“I don’t know how to notarize applications as part of a CI/CD process”
Notarizing applications is easy enough to do via Xcode’s Export Archive wizard. But you should realize that this approach may not be workable in larger organizations, for reasons such as these:
- Only certain individuals should have access to the organization’s Developer ID account, for security reasons. Nevertheless, notarizing applications via Xcode requires that access.
- Notarizing via the GUI takes time out of a developer’s day. When the organization has multiple releases a week (internal releases included), spending a developer’s time just to notarize applications is not wise.
What’s more, larger organizations probably have pre-existing CI/CD processes that you need to comply with, and they probably already have pre-existing CI/CD infrastructure as well.
Yes, there is a better way.
Xcode provides command-line tools that you can use to automate notarization, so you can integrate the process into the CI/CD environment you already have, as long as it runs on a Mac.
The Standard Notarization Workflow
Have a look at the following activity diagram showing a typical notarization workflow. I’ve marked the “happy path” in blue arrows.
Having built a notarizable artifact (usually a macOS application bundle), you then need to upload it to the notarization service. The upload returns a UUID which you can use to query the request’s status. You then need to poll this status every few seconds; most artifacts under 100MB take less than 10 minutes to notarize. When the status indicates a failed notarization, you need to download its log messages to discover the issue and make corrections.
Upon successful notarization, you should staple the notarization ticket back onto the artifact. Stapling saves the user’s Mac from needing to be online to validate the app’s notarization result. It is equally important to enclose stapling within a loop, because stapling can fail even though the notarization status showed success, probably because the service responsible for stapling hasn’t yet received the ticket from the one responsible for notarization.
The following are the commands that you need for notarization. Most of these commands require authentication; the details are described in my other post.
Upload Notarization Artifact
The following command uploads an artifact for notarization. In return you get a UUID with which to query its status.
xcrun altool --notarize-app \
    --primary-bundle-id «app bundle identifier» \
    --file «notarizable artifact»
Given a UUID returned by the notarization upload, you use the following command to get its status:
xcrun altool --notarization-info «request UUID»
When the notarization process is completed, regardless of success or failure, the above command also returns a URL for the notarization log messages. These log messages are very useful for diagnosing notarization failures.
The following command would staple the notarization ticket back into the artifact. Unlike other commands, this one does not require authentication.
xcrun stapler staple «app bundle»
I’ve put together a shell script to notarize and staple a macOS application bundle. You can use the script “as-is” or as an inspiration on how you can integrate it into a full CI/CD pipeline.
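The script below is an added example of the workflow just described (upload, poll the status, fetch the log on failure, staple with retries); it is not the author’s script. It assumes the Apple ID is in the NOTARY_USER environment variable and the password in NOTARY_PASSWORD, which altool reads itself through its @env: form so the password never appears on the command line or in CI process listings. It also assumes the bundle is zipped with ditto before upload (altool takes an archive, not a bare .app), that curl is available to fetch the log, and the poll and retry constants are arbitrary choices. The sample altool outputs at the bottom are constructed to match the shape of altool’s text output so the parsing can be exercised without an Apple ID; they are not real notarization records. Note that Apple has since deprecated altool in favour of notarytool; the loop structure is the same, only the commands and their output format differ.

```shell
#!/bin/sh
# Added example (not the post author's script): notarize and staple a macOS
# app bundle from a CI job: upload -> poll -> fetch log on failure -> staple.
#
# Assumptions (not from the original post):
#   - NOTARY_USER holds the Apple ID; altool reads the password itself from
#     NOTARY_PASSWORD via "@env:", so it is not passed on the command line.
#   - The .app is zipped with ditto before upload.

POLL_SECONDS=30      # how often to ask for the request status
MAX_POLLS=40         # give up after roughly 20 minutes
STAPLE_ATTEMPTS=10   # stapling can lag behind a "success" status
STAPLE_SLEEP=15

# --- parsing of altool's plain-text output --------------------------------

# RequestUUID from either "--notarize-app" ("RequestUUID = ...") or
# "--notarization-info" ("RequestUUID: ...") output.
parse_request_uuid() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9A-Fa-f-]*\).*/\1/p' \
      | head -n 1
}

# Status field: "in progress", "success" or "invalid" (trailing blanks removed).
parse_status() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*\)$/\1/p' \
      | sed 's/[[:space:]]*$//' | head -n 1
}

# LogFileURL field; empty while the request is still in progress.
parse_log_url() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*LogFileURL:[[:space:]]*\(.*\)$/\1/p' \
      | sed 's/[[:space:]]*$//' | head -n 1
}

# --- generic retry: run the command in "$@" up to $1 times, $2 s apart -----
retry_until_success() {
    attempts="$1"; pause="$2"; shift 2
    n=0
    while [ "$n" -lt "$attempts" ]; do
        if "$@"; then return 0; fi
        n=$((n + 1))
        if [ "$n" -lt "$attempts" ]; then sleep "$pause"; fi
    done
    return 1
}

# --- notarization steps ----------------------------------------------------

# $1 = archive to upload, $2 = bundle identifier; prints the request UUID.
upload_for_notarization() {
    out=$(xcrun altool --notarize-app \
            --primary-bundle-id "$2" \
            --username "${NOTARY_USER:?set NOTARY_USER}" \
            --password "@env:NOTARY_PASSWORD" \
            --file "$1" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    uuid=$(parse_request_uuid "$out")
    [ -n "$uuid" ] || { printf 'no RequestUUID in output:\n%s\n' "$out" >&2; return 1; }
    printf '%s\n' "$uuid"
}

# Poll until the request is terminal. On "invalid", dump the log to stderr
# so the CI output shows why the package was rejected.
wait_for_notarization() {   # $1 = request UUID
    i=0
    while [ "$i" -lt "$MAX_POLLS" ]; do
        info=$(xcrun altool --notarization-info "$1" \
                 --username "$NOTARY_USER" --password "@env:NOTARY_PASSWORD" 2>&1) || true
        case "$(parse_status "$info")" in
            success) return 0 ;;
            invalid) url=$(parse_log_url "$info")
                     [ -n "$url" ] && curl -sS "$url" >&2
                     return 1 ;;
        esac
        i=$((i + 1))
        sleep "$POLL_SECONDS"
    done
    echo "timed out waiting for notarization of $1" >&2
    return 2
}

staple_app() { xcrun stapler staple "$1"; }   # needs no authentication

main() {   # $1 = path/to/App.app, $2 = bundle identifier
    app="$1"; zip="${app%.app}.zip"
    ditto -c -k --keepParent "$app" "$zip" || return 1
    uuid=$(upload_for_notarization "$zip" "$2") || return 1
    echo "notarization request $uuid submitted"
    wait_for_notarization "$uuid" || return 1
    retry_until_success "$STAPLE_ATTEMPTS" "$STAPLE_SLEEP" staple_app "$app" || return 1
    echo "stapled ticket onto $app"
}

# Constructed sample outputs shaped like altool's text output, for exercising
# the parsers offline; not real notarization records.
SAMPLE_UPLOAD_OUTPUT="No errors uploading '/tmp/Example.zip'.
RequestUUID = 2efe2717-52ef-43a5-96dc-0797e4ca1041"
SAMPLE_INFO_IN_PROGRESS="No errors getting notarization info.

   RequestUUID: 2efe2717-52ef-43a5-96dc-0797e4ca1041
        Status: in progress"
SAMPLE_INFO_INVALID="No errors getting notarization info.

    LogFileURL: https://example.invalid/notary-log.json
   RequestUUID: 2efe2717-52ef-43a5-96dc-0797e4ca1041
        Status: invalid
   Status Code: 2
Status Message: Package Invalid"

# Run the pipeline only when given an app path and bundle id, e.g.
#   NOTARY_USER=dev@example.invalid NOTARY_PASSWORD=... ./notarize.sh build/App.app com.example.app
if [ "$#" -ge 2 ]; then main "$@"; fi
```

The parsers are kept separate from the commands that call altool so they can be checked against captured output before the script is trusted in a pipeline; the stapling retry reuses the generic loop, which is also where you would put a retry around the upload if your CI network is flaky.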