Apple Notarisation - Notarytool (altool depracated)

DanH

Is anyone using notarytool yet? Altool will be deprecated tomorrow. If anyone can share an example if so that would be very helpful!

Notarizing macOS software before distribution | Apple Developer Documentation

Give users even more confidence in your macOS software by submitting it to Apple for notarization.

Apple Developer Documentation (developer.apple.com)

Thanks!

bendurso

This is the command I use for the new notarytool:

xcrun notarytool submit "MyPluginInstaller.pkg" --keychain-profile "Mykeychain" --wait

d.healey

Yeah I've been using it for a long while, works just fine. My script is a bit complicated to share as it downloads my project from github, compiles it, codesigns it, builds an installer, notarizes, and then checks for the confirmation.

DanH

@bendurso thanks! How do you define the keychain?

DanH

@d-healey could just take the notarisation line?

d.healey

@DanH said in Apple Notarisation - Notarytool (altool depracated):

could just take the notarisation line?

It's more than a line :)

echo "Notarizing"

response=$(xcrun notarytool submit --apple-id "$apple_id" --password "$app_specific_password" --team-id "$team_id_for_notarization" "$output/$project_name Installer $version.pkg" --wait);

# Get notarization ID
job_id_line=$(grep -m 1 '  id:' < <(echo -e "${response}"))
job_id=$(echo "${job_id_line}" | cut -d ":" -s -f 2 | cut -d " " -f 2)

# Get the notarization status from the response
status_line=$(grep -m 1 '  status:' < <(echo -e "${response}"))
status_result=$(echo "${status_line}" | cut -d ":" -s -f 2 | cut -d " " -f 2)

echo "${response}"

if [[ ${status_result} != "Accepted" ]]; then
  exit 1
fi

# Staple the notarization result
echo "Adding notarization to $project_name Installer $version.pkg"
success=$(xcrun stapler staple "$output/$project_name Installer $version.pkg")
if [[ -z "${success}" ]]; then
  echo "[ERROR] Could not staple notarization to app"
  exit 1
fi

# Confirm stapling
echo "Checking notarization to $project_name Installer $version.pkg "
spctl --assess -vvv --type install "$output/$project_name Installer $version.pkg"

bendurso

@DanH Mm I don't remember how I created that keychain. But I think you can make it with your app specific password and team ID, like this: https://forum.hise.audio/topic/7714/apple-altool-vs-notarytool/4

Lindon

@DanH

you are best reading this:

TN3147: Migrating to the latest notarization tool | Apple Developer Documentation

Migrate your notarization workflows to from the deprecated .

Apple Developer Documentation (developer.apple.com)

--which I see you posted at the thread start -- hang on I will be on the mac in about an hour so I will post an example...

Lindon

@Lindon ok here a bit quicker than I thought

So the "keychain" option is really a short cut but if you havent been using it before then ..lets go with the standard replacement notarytool command

to submit something:

xcrun notarytool submit --apple-id "<your apple id>" --password "<your altool password>" --team-id "<your team ID>" "<path to your zip or pkg>" --wait

your old altool cammand for notarization should give you everything you need - except perhaps your teamID - but its in there is like a string like this. "7734UZ9PFG". - or its available in your apple developer account...

adding --wait at the end will make the process not complete until it gets a final status, this is useful as apple will no longer be emailing you with the results....instead in the command window once you've started this command you should see a percentage for the upload, then probably a status of "In Progress..." and eventually(if all goes well): "Accepted"

DanH

@Lindon amazing - really appreciate that thank you!