Notarize with Enterprise API Key

Hello!

I've been facing an issue with notarizing a macOS app with an Enterprise API Key.

Due to some misunderstanding when setting up the project some years ago, the notarization step was using a developer account's API Key. I am looking to fix it to have everything centralized in the Enterprise account we work with, but I get "Debug [JWT] Generating new JWT for key ID" with the new key. This is using xcrun notarytool directly to get more input.

Using Fastlane it fails with: Error polling for notarization info: [11:29:25]: unexpected token at ''

The project is deployed via MDM, so we need it to prevent the security warning.

I used this documentation to create the key: https://developer.apple.com/documentation/enterpriseprogramapi/creating-api-keys-for-enterprise-program-api

I have tried a Developer and an Admin access key, and the Account Holder has also created an Admin key, but the errors stay the same.

I just updated my Fastlane script to use the new key with the updated values. The old developer account key still works.

I am not sure if I am missing any steps in the documentation or if this is not achievable.

Important to add that all the profiles and certificates were already set up properly in the Enterprise account, the only error was using an App Store Connect Key instead of an Enterprise Key.

Thanks in advance for the help.

Answered by Security Engineer in 822517022

I followed this other documentation: https://developer.apple.com/documentation/enterpriseprogramapi/generating-tokens-for-api-requests and generated a JWT token manually.

With it, I could curl -v -H 'Authorization: Bearer ' "https://api.enterprise.developer.apple.com/v1/certificates" with success, but for https://appstoreconnect.apple.com/notary/v2/submissions? it fails with 401.

Failed for both keys, Developer and Admin access.

I also tried changing "aud": from apple-developer-enterprise-v1 to appstoreconnect-v1, just for the sake of trying.
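
The manual JWT step described in the post above, as an added example in Ruby (the language Fastlane is written in); this is not code from the original post, from Apple, or from Fastlane. It builds and verifies an ES256 token in the shape Apple documents (header alg/kid/typ, claims iss/iat/exp/aud) and adds a pre-flight check of the decoded claims against the host you are about to curl. Assumptions: the host-to-audience table pairs the two "aud" values mentioned in the thread with their API hosts; the 20-minute lifetime cap is taken from the App Store Connect API documentation and applied to both services; the key, Key ID and Issuer ID are constructed stand-ins for the real AuthKey .p8 file and its identifiers. Keep the thread's caveat in mind: a token that passes every check here still gets a 401 from the Notary API if the key behind it is an Enterprise Program API key, because Apple honours that key only for the Enterprise Program API.

```ruby
require 'openssl'
require 'json'

# Audience ("aud") each Apple API host expects. The Enterprise Program value is the one quoted
# in the thread; the App Store Connect value is from Apple's App Store Connect API docs.
# The Notary API is served from appstoreconnect.apple.com and takes App Store Connect credentials.
AUDIENCES = {
  'api.enterprise.developer.apple.com' => 'apple-developer-enterprise-v1',
  'api.appstoreconnect.apple.com'      => 'appstoreconnect-v1',
  'appstoreconnect.apple.com'          => 'appstoreconnect-v1'
}.freeze

# App Store Connect API docs cap token lifetime at 20 minutes; assumed to apply to both services here.
MAX_TTL = 20 * 60

# JWS uses unpadded base64url, not the padded standard alphabet that pack('m0') produces.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Build the JWT Apple documents: header {alg, kid, typ}, claims {iss, iat, exp, aud}, signed ES256.
# key is the P-256 private key from the AuthKey_<KEYID>.p8 file.
def apple_jwt(key, key_id:, issuer_id:, audience:, now: Time.now.to_i, ttl: 600)
  raise ArgumentError, "ttl #{ttl}s exceeds the #{MAX_TTL}s maximum" if ttl > MAX_TTL

  header = { alg: 'ES256', kid: key_id, typ: 'JWT' }
  claims = { iss: issuer_id, iat: now, exp: now + ttl, aud: audience }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"

  # OpenSSL emits a DER SEQUENCE { r, s }; JWS ES256 requires the raw 64-byte r || s instead.
  # Pasting the DER form straight into the token is a classic hand-rolled-JWT 401.
  der = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  r, s = OpenSSL::ASN1.decode(der).value.map { |int| int.value.to_s(2).rjust(32, "\x00") }
  "#{signing_input}.#{b64url(r + s)}"
end

# Verify an ES256 token against the key's public half; returns [header, claims] or raises.
def verify_jwt(token, key)
  h, c, sig = token.split('.')
  raise 'malformed token: expected header.claims.signature' unless sig

  raw = b64url_decode(sig)
  raise "ES256 signature must be 64 bytes, got #{raw.bytesize}" unless raw.bytesize == 64

  # Re-wrap raw r || s as the DER SEQUENCE OpenSSL's verifier wants.
  der = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Integer(OpenSSL::BN.new(raw[0, 32], 2)),
    OpenSSL::ASN1::Integer(OpenSSL::BN.new(raw[32, 32], 2))
  ]).to_der
  raise 'signature does not verify' unless key.verify(OpenSSL::Digest.new('SHA256'), der, "#{h}.#{c}")

  [JSON.parse(b64url_decode(h)), JSON.parse(b64url_decode(c))]
end

# Pre-flight before a manual curl: is the token shaped for the host you are about to call?
# Catches the wrong "aud", a missing kid, expiry and an over-long lifetime. It cannot catch the
# failure in this thread, a key that Apple only honours for the Enterprise Program API.
def token_problems(token, host, now: Time.now.to_i)
  header, claims = token.split('.').first(2).map { |part| JSON.parse(b64url_decode(part)) }
  problems = []
  problems << "alg is #{header['alg'].inspect}, Apple requires ES256" unless header['alg'] == 'ES256'
  problems << 'header has no kid (Key ID)' if header['kid'].to_s.empty?
  expected = AUDIENCES[host]
  if expected && claims['aud'] != expected
    problems << "aud is #{claims['aud'].inspect} but #{host} expects #{expected.inspect}"
  end
  problems << 'token has expired' if claims['exp'] && claims['exp'] <= now
  if claims['iat'] && claims['exp'] && claims['exp'] - claims['iat'] > MAX_TTL
    problems << 'lifetime exceeds 20 minutes'
  end
  problems
end

# Constructed stand-ins: a throwaway P-256 key instead of the Apple-issued .p8
# (load a real one with OpenSSL::PKey::EC.new(File.read('AuthKey_ABC123DEFG.p8'))),
# and placeholder Key ID / Issuer ID values.
DEMO_KEY    = OpenSSL::PKey::EC.generate('prime256v1')
DEMO_KEY_ID = 'ABC123DEFG'
DEMO_ISSUER = '00000000-0000-0000-0000-000000000000'

if __FILE__ == $PROGRAM_NAME
  token = apple_jwt(DEMO_KEY, key_id: DEMO_KEY_ID, issuer_id: DEMO_ISSUER,
                    audience: 'apple-developer-enterprise-v1')
  puts "curl -v -H 'Authorization: Bearer #{token}' https://api.enterprise.developer.apple.com/v1/certificates"
  p token_problems(token, 'api.enterprise.developer.apple.com') # []
  p token_problems(token, 'appstoreconnect.apple.com')          # aud mismatch reported
end
```

Changing "aud" alone, as tried in the post above, yields a token this check accepts for appstoreconnect.apple.com, but the signature is still made with a key Apple ties to the Enterprise Program API, so the 401 persists. What the check does catch are the two self-inflicted 401s of hand-rolled tokens: the wrong audience for the host, and a DER-encoded signature where JWS expects raw r || s (the openssl dgst -sign command line emits DER, which is why manual openssl pipelines often fail at exactly this point).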

Hi there, I'm sorry to hear that the API keys aren't working as expected.

The notarytool log line of Debug [JWT] Generating new JWT for key ID doesn't itself indicate failure, but it does look like you've tried a few of the same debugging steps I would have recommended, such as manual curl commands.

Could you file a bug report so we can investigate these specific cases further? You can select the 'Developer Tools & Resources' topic and mention the Apple Notary service or notarytool. Please post the bug report number here, and I can take a look at the details on our end.

Please include a full set of recent stderr logs from notarytool with the --verbose flag. For cURL requests, please include the full command with any authorization or tokens redacted, as well as the returned "Request ID" or "x-apple-jingle-correlation-key" header value so we can investigate your specific failed request.

Hello!!

I am copying the answer and posting here in case comments don't get the same visibility.

I believe this is the bug number: FB15939005. One thing I forgot to add in the post but I added to the bug is, the Enterprise Key is much smaller than the Developer key, something like half the characters between ---begin key--- and ---end key---.

Please let me know if I can be of more support or if I missed something.

Thanks again for the help.

Hello!

Any chance I missed providing any info?

Accepted Answer

Hello @Xandi, thanks for following up! You did provide enough information in the bug report, and more detail will be provided there.

Ultimately it looks like the Enterprise Program API Key is only valid for the Enterprise Program API, and will not work with other services such as the App Store Connect API. The 'unexpected token at ' failure you've reported appears to be unrelated, but is something we're investigating.

To unblock you from submitting to Apple Notary, could you try generating an app-specific password following these instructions, use it with notarytool, and let us know how it goes? Please also see the 'App-specific Passwords' section in the notarytool manpage (run man notarytool in the terminal) for more information.

Hello again,

just to confirm I understood it correctly. I got this answer on the Feedback Assistant:

It looks like the Enterprise Program API Key is only valid for the Enterprise Program API, and will not work with other services such as the App Store Connect API. In that sense, the HTTP 401 Unauthorized response is expected. “Enterprise Program API keys are unique to the Enterprise Program API and you can’t use them for other Apple services.” https://developer.apple.com/documentation/enterpriseprogramapi/creating-api-keys-for-enterprise-program-api

The 'unexpected token at ' failure the user has reported appears to be unrelated, but we suspect that it’s related to the way notarytool is parsing the Enterprise Program API Private Key. We are looking into this, and will release a fix in the future that returns a more useful error message if it happens to be the case.

The current recommendation is to try generating an app-specific password following these instructions: https://support.apple.com/en-us/102654. Please let us know if this works for you! Here is the relevant snippet from the notarytool manpage:

(redacted instructions on how to create it)

If the issue is resolved, you can close this feedback by selecting “Close Feedback” via the Actions button found above. Thank you.

As of now, the way to go with Enterprise accounts is App-specific Passwords. It is not only the best option, but also the only option?

Trying to understand it perfectly so I can update the team and the guidelines on how we should be working.

tl;dr; -> It seems there will be improvements on the error messages, but not the ability to Notarize with Enterprise API Keys, correct?

Thanks again and again.

@Xandi Hey there. Yes, everything you've said sounds correct!
