Apple’s notarization service allows Apple to verify apps distributed outside of the App Store system. If you make your own apps to distribute to customers, clients, family or friends then you will have to notarize them by submitting them to Apple. This avoids painful dialog boxes in macOS 10.15 Catalina that prevent your app from launching by default.
Notarization The Hard Way
I’d been putting off notarizing my apps created for my clients for three reasons,
1) it isn’t a strict necessity because most users are on macOS 10.14 Mojave,
2) I use Munki to distribute and install software which bypasses the requirements, and
3) I’m lazy
But it is only a matter of time before this would be a strict requirement and necessity. Also the relaxed requirements for notarization of apps was about to change again in February 2020 and I said this is the moment to do something. What now? Check with Rich Trouton and his blog Der Flounder.
codesign –force –options runtime –deep –sign “Developer ID Application: Name (#H7373736)” “/Applications/Cool-App.app/”
Rich Trouton is the modern major general of documentation and a super awesome dude. His blog Der Flounder has documented this process and now it was time to revisit this. Step by step recipes well explained with comments. What’s not to love?! Well, I didn’t get far because I missed some ingredients. Signing the app failed. I couldn’t notarize it without signing it. Hmm…
error: The specified item could not be found in the keychain.
It didn’t work the hard way, so let’s try it another way.
Notarization Made Easy
A very awesome app from Late Night Software called SD Notary can help make this process go smoothly. Their app detects if you have the right cert to run this process. Something which I thought I had, but did not.
Certificates, Identifiers & Profiles
It’s no accident I got tripped up in the same place with the cli and with the SD Notary app to notarize my app. I was missing the correct certificate. When I tried to codesign as a first step that’s when I got an error that I puzzled over for a minute.
The SD Notary app stopped me also at the first step because it said it couldn’t find a Developer Signing ID. And that with the command line error finally made me realize I’d missed something. And here I thought creating the app specific password was the hard part. (It wasn’t hard, but you have to look in the right place!).
A quick run back to the Apple developer site and a trip to the “certs identifier and profiles” section to create a new “Developer ID Application” cert (I had the installer one previously) solved that. I also had some trouble creating an app specific password, mostly because I was looking in the wrong place (in my dev account, not my apple ID account) but that got sorted.
The “Developer ID Application” is what I needed.. Of course to get this I need to generate a cert signing request. There’s always a few steps. But once these are done then you’re good to go.
Once the proper Application type cert is in place, and the app specific password then you’re able to notarize via cli or an app like SD Notary. I tested this in Terminal:
xcrun altool --notarize-app --primary-bundle-id "com.apple.automator.Cool-App" --username "firstname.lastname@example.org" --password "really-cool-passw0rd" --file "/Applications/Cool-App.app.zip" No errors uploading '/Applications/Cool-App.app.zip'. RequestUUID = 12345f-567e-476f-a229-6789cef906b
And in less than 3 minutes I received an email declaring it done. “Your Mac software was successfully notarized.”
Then I went back to SD Notary and tried again. It was also successful and after selecting the app the entire process of signing, zipping, submitting to Apple, then stapling was done seamlessly.
Hope that makes sense to someone. And the next time I notarize an app I will be able to do it seamlessly thanks to the help of everyone who has provided documentation and cool apps. Cheers.