I regularly help developers with notarisation and trusted execution problems. The notary log is a critical tool for debugging such problems, and so I figured I should post instructions on how to fetch it.
If you have comments or questions about this, start a new thread and tag it with Notarization so that I see it.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Fetching the Notary Log
The notary log is a key tool for debugging notarisation and trusted execution issues. Review the log:
-
When notarisation fails, for information as to what’s wrong
-
When notarisation succeeds, to check for warnings
-
If you encounter a trusted execution problem, to confirm that all your code was included in the notarised ticket
The way to fetch the log depends on how you notarised your product.
Reveal the Notary Log in Xcode
If you notarised your app with Xcode, reveal the notary log as follows:
-
Go to the Xcode organiser.
-
Select the archive that you notarised.
-
Click Show Status Log.
-
Find the “Ready to distribute” or “Package Invalid” item and click the small arrow next to it.
-
That reveals the notary log, a file called
audit.log, in the Finder.
Fetch the Notary Log with notarytool
If you notarise your product from the command-line using notarytool, use the log subcommand to fetch the notary log:
% xcrun notarytool log CREDENTIALS REQUEST_UUID
where:
-
CREDENTIALSis your notary service credentials, the same credentials you used to submit your request -
REQUEST_UUIDis the UUID printed bynotarytoolwhen you submitted your request.
Fetch the Notary Log with altool
If you notarise your product from the command-line using altool, first run the --notarization-info subcommand to get the notary log URL:
% xcrun altool CREDENTIALS --notarization-info REQUEST_UUID
…
LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma…
…
where:
-
CREDENTIALSis your notary service credentials, the same credentials you used to submit your request -
REQUEST_UUIDis the UUID printed bynotarytoolwhen you submitted your request.
In the output the URL next to LogFileURL is the notary log URL. Use your HTTP client of choice to fetch that URL. For example:
% curl "https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma…"
The notary log URL has a limited lifetime, so fetch the log immediately after getting the URL. If the URL is too old, more than a day or so, use --notarization-info to fetch a new URL.
IMPORTANT altool has been deprecated for the purposes of notarisation. Switch to notarytool; it’s better, stronger, and faster. For the details, see WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps.
