Altool Depreciated Notary Tool Q/A?

I noticed that the Altool has been downgraded and is being replaced by the notary tool. I used to send pkg in for notarization like this

xcrun altool --notarize-app --primary-bundle-id "com.Product.pkg" -u "Email@com" -p "1111-2222-3333-4444" -t osx -f Product.pkg

Is it possible to see/get an example of the new notary tool terminal command to be used instead?

I assume also that stapling would be done in the same manor like this directly after notarization is complete and confirmed via email,

xcrun stapler staple Product.pkg

Thank you!!

Post not yet marked as solved Up vote post of DavidsonC Down vote post of DavidsonC
2.4k views
Posted by
DavidsonC
Reply

  • I have added a notary profile named "NotaryProfile" with app password to keychain is it this by chance?

    xcrun notarytool submit "com.Product.pkg" --keychain-profile "NotaryProfile" --wait 

    then wait until confirmation and staple?

    xcrun stapler staple Product.pkg

    DavidsonC
Add a Comment

Replies

There are like 5 videos explaining how it is easier to use notary tool than Altool, however no actual technical infos about terminal commands just some [Apple security engineer] saying how much easier the new way is, just need technical infos. Here is a suggestion […] pay a developer to make an All in one utility for codesiging notarizing and stapling in order to avoid the terminal..

Posted by
DavidsonC
Post marked as downvoted Up vote reply of DavidsonC Down vote reply of DavidsonC
Add a Comment

Customizing the notarization workflow: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow

Posted by
mikeyh
Up vote reply of mikeyh Down vote reply of mikeyh
Add a Comment

Is it possible to see/get an example of the new notary tool terminal command to be used instead?

Sure. Here’s the command I use:

% xcrun notarytool submit CREDENTIALS /path/to/file/to/submit

where CREDENTIALS is my credentials. You have two options for that:

  • App-specific password

  • App Store Connect API key

For internal reasons I have to use the latter. In that case CREDENTIALS looks like this:

--key /path/to/key.p8 --key-id KEY_ID -i ISSUER

where key.p8 is the App Store Connect API key, KEY_ID is the key ID, and ISSUER is the issuer UUID, both of which you get when you create that key.

If you want to continue using an app-specific password, follow the instructions in Customizing the notarization workflow.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment