
Notarizing Automator applications

Apple recently updated their notarization documentation to include this note:

Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.


The part about “notarization will be required by default for all software” made me think, because there are a few apps that I’ve written over the years that are still useful (at least to me). All of them were built using Automator, which meant that the usual Xcode-based ways of notarizing applications weren’t going to work for me.

With assistance from folks in the MacAdmins Slack though, I was able to develop a process that allowed me to do the following:

  1. Codesign an Automator application
  2. Upload the application to Apple for notarization
  3. Attach the notarization to the application
  4. Verify that the notarization was attached and valid.

The documentation linked below was also very helpful in figuring out how to notarize using command line tools:

For more details, please see below the jump.

Pre-requisites

For notarization, you need the following things:

  1. Xcode 10 or later installed on your Mac (it supplies the altool and stapler tools used below).
  2. An Apple Developer Connection (ADC) account, which in practice means a paid Apple Developer Program membership, since that is what issues the Developer ID Application certificate used to sign the app.
  3. An app-specific password for your ADC account’s Apple ID, generated at appleid.apple.com. altool does not accept the Apple ID’s regular password or a two-factor verification code, so this is what every altool command below uses.

As an example to use for the process, I’m using an existing Automator application that I wrote a while back, Payload-Free Package Creator:

Notarization requires that the application in question be code signed with a Developer ID Application certificate, and I had not yet done so for this application, so I needed to code sign it first.

To do this, first clear the application of extended attributes by running a command like the one below. Bundles that have been copied around by Finder often carry com.apple.FinderInfo or resource-fork attributes, and codesign refuses to sign a bundle containing them (the error mentions “resource fork, Finder information, or similar detritus not allowed”):

sudo xattr -rc "/path/to/Application Name Here.app"

In my case, the command looked like this:

sudo xattr -rc "/Users/username/Desktop/Payload-Free Package Creator.app"

Once the application is ready for signing, run a command like the one below to code sign the application. --options runtime enables the hardened runtime, which notarization requires, and --deep also signs the nested code inside the bundle. One caveat: if the Automator workflow sends Apple events to other applications (a Run AppleScript action, for example), the hardened runtime will block those events unless the app is signed with the com.apple.security.automation.apple-events entitlement, which is supplied through codesign’s --entitlements option:

codesign --force --options runtime --deep --sign "Developer ID Application: Name Here (YG45FDT45F)" "/path/to/Application Name Here.app"

In my case, the command looked like this:

codesign --force --options runtime --deep --sign "Developer ID Application: Rich Trouton (XF95CST45F)" "/Users/username/Desktop/Payload-Free Package Creator.app"

Once signed, display the signature details using a command like the one below. The output should list your Developer ID identity under Authority, your TeamIdentifier, and a flags value that includes runtime, which confirms the hardened runtime was enabled. Note that -d only displays the signature; it does not check that the signature is valid.

codesign -dv --verbose=4 "/path/to/Application Name Here.app"

In my case, the command looked like this:

codesign -dv --verbose=4 "/Users/username/Desktop/Payload-Free Package Creator.app"

Once finished, the output of the code signing looked like this:

The next thing needed is to get the app ready for upload to Apple for notarization. For this, you’ll need to do two things:

  1. Have your app-specific password for your ADC account ready.
  2. Compress your application inside of a .zip file, with the .app bundle at the top level of the archive (Finder’s Compress command does this).


Once your application has been compressed, run a command similar to the one below to upload it to Apple for notarization. Note that a password given on the command line ends up in your shell history and is visible in the process list while altool runs; altool can instead read it from the login keychain or from an environment variable using its @keychain: and @env: password prefixes:

xcrun altool --notarize-app --primary-bundle-id "com.example.application.name" --username "adc_appleid_here" --password "adc_appleid_app_specific_password_here" --file "/path/to/Application Name Here.zip"

In my case, the command looked like this:

xcrun altool --notarize-app --primary-bundle-id "com.apple.automator.Payload-FreePackageCreator" --username "adc_appleid_here" --password "app-specific-password-goes-here" --file "/Users/username/Desktop/Payload-Free Package Creator.zip"

Once finished, the output of the notarization upload looked like this:

The upload returns a RequestUUID. Notarization itself happens asynchronously on Apple’s side and usually completes within a few minutes, so to check whether it succeeded, query that UUID with a command similar to the one below and repeat it until Status reads success (or invalid, in which case the log explains why):

xcrun altool --notarization-info uuid-goes-here --username "adc_appleid_here" --password "app-specific-password-goes-here"

In my case, the command looked like this:

xcrun altool --notarization-info be136ed3-3888-44e1-87ed-0e5c8c13cdb5 --username "adc_appleid_here" --password "app-specific-password-goes-here"

Once finished, the output of the notarization validation looked like this:

As part of the validation, a link to a log file is included. The log lists every issue the notarization service found (for example an unsigned nested binary or a missing hardened runtime) and is the first place to look when the status is anything other than success. In my case, the log looks like this:

Once the notarization has been generated for the app, the next step is to attach, or staple, the notarization ticket to the app, so that Gatekeeper can verify it even when the Mac is offline. To do this, run a command similar to the one below on your codesigned .app (the ticket is stapled to the app bundle itself, not to the .zip that was uploaded):

xcrun stapler staple "/path/to/Application Name Here.app"

In my case, the command looked like this:

xcrun stapler staple "/Users/username/Desktop/Payload-Free Package Creator.app"

Once finished, the output of the stapling process looked like this:

The final step is to validate that the stapling was successful. To do this, run a command similar to the one below:

stapler validate -v "/path/to/Application Name Here.app"

In my case, the command looked like this:

stapler validate -v "/Users/username/Desktop/Payload-Free Package Creator.app"

Once finished, the output of the stapling validation looked like this:
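The whole procedure above, as an added shell example that is not from the original post: it chains the same commands into one function, parses altool’s text output for the RequestUUID and Status instead of copying them by hand, polls until Apple reports a final status, staples the ticket, and finishes with a Gatekeeper assessment. The sample altool outputs embedded in it are constructed to match the format altool printed at the time (only the RequestUUID is taken from this post, and the log URL is a placeholder); the function names, the polling interval and the spctl check are my choices, not the author’s. Note that altool’s notarization subcommands were later replaced by notarytool (Xcode 13 and newer), so on a current Mac the upload and status steps would use that tool instead.

```shell
#!/bin/sh
# Added example: sign, notarize, staple and verify an Automator app with the
# altool-era workflow. The real workflow needs macOS with Xcode 10+ and a
# Developer ID Application certificate in the login keychain.
set -eu

# --- parsers for altool's text output --------------------------------------
# altool prints "RequestUUID = <uuid>" after an upload and "RequestUUID: <uuid>"
# in --notarization-info output; both forms are matched.
altool_request_uuid() {
    printf '%s\n' "$1" | sed -n \
        's|^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9a-fA-F-]\{36\}\).*$|\1|p' \
        | head -n 1
}

# "Status:" is distinct from "Status Code:" and "Status Message:" (those have
# no colon directly after the word), so only the overall status line matches.
altool_status() {
    printf '%s\n' "$1" | sed -n \
        's|^[[:space:]]*Status:[[:space:]]*\([A-Za-z][A-Za-z ]*[A-Za-z]\).*$|\1|p' \
        | head -n 1
}

altool_log_url() {
    printf '%s\n' "$1" | sed -n \
        's|^[[:space:]]*LogFileURL:[[:space:]]*\(https\{0,1\}://[^[:space:]]*\).*$|\1|p' \
        | head -n 1
}

# Constructed sample outputs in the format altool used in 2019 (not captured
# from a real run); the RequestUUID is the one from the post, the URL is fake.
SAMPLE_UPLOAD_OUTPUT="No errors uploading '/Users/username/Desktop/Payload-Free Package Creator.zip'.
RequestUUID = be136ed3-3888-44e1-87ed-0e5c8c13cdb5"

SAMPLE_INFO_OUTPUT="No errors getting notarization info.

    LogFileURL: https://example.invalid/notarization/be136ed3.json
   RequestUUID: be136ed3-3888-44e1-87ed-0e5c8c13cdb5
        Status: success
   Status Code: 0
Status Message: Package Approved"

# --- the full workflow from the post, end to end ---------------------------
# Usage: notarize_automator_app <app> <bundle-id> <signing-identity> <apple-id> <password>
# Pass the password as "@keychain:ITEM" or "@env:VAR" so it never appears in
# shell history or `ps` output; altool resolves those prefixes itself.
notarize_automator_app() {
    app="$1"; bundle_id="$2"; identity="$3"; apple_id="$4"; password="$5"
    zip="${app%.app}.zip"

    xattr -rc "$app"                                      # strip Finder info etc. that codesign rejects
    codesign --force --options runtime --deep --sign "$identity" "$app"
    codesign --verify --deep --strict --verbose=2 "$app"  # -dv only displays; this actually checks

    # ditto keeps the bundle structure and resource forks intact, unlike plain zip
    rm -f "$zip"
    ditto -c -k --keepParent "$app" "$zip"

    upload_out=$(xcrun altool --notarize-app --primary-bundle-id "$bundle_id" \
        --username "$apple_id" --password "$password" --file "$zip" 2>&1) || {
        printf '%s\n' "$upload_out" >&2; return 1; }
    uuid=$(altool_request_uuid "$upload_out")
    [ -n "$uuid" ] || { printf 'no RequestUUID in altool output:\n%s\n' "$upload_out" >&2; return 1; }
    echo "submitted, RequestUUID=$uuid"

    # Notarization is asynchronous: poll until Apple reports a final status.
    while :; do
        info=$(xcrun altool --notarization-info "$uuid" \
            --username "$apple_id" --password "$password" 2>&1) || true
        status=$(altool_status "$info")
        case "$status" in
            success)          break ;;
            "in progress"|"") sleep 30 ;;
            *)  echo "notarization failed ($status); log: $(altool_log_url "$info")" >&2
                printf '%s\n' "$info" >&2; return 1 ;;
        esac
    done

    # Staple the ticket so Gatekeeper can verify offline, then check both the
    # staple and the Gatekeeper verdict itself.
    xcrun stapler staple "$app"
    xcrun stapler validate -v "$app"
    spctl --assess --type execute --verbose=4 "$app"
}

# Only run the real workflow when invoked with all five arguments.
if [ "$#" -eq 5 ]; then
    notarize_automator_app "$@"
fi
```

To use it, first store the app-specific password in the login keychain once with `xcrun altool --store-password-in-keychain-item AC_PASSWORD -u adc_appleid_here -p app-specific-password`, then run the script as `sh notarize.sh "/path/to/App.app" com.example.app "Developer ID Application: Name (TEAMID)" adc_appleid_here "@keychain:AC_PASSWORD"`. The final spctl line is the check that matters to end users: it reports whether Gatekeeper would allow the app to launch and names the notarization ticket as the source of the verdict.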

Following notarization, Apple should send you a notification similar to the one shown below that your app has been notarized.


  1. April 13, 2019 at 5:36 pm

    Great Instructions Rich!

    When I try to notarize an AppleScript app the code signing and the notarization succeed as you say but when I get to the stapling step the response I get to:

    xcrun stapler staple "/Volumes/HardDrive/MyApp.app"

    is:

    CloudKit query for MyApp.app (2/936578f9cf6dff6314bdebeba427cac9dab3f7e8) failed due to “record not found”.
    Could not find base64 encoded ticket in response for 2/936578f9cf6dff6314bdebeba427cac9dab3f7e8
    The staple and validate action failed! Error 65.

    • April 19, 2019 at 5:37 am

      You might check out this thread: . It involves an extra step of creating an entitlements file. In the example case, it’s just entitlements to send Apple events and load external frameworks.

      • davidnottage
        May 21, 2019 at 8:14 pm

        “You might check out this thread” I guess the link disappeared? What extra step is it?

      • sstanleyau
        May 21, 2019 at 11:12 pm

        It looks like the link has been eaten — it’s a thread on Apple’s Developer Forums. Things have moved on a bit, and now the easiest way is to use SD Notary from the makers of Script Debugger. (Disclaimer: I’m one of the authors.)

  2. April 18, 2019 at 4:11 pm

    Instead of creating a .zip, I created a .dmg and then signed it (without hardening)
    I used the signed .dmg to upload for notarization and was then able to staple the successful notarization to the .dmg.
    So maybe that is the way to deal with AppleScript apps.

  3. cashxx
    April 22, 2019 at 8:12 pm

    macOS is slowly becoming iOS! Sad days ahead!

  4. Ni Liu
    May 31, 2019 at 2:51 am

    Hello, I want to ask, what is the difference between ADC and normal Developer ID? Thanks
