@EvanBalster
Created April 29, 2020 19:05
Mac OS X notarization script
#!/bin/sh -u
# -u: treat any unset variable (for example a missing argument) as an error

ASC_PROVIDER="$1"
ASC_USERNAME="$2"
ASC_PASSWORD="$3"
BUNDLE_ID="$4"
BUNDLE_PKG="$5"

# create temporary files
NOTARIZE_APP_LOG=$(mktemp -t notarize-app)
NOTARIZE_INFO_LOG=$(mktemp -t notarize-info)

# delete temporary files on exit
finish() {
    rm -f "$NOTARIZE_APP_LOG" "$NOTARIZE_INFO_LOG"
}
trap finish EXIT

# submit app for notarization
if xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" --asc-provider "$ASC_PROVIDER" --username "$ASC_USERNAME" --password "$ASC_PASSWORD" -f "$BUNDLE_PKG" > "$NOTARIZE_APP_LOG" 2>&1; then
    cat "$NOTARIZE_APP_LOG"
    RequestUUID=$(awk -F ' = ' '/RequestUUID/ {print $2}' "$NOTARIZE_APP_LOG")

    # check status periodically
    while sleep 60 && date; do
        # check notarization status
        if xcrun altool --notarization-info "$RequestUUID" --asc-provider "$ASC_PROVIDER" --username "$ASC_USERNAME" --password "$ASC_PASSWORD" > "$NOTARIZE_INFO_LOG" 2>&1; then
            cat "$NOTARIZE_INFO_LOG"

            # once notarization is complete, staple only if it succeeded
            if ! grep -q "Status: in progress" "$NOTARIZE_INFO_LOG"; then
                if grep -q "Status: success" "$NOTARIZE_INFO_LOG"; then
                    xcrun stapler staple "$BUNDLE_PKG"
                    exit
                fi
                # finished without approval: report failure, do not staple
                exit 1
            fi
        else
            cat "$NOTARIZE_INFO_LOG" 1>&2
            exit 1
        fi
    done
else
    cat "$NOTARIZE_APP_LOG" 1>&2
    exit 1
fi
@EvanBalster
Author

This script uploads an app for notarization by Apple, waits for notarization to complete, and if successful staples the notarization ticket to the DMG bundle.

Parameters:

  1. Apple Developer Team ID (10-digit alphanumeric key from "Membership section")
  2. Apple ID (the e-mail address used to sign into Apple Developer)
  3. App-specific password for altool † (set this up at https://appleid.apple.com/)
  4. Bundle identifier for the app
  5. Location of the app to notarize (must be a ZIP or DMG file)

† Putting cleartext passwords in your script is sketchy, so I suggest installing the password into your Mac's keychain, with an ID like my-altool-password. Then, supply @keychain:my-altool-password as the password in the script.
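Two guards a caller could put around the script, shown as an added example that is not part of the gist: one rejects a cleartext password argument and accepts only altool's `@keychain:` / `@env:` reference forms, the other reads the `Status:` line and fails closed on anything other than success or in progress. The function names are hypothetical and the sample output is constructed, with its layout assumed to match the `Status: in progress` line the script greps for.

```shell
# Accept only an indirect password reference, so the secret itself never
# appears in the script, the shell history or the process list.
password_is_reference() {
    case "$1" in
        @keychain:?*|@env:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of the "Status:" line from a --notarization-info log file.
# "Status Code:" and "Status Message:" lines do not match the pattern.
notarization_status() {
    awk -F ': *' '/^[ \t]*Status:/ {print $2; exit}' "$1"
}

# Map the status to an action: 0 = staple, 2 = keep polling, 1 = stop.
# A missing or unknown status is treated as a failure (fail closed).
notarization_action() {
    case "$(notarization_status "$1")" in
        success) return 0 ;;
        "in progress") return 2 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of --notarization-info output (layout is an assumption).
sample_info() {
    printf '%s\n' 'No errors getting notarization info.' '' \
        '   RequestUUID: 00000000-0000-0000-0000-000000000000' \
        "        Status: $1" '   Status Code: 0' 'Status Message: sample'
}

# Demo on constructed input: a rejected submission must not be stapled.
demo_log=$(mktemp "${TMPDIR:-/tmp}/notarize-demo.XXXXXX")
sample_info "invalid" > "$demo_log"
notarization_action "$demo_log" || echo "not stapling, action code $?"
password_is_reference "@keychain:my-altool-password" && echo "password ok"
rm -f "$demo_log"
```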
