app-password works with altool but is rejected by notarytool

Question

koparkuk OP

Created Oct ’23

Replies 2

Boosts 0

Participants 2

Hi there,

I'm in a process to move from altool to notarytool, following information found at TN3147.

First, TN3147 says the team-id is optional if my account has only one team membership, which is the case, but the notarytool says it's mandatory and I do have to use it (not an issue).

Now, the issue I face:

$ security unlock-keychain -p prorogue-stake-unused /Users/comp/Library/Keychains/my.keychain $ xcrun altool --username $APPLEID --password "@keychain:MYPASSWORD" --notarization-history 0 .. it displays the notarization history as expected ..

but: $ xcrun notarytool history --apple-id $APPLEID --team-id $TEAMID --password "@keychain:MYPASSWORD" Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.

The password is supposed work with both tools, according to TN3147. What am I missing?

Besr regards,

Answered by koparkuk in 769247022

Thanks, both suggesions do work now here!

Boost

Answer 1

DTS Engineer OP

Apple

Oct ’23

notarytool doesn’t use the @keychain syntax. You can either:

Pass the app-specific password directly to the --password argument.
Use the store-credentials subcommand to set up a profile and then, in your other commands, supply that profile name using the -p argument.

When I wrote TN3147 I assumed that you’d be passing in the literal app-specific password. That was clearly a mistake. I’ve made a note for me to go back and fix this (r. 117125235).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1

Answer 2

koparkuk OP

Oct ’23

Accepted Answer

Thanks, both suggesions do work now here!

0