Stapling ticket when using Notary API

I'm integrating the Notary API in our CI/CD pipelines. It all works well for notarization, but there is no mention of how to obtain the signing ticket nor how to staple it to the dmg. Do I need to use the following for that:

xcrun stapler staple

I was hoping that, by using the Notary API, I could avoid requiring xtools and a Developer ID on the machine.

This is a trickier question than it seems at first blush.

I can confirm that the Notary API doesn’t vend tickets. The question is whether it should. If you got a ticket back from the API, what would you do with it?

There are three targets supported by stapler:

  • App bundles

  • Disk images (.dmg)

  • Installer packages (.pkg)

Of these, only the first one is relevant. That’s because, for the last two:

  • The built-in tools don’t let you supply a ticket to staple when you create these containers.

  • Apple doesn’t document the .dmg and .pkg formats [1], so you can’t write your own replacement for stapler.

With regard to app bundles, we don’t officially document where the ticket goes there either, but it’s trivial to work out.

The question is, is the app bundle case a sufficient justification for the Notary API to support an endpoint to return tickets? I dunno, but I guess it wouldn’t hurt to ask. I recommend that you file an enhancement request explaining your rationale.

Please post your bug number, just for the record.

The workaround is, of course, to run the stapler command.

avoid requiring xtools

stapler is part of the developer tools. You can avoid the need to install all of Xcode by installing the Command Line Tools package.

If you don’t want to do even that, you can copy stapler from that package and add it to your C{I,D} machine. Such shenanigans are most definitely unsupported [2], but it’ll work in this case.

If you decide to do this, it’s especially important that you file that ER.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] That doesn’t stop folks from reverse engineering them, primarily to use on non-Apple C{I,D} systems. But it’s hard to use that as a justification for your ER.

[2] Except in the case of notarytool, where we explicitly support that.
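The workaround described in the answer above, as an added shell example that is not part of the original post: staple the ticket with stapler and then validate the result on a CI machine that has either the Command Line Tools or a copied stapler binary. The STAPLER override variable, the function names and the exit codes are assumptions for this example; the only real commands used are xcrun stapler staple and xcrun stapler validate. The target-type check mirrors the three containers the answer lists (app bundle, .dmg, .pkg).

```shell
#!/bin/sh
# Added example, not from the forum post. Assumes the target was already
# notarized (e.g. via the Notary REST API) and that the machine either has
# the Command Line Tools (so "xcrun stapler" works) or a copied stapler
# binary whose path is given in the hypothetical STAPLER variable.

# Return 0 if the path is one of the three target types stapler supports.
stapler_supports() {
    case "$1" in
        *.app|*.app/|*.dmg|*.pkg) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the stapler command to run: an explicit copied binary if STAPLER is
# set and executable, otherwise "xcrun stapler". Return 1 if neither exists.
find_stapler() {
    if [ -n "${STAPLER:-}" ] && [ -x "$STAPLER" ]; then
        printf '%s\n' "$STAPLER"
    elif command -v xcrun >/dev/null 2>&1; then
        printf 'xcrun stapler\n'
    else
        return 1
    fi
}

# Staple, then validate, and fail with a distinct code at each step so the
# pipeline never ships an unstapled or unverified image silently.
#   2: unsupported target type   3: no stapler available
#   4: staple failed             5: validate failed
staple_and_validate() {
    target="$1"
    stapler_supports "$target" || {
        echo "unsupported stapler target: $target" >&2; return 2; }
    cmd=$(find_stapler) || {
        echo "stapler not found; install the Command Line Tools or set STAPLER" >&2
        return 3; }
    $cmd staple "$target" || return 4
    $cmd validate "$target" || return 5
}

# Usage: ./staple.sh path/to/MyApp.dmg
if [ -n "${1:-}" ]; then
    staple_and_validate "$1"
fi
```

On a macOS build agent this is the whole post-notarization step; the validate call is what tells you the ticket actually landed in the container rather than just that stapler exited.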

Thank you for the detailed answer. The Command Line Tools package is not a blocker for me. I was afraid that this step would require some form of verification.
