I am trying to upload our existing app to apple for notarization.
According to the document https://help.apple.com/xcode/mac/current/#/dev88332a81e I have to open the app the xcode archive organizer.
We have a dmg file generated from our jenkins build server. How do I open the dmg file in xcode to upload?
Also, is there some command line tool that I can use for the notarization?
You can do it from the command line.
First you will need to extract the .app from your .dmg and resign it, removing the com.apple.security.get-task-allow
entitlement in the process (this is added automatically by the build to support debugging and normally gets removed by archiving - the notarization service won't accept a package with that entitlement, however, so you must remove it).
The .entitlements file you use can just be an empty one.
Xcode 10.2 and higher lets you set a build setting "Code Signing Inject Base Entitlements" that will prevent the com.apple.security.get-task-allow
entitlement from being added in the first place. You can use this option on e.g. release builds where debugging is not required, and skip this whole dance of resigning and repackaging with an empty entitlements file.
Note also the use of the --options runtime
, which specifies your app was built with the hardened runtime, and is also required.
codesign -f -s "Developer ID Application: Name (ID)" --entitlements my-entitlments.entitlements --options runtime MyApp.app
Now you need to repackage your .app back inside a .dmg, and resign that:
(I use the --options runtime
flag here too, though not sure if it's necessary)
codesign -s "Developer ID Application: Name (ID)" MyApp.dmg --options runtime
Then use altool
to submit your .dmg:
(Username and password must be someone on the macOS team in the developer portal)
xcrun altool --notarize-app -f MyApp.dmg --primary-bundle-id my-app.myapp -u username -p password
If it upload successfully, you will get back a token:
RequestUUID = 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f
Then you can check the status with altool
, using that token:
xcrun altool --notarization-info 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f -u username -p password
Eventually, it will either succeed or fail. Just keep checking. Check the "Status" field of the response, which should be "success". The response will also include a log file that you can use to troubleshoot errors.
Assuming it succeeds, you need to staple the notarization to the app:
xcrun stapler staple MyApp.dmg
And then validate:
xcrun stapler validate MyApp.dmg
The validate action worked!
You can also apply the quarantine flag to your .app and try to launch it, you will see the new Gatekeeper dialog:
xattr -w com.apple.quarantine MyApp.app