I am trying to upload our existing app to Apple for notarization.
According to the document https://help.apple.com/xcode/mac/current/#/dev88332a81e I have to open the app in the Xcode archive organizer.
We have a dmg file generated from our Jenkins build server. How do I open the dmg file in Xcode to upload?
Also, is there some command line tool that I can use for the notarization?
You can do it from the command line.
First you will need to extract the .app from your .dmg and re-sign it, removing the com.apple.security.get-task-allow entitlement in the process (this is added automatically by the build to support debugging and normally gets removed by archiving - the notarization service won't accept a package with that entitlement, however, so you must remove it).
The .entitlements file you use can just be an empty one.
Note also the use of --options runtime, which specifies your app was built with the hardened runtime, and is also required.
codesign -f -s "Developer ID Application: Name (ID)" --entitlements my-entitlments.entitlements --options runtime MyApp.app
Now you need to repackage your .app back inside a .dmg, and re-sign that:
(I use the --options runtime flag here too, though not sure if it's necessary)
codesign -s "Developer ID Application: Name (ID)" MyApp.dmg --options runtime
Then use altool to submit your .dmg:
(Username and password must be someone on the macOS team in the developer portal)
xcrun altool --notarize-app -f MyApp.dmg --primary-bundle-id my-app.myapp -u username -p password
If it uploads successfully, you will get back a token:
RequestUUID = 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f
Then you can check the status with altool, using that token:
xcrun altool --notarization-info 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f -u username -p password
Eventually, it will either succeed or fail. Just keep checking. Check the "Status" field of the response, which should be "success". The response will also include a log file that you can use to troubleshoot errors.
Assuming it succeeds, you need to staple the notarization to the app:
xcrun stapler staple MyApp.dmg
And then verify with spctl:
spctl -a -v MyApp.app
MyApp.app: accepted
source=Notarized Developer ID
You can also apply the quarantine flag to your .app and try to launch it; you will see the new Gatekeeper dialog:
xattr -w com.apple.quarantine MyApp.app
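The "just keep checking" step above, scripted for a build server, as an added example that is not part of the original answer. It assumes the response prints the field as a line of the form `Status: <value>` with `in progress` while pending; `AC_USERNAME`, `AC_PASSWORD` and the `NOTARY_INFO_CMD` hook are hypothetical names, and altool's `@env:` password form is used so the password does not appear in the process arguments or the job log.

```bash
# Constructed sample of a --notarization-info response (layout is an assumption).
SAMPLE_INFO='   RequestUUID: 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f
   Status Code: 0
        Status: success'

# Extract the token from the upload response ("RequestUUID = <uuid>").
parse_request_uuid() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9A-Fa-f-]\{36\}\).*$/\1/p' |
    head -n 1
}

# Extract the "Status" field. Matching "Status:" exactly keeps other
# fields whose names merely begin with "Status" from being picked up.
parse_status() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
    head -n 1
}

# Query the service; the password is read from the environment by altool.
notary_info() {
  xcrun altool --notarization-info "$1" -u "$AC_USERNAME" -p "@env:AC_PASSWORD"
}

# Poll until the request leaves the pending state.
# Returns 0 on success, 1 on rejection, 2 if the query fails, 3 on timeout.
wait_for_notarization() {
  uuid=$1; tries=${2:-60}; delay=${3:-30}
  while [ "$tries" -gt 0 ]; do
    out=$(${NOTARY_INFO_CMD:-notary_info} "$uuid") || return 2
    status=$(parse_status "$out")
    case "$status" in
      success) return 0 ;;
      "in progress"|"") ;;                      # pending, or field not there yet
      *) printf '%s\n' "$out" >&2; return 1 ;;  # rejected: print response for the log
    esac
    tries=$((tries - 1))
    sleep "$delay"
  done
  return 3
}
```

Run `wait_for_notarization` with the RequestUUID before the stapler step and fail the build on any non-zero return.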
Source: https://stackoverflow.com/questions/53112078/how-to-upload-dmg-file-for-notarization-in-xcode