We are using notarytool to notarize installers for distribution.
notarytool submit file-path
{ -k key-path -d key-id -i issuer | --apple-id
apple-id [--password app-specific-password]
--team-id team-id | -p profile-name [--keychain keychain-path] }
[--wait --no-s3-acceleration]
App Store Connect API Keys
Developer ID team administrators can create App Store Connect API
keys for the developers on their team by logging into
<https://appstoreconnect.apple.com/access/api> and selecting the
"Keys" tab. For security purposes, the private key can only be
downloaded once.
-k, --key key-path
App Store Connect API key. File system path to the
private key.
-d, --key-id key-id
App Store Connect API Key ID. For most teams this will be
a 10 character alphanumeric string.
-i, --issuer issuer
App Store Connect API Issuer ID. The issuer ID is a UUID
format string.
What is the recommended practice for the key-path, where should the API private key be stored in the file system?
There is this documentation
https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys
But none of it seems to make a recommendation for storing private keys in a way that would work with notarytool.
https://help.apple.com/developer-account/#/devcdfbb56a3
States the following, but does not make a recommendation
WARNING: Save this file in a secure place because the key is not saved in your developer account and you won’t be able to download it again. If the Download button is disabled, you previously downloaded the key.
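The following is an added example, not part of the question above and not Apple's own code. It shows the two things a practitioner usually wants for the key-path: keep the downloaded .p8 in a directory only the current user can read (mode 0700 on the directory, 0600 on the file) and refuse to invoke notarytool if that is not the case; and, where a file on disk is not wanted at all, load the key once into the keychain with `xcrun notarytool store-credentials` so that later runs use `-p profile-name` (the `-p` / `--keychain` form from the synopsis above) and the .p8 can be deleted. The directory `~/.appstoreconnect/private_keys`, the key ID `ABCDE12345` and the issuer UUID are placeholders chosen for the example; substitute your own values.

```shell
#!/bin/sh
# Added example: handle the App Store Connect API private key (.p8) for
# notarytool. Not from the original post or from Apple; paths and IDs below
# are placeholders.
set -u

# Assumed location: a per-user directory nobody else can enter.
KEY_DIR="${HOME}/.appstoreconnect/private_keys"
KEY_ID="ABCDE12345"                                # placeholder 10-char key ID
ISSUER_ID="00000000-0000-0000-0000-000000000000"   # placeholder issuer UUID
KEY_PATH="${KEY_DIR}/AuthKey_${KEY_ID}.p8"

# key_is_private PATH
# Succeeds only if PATH exists and has no group/other permission bits at all
# (e.g. 0600 for the key file, 0700 for its directory). Parsing `ls -ld`
# keeps this portable between macOS and Linux, whose stat(1) flags differ.
key_is_private() {
    p="$1"
    [ -e "$p" ] || return 1
    perms=$(ls -ld "$p" | cut -c5-10)   # characters 5-10 are the group+other bits
    [ "$perms" = "------" ]
}

# install_key SRC DEST
# Move a freshly downloaded AuthKey_*.p8 out of ~/Downloads into DEST, making
# the containing directory 0700 and the file 0600, then verify both.
install_key() {
    src="$1"; dest="$2"
    dir=$(dirname "$dest")
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    mv "$src" "$dest" || return 1
    chmod 600 "$dest" || return 1
    key_is_private "$dir" && key_is_private "$dest"
}

# submit_with_key INSTALLER
# Pass the key file to notarytool directly, but only after checking that no
# other local user could have read it. Requires Xcode command line tools.
submit_with_key() {
    installer="$1"
    if ! key_is_private "$KEY_PATH"; then
        echo "refusing to notarize: $KEY_PATH is readable by group/other" >&2
        return 1
    fi
    xcrun notarytool submit "$installer" \
        --key "$KEY_PATH" --key-id "$KEY_ID" --issuer "$ISSUER_ID" --wait
}

# store_profile PROFILE
# Load the key into the login keychain once under PROFILE, then remove the
# .p8 file so no plaintext copy remains on disk. Later submissions use
# `xcrun notarytool submit INSTALLER -p PROFILE --wait` and never touch a key
# file again. Note that rm does not scrub the blocks on APFS/SSD; if the
# download landed on a shared volume, treat that copy as exposed regardless.
store_profile() {
    profile="$1"
    key_is_private "$KEY_PATH" || return 1
    xcrun notarytool store-credentials "$profile" \
        --key "$KEY_PATH" --key-id "$KEY_ID" --issuer "$ISSUER_ID" || return 1
    rm -f "$KEY_PATH"
}

# Usage on the Mac that has Xcode:
#   sh notarize.sh install ~/Downloads/AuthKey_ABCDE12345.p8
#   sh notarize.sh store   ac-notary
#   sh notarize.sh submit  MyInstaller.pkg
case "${1:-}" in
    install) install_key "$2" "$KEY_PATH" ;;
    store)   store_profile "$2" ;;
    submit)  submit_with_key "$2" ;;
esac
```

The `install` step is what answers the question literally (a 0700 directory under the user's home, key file 0600); the `store` step is what most teams actually want, since after it the only copy of the key is keychain-protected and the build machine never needs a readable .p8. For CI, the `--keychain keychain-path` option in the synopsis lets you point `store-credentials` and `-p` at a dedicated keychain file instead of the login keychain.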