode 10.2 and higher lets you set a build setting "Code Signing Inject Base Entitlements" that will prevent the com.apple.security.get-task-allow entitlement from being added in the first place. You can use this option on e.g. release builds where debugging is not required, and skip this whole dance of resigning and repackaging with an empty entitlements file.

Note also the use of the --options runtime, which specifies your app was built with the hardened runtime, and is also required.

codesign -f -s "Developer ID Application: Name (ID)" --entitlements my-entitlements.entitlements --options runtime MyApp.app

Now you need to repackage your .app back inside a .dmg, and resign that:

(I use the --options runtime flag here too, though not sure if it's necessary)

codesign -s "Developer ID Application: Name (ID)" MyApp.dmg --options runtime

Then use altool to submit your .dmg:

(Username and password must be someone on the macOS team in the developer portal)

xcrun altool --notarize-app -f MyApp.dmg --primary-bundle-id my-app.myapp -u username -p password

If it uploads successfully, you will get back a token:

RequestUUID = 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f

Then you can check the status with altool, using that token:

xcrun altool --notarization-info 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f -u username -p password

Eventually, it will either succeed or fail. Just keep checking. Check the "Status" field of the response, which should be "success". The response will also include a log file that you can use to troubleshoot errors.

Assuming it succeeds, you need to staple the notarization to the app:

xcrun stapler staple MyApp.dmg

And then validate:

xcrun stapler validate MyApp.dmg

The validate action worked!

You can also apply the quarantine flag to your .app and try to launch it; you will see the new Gatekeeper dialog:

xattr -w com.apple.quarantine MyApp.app
TheNextman
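The submit / poll / check-status loop from the answer above is what a CI job has to automate. As an added example (not code from the answer or from Apple), here are POSIX sh helpers that pull the RequestUUID, Status and LogFileURL out of altool output and poll until the result is terminal; the altool responses used to exercise them are constructed samples, and the real commands are assumed to be wired in where the stub fetcher is.

```shell
#!/bin/sh
# Added example, not from the answer above: POSIX sh helpers for scripting the
# altool workflow in CI. Sample outputs below are constructed to match the shape
# altool prints; in real use, feed the helpers the actual xcrun output.
# RequestUUID printed by `xcrun altool --notarize-app` after a successful upload.
request_uuid() {
  printf '%s\n' "$1" | sed -n 's/.*RequestUUID *= *\([0-9a-fA-F-]*\).*/\1/p' | head -n 1
}
# "Status" field of `xcrun altool --notarization-info` ("in progress", "success", "invalid").
notarization_status() {
  printf '%s\n' "$1" | sed -n 's/^ *Status: *\(.*\)$/\1/p' | head -n 1
}
# LogFileURL field: download it (e.g. with curl) to troubleshoot an "invalid" result.
log_file_url() {
  printf '%s\n' "$1" | sed -n 's/^ *LogFileURL: *\(.*\)$/\1/p' | head -n 1
}

# Poll until the status is terminal. $1 names a command printing notarization-info
# output (so the loop runs against a stub without xcrun), $2 is the maximum number
# of tries, $3 the seconds to sleep between tries. Prints the final status.
poll_notarization() {
  fetch_cmd=$1; max_tries=${2:-40}; interval=${3:-30}; tries=0
  while [ "$tries" -lt "$max_tries" ]; do
    status=$(notarization_status "$($fetch_cmd)")
    case "$status" in
      success|invalid) printf '%s\n' "$status"; return 0 ;;
    esac
    tries=$((tries + 1)); sleep "$interval"
  done
  printf 'timeout\n'; return 1
}

# Constructed sample output, shaped like the real altool responses.
SAMPLE_UPLOAD="No errors uploading 'MyApp.dmg'.
RequestUUID = 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f"
SAMPLE_INFO="No errors getting notarization info.
   LogFileURL: https://example.invalid/notary-log.json
  RequestUUID: 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f
       Status: success
  Status Code: 0"

# Stub fetcher: "in progress" twice, then the final sample. State lives in a temp
# file because command substitution runs the stub in a subshell.
STUB_STATE=$(mktemp); echo 0 > "$STUB_STATE"
stub_fetch() {
  n=$(($(cat "$STUB_STATE") + 1)); echo "$n" > "$STUB_STATE"
  if [ "$n" -lt 3 ]; then printf '       Status: in progress\n'; else printf '%s\n' "$SAMPLE_INFO"; fi
}
```

In a real pipeline, replace stub_fetch with a function that runs `xcrun altool --notarization-info "$uuid" -u "$user" -p "$pass"` and treat anything other than "success" as a failed build.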
  • 1
    I followed your instructions and got "Unable to find an iTunes Connect user for username xxxx@xxxxx and provider . This username may not be enabled for iTunes Connect. Contact your team admin for assistance. (1296)" – laocius Nov 05 '18 at 00:51
  • 2
    Then I suggest you double check the credentials you are using. https://help.apple.com/itc/apploader/#/apdSb30def73 – TheNextman Nov 05 '18 at 01:24
  • 2
    It was because I was not invited to iTunes Connect. It works now. Thanks a lot – laocius Nov 05 '18 at 01:35
  • 2
    When you staple with xcrun, how does it know which "notarization" to use when you do this for multiple apps? I'm surprised that the notarization come back with a UUID or something to identify a specific notary approval. – Trygve Nov 29 '18 at 17:41
  • 3
    `stapler` talks to Apple. From `man stapler`: "stapler requires internet access to retrieve tickets when stapling or validating." – TheNextman Nov 30 '18 at 02:31
  • 2
    I'm just about to start fiddling with this for our release CI builds. I was curious, since the docs at https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow says "While you can notarize a ZIP archive, you can’t staple to it directly. Instead, run stapler against each individual item that you originally added to the archive. Then create a new ZIP file containing the stapled items for distribution.", is this true also for .dmg files? Must I mount the .dmg and staple each item in it, or will just stapling the .dmg do that? – estan Jan 19 '19 at 10:51
  • 3
    @estan You can just staple the .dmg – TheNextman Jan 19 '19 at 18:15
  • 2
    `spctl -a -v -t install some.pkg` checks whether a pkg is accepted; without --type (-t) install, it will fail – StefanS May 09 '19 at 08:46
  • 2
    `stapler validate` is the proper option to check a pkg – StefanS May 13 '19 at 10:53
  • While running the "xcrun altool --notarize-app" command I get the error message "The username is not a member of the provider. Contact your team admin for assistance. (1296)". Does someone know why I get this error? Thanks in advance – peco Nov 07 '19 at 14:01
  • This does not work for '.saver' files; I get 'Unable to validate your application.' when I want to code sign it. – Ahmadreza Mar 09 '20 at 10:02
  • 9
    Apple really needs to make this entire process easier; having to go through all that is ridiculous. – l'L'l Mar 10 '20 at 19:48
  • For me it is failing and giving an error. Link to my: [ticket](https://stackoverflow.com/questions/64597424/electron-notarisation-failed-due-to-the-binary-uses-an-sdk-older-than-the-10-9-s) – Abhishek Matta Oct 29 '20 at 19:03
1

With Xcode 13 and later, notarization via the command line basically comes down to these two commands:

xcrun notarytool store-credentials "<key>" --apple-id "<your apple id>" --team-id <your teamid> --password "<app specific password>"

and

xcrun notarytool submit <your file>.dmg --keychain-profile "<key>" --wait

At the time of writing this answer, the Apple documentation is confusing as they have mentioned using the secret 2FA password instead of the app-specific password. You can go through these steps to create an app-specific password.

Slightly longer version here: https://blog.rampatra.com/how-to-notarize-a-dmg-or-zip-file-with-the-help-of-xcode-s-notary-tool

Ram Patra