Apple recently updated their notarization documentation to include this note:
Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.
The part about “notarization will be required by default for all software” made me think, because there are a few apps that I’ve written over the years that are still useful (at least to me). All of them were built using Automator, which meant that the usual Xcode-based ways of notarizing applications weren’t going to work for me.
With assistance from folks in the MacAdmins Slack, though, I was able to develop a process that allowed me to do the following:
- Codesign an Automator application
- Upload the application to Apple for notarization
- Attach the notarization to the application
- Verify that the notarization was attached and valid
The documentation linked below was also very helpful in figuring out how to notarize using command line tools:
- https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow
- https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
For more details, please see below the jump.
Pre-requisites
For notarization, you need the following things:
- Xcode 10 or later installed on your Mac.
- An Apple Developer Connection account
- A one-time password for your ADC account’s Apple ID
As an example to use for the process, I’m using an existing Automator application that I wrote a while back:
Notarization requires that the application in question be code signed, and I had not yet done so for this application, so I needed to code sign my application first.
To do this, first clear the application of extended attributes by running a command like the one below:
sudo xattr -rc "/path/to/Application Name Here.app"
In my case, the command looked like this:
sudo xattr -rc "/Users/username/Desktop/Payload-Free Package Creator.app"
Once the application is ready for signing, run a command like the one below to code sign the application:
codesign --force --options runtime --deep --sign "Developer ID Application: Name Here (YG45FDT45F)" "/path/to/Application Name Here.app"
In my case, the command looked like this:
codesign --force --options runtime --deep --sign "Developer ID Application: Rich Trouton (XF95CST45F)" "/Users/username/Desktop/Payload-Free Package Creator.app"
Once signed, verify the signature using a command like the one below:
codesign -dv --verbose=4 "/path/to/Application Name Here.app"
In my case, the command looked like this:
codesign -dv --verbose=4 "/Users/username/Desktop/Payload-Free Package Creator.app"
Once finished, the output of the code signing looked like this:
The next thing needed is to get the app ready for upload to Apple for notarization. For this, you’ll need to do two things:
- Have your one-time password for your ADC account ready.
- Compress your application into a .zip file
Once your application has been compressed, run a command similar to the one below to upload it to Apple for notarization:
xcrun altool --notarize-app --primary-bundle-id "com.example.application.name" --username "adc_appleid_here" --password "adc_appleid_one_time_password_here" --file "/path/to/Application Name Here.zip"
In my case, the command looked like this:
xcrun altool --notarize-app --primary-bundle-id "com.apple.automator.Payload-FreePackageCreator" --username "adc_appleid_here" --password "one-time-password-goes-here" --file "/Users/username/Desktop/Payload-Free Package Creator.zip"
Once finished, the output of the notarization upload looked like this:
To validate that the notarization is successful, run a command similar to the one below:
xcrun altool --notarization-info uuid-goes-here --username "adc_appleid_here" --password "one-time-password-goes-here"
In my case, the command looked like this:
xcrun altool --notarization-info be136ed3-3888-44e1-87ed-0e5c8c13cdb5 --username "adc_appleid_here" --password "one-time-password-goes-here"
Once finished, the output of the notarization validation looked like this:
As part of the validation, a link to a log file is included. In my case, the log looks like this:
Once the notarization has been generated for the app, the next step is to attach, or staple, the notarization to the app. To do this, run a command similar to the one below:
xcrun stapler staple "/path/to/Application Name Here.app"
In my case, the command looked like this:
xcrun stapler staple "/Users/username/Desktop/Payload-Free Package Creator.app"
Once finished, the output of the stapling process looked like this:
The final step is to validate that the stapling was successful. To do this, run a command similar to the one below:
stapler validate -v "/path/to/Application Name Here.app"
In my case, the command looked like this:
stapler validate -v "/Users/username/Desktop/Payload-Free Package Creator.app"
Once finished, the output of the stapling validation looked like this:
Following notarization, Apple should send you a notification similar to the one shown below that your app has been notarized.
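As an added example (not code from the original post), here is the whole workflow above as a shell script: it wraps each step, parses the RequestUUID and Status out of altool's output instead of reading them by eye, and polls until the ticket is issued before stapling. The function names, the constructed sample outputs, and the use of ditto for zipping and spctl for a final Gatekeeper check are my assumptions, not from the post.

```shell
# Added example, not the original post's code: runs the post's notarization
# workflow end to end and parses altool's output instead of reading it by eye.
# Function names and the sample outputs below are assumptions/constructed.

# Pull "RequestUUID = <uuid>" out of `altool --notarize-app` output.
request_uuid_from() {
  sed -n 's/^RequestUUID = \([0-9a-fA-F-]*\).*/\1/p' | head -n 1
}

# Pull the Status value out of `altool --notarization-info` output.
# "Status Code:" and "Status Message:" lines do not match this pattern.
status_from() {
  sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1
}

# Constructed sample outputs in altool's format, using the post's UUID.
sample_upload_output() {
  printf "No errors uploading '%s'.\nRequestUUID = %s\n" \
    "/Users/username/Desktop/Payload-Free Package Creator.zip" \
    "be136ed3-3888-44e1-87ed-0e5c8c13cdb5"
}
sample_info_output() {
  printf 'No errors getting notarization info.\n\n'
  printf '   RequestUUID: be136ed3-3888-44e1-87ed-0e5c8c13cdb5\n'
  printf '        Status: success\n   Status Code: 0\nStatus Message: Package Approved\n'
}

# Driver: app path, "Developer ID Application: ..." identity, bundle id,
# Apple ID and its one-time password. Not run here; it needs Xcode and an ADC account.
notarize_app() {
  app="$1" identity="$2" bundle_id="$3" user="$4" pass="$5"
  zip="${app%.app}.zip"
  sudo xattr -rc "$app"
  codesign --force --options runtime --deep --sign "$identity" "$app"
  codesign --verify --deep --strict --verbose=2 "$app" || return 1
  ditto -c -k --keepParent "$app" "$zip"         # zip that keeps bundle metadata intact
  uuid=$(xcrun altool --notarize-app --primary-bundle-id "$bundle_id" \
         --username "$user" --password "$pass" --file "$zip" 2>&1 | request_uuid_from)
  [ -n "$uuid" ] || { echo "upload failed: no RequestUUID returned" >&2; return 1; }
  while :; do                                    # poll until Apple finishes
    info=$(xcrun altool --notarization-info "$uuid" --username "$user" --password "$pass" 2>&1)
    case "$(printf '%s\n' "$info" | status_from)" in
      success) break ;;
      "in progress") sleep 30 ;;
      *) printf '%s\n' "$info" >&2; return 1 ;;  # rejected: LogFileURL explains why
    esac
  done
  xcrun stapler staple "$app" && xcrun stapler validate -v "$app" && spctl -a -vv -t exec "$app"
}
```

Call it as notarize_app "/path/to/App.app" "Developer ID Application: Name (TEAMID)" "com.example.app" "appleid" "password"; a non-zero return means one of the steps failed and its output has been left on stderr.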