Monday, June 17, 2019 [Tweets] [Favorites]

Notarizing Command-Line Tools for macOS 10.15

Howard Oakley:

I was taken aback, then, when I heard from WWDC that Catalina was going to apply essentially the same security rules to command tools as it does to apps.


The processes that I then had to go through to sign, harden, package and notarize each of my four command tools were a revelation. They’re detailed step by step in this article and in this PDF.

They demonstrate how badly this common task in development has been cobbled together without any design: it’s not a workflow but an obstacle course. To turn 260 lines of code into an installable and duly notarized 33 KB package took a total of 5 apps (including Xcode itself), 4 command tools which I had to invoke in 6 different commands, 2 different developer certificates (one for the tool, one for the package) and an app-specific password to be able to run altool to submit the tool for notarization.

It’s almost like they don’t want you to distribute Mac software.


Update (2019-06-18): Rosyna Keller:

All that needs to be done is to put all command line tools into one zip archive and notarize that, per the documentation:

No need to create an Info.plist, package, or 4 Request UUIDs.

Rosyna Keller:

Normally, you’d unzip and staple (if you desire) the top level items in the zip, however many there are. Sadly, due to a current limitation, stand-alone Mach-Os can’t be stapled, so that step can be skipped.

If you zipped up a bunch of things that weren’t standalone Mach-Os, then you’d do the staple.


When stand-alone binaries can be stapled, this will be much less confusing.

Howard Oakley:

Now I’m completely lost!

I have four separately-distributed command tools, each of which comes in its own Installer package.

Are you suggesting that I should Zip all 4 installers together and submit as a single notarization, then unZip them for individual distribution?

Leo Natan:

There are more limitations. In my .app bundle, a developer tool, I had an iOS framework bundle for easier access to developers (similar to how Reveal distributes their mobile framework). Apparently, the notarization service is unable to handle such cases.

Update (2019-06-19): Gus Mueller:

Not a very nice way for notarization to randomly fail :/


I FIGURED IT OUT!! (Well somebody on the forums did but I confirmed it).

I was apart of two other teams that didn’t have an accepted agreement. Of course, I wasn’t using those teams, but apparently it mattered!

Once I left those teams (because they were old and at least one I know the owner lost control due to a silly Apple issue with 2FA), I could notarize with ease.

Update (2019-06-21): Howard Oakley:

Although I’m a fan of Apple’s Notary Service, and have only had good experiences with it over that year, and I’m a strong supporter of notarization for improved security, I hate being given no notice, and hate trying to perform critical tasks without any useful documentation. Thankfully, in response to those articles, Rosyna Keller @rosyna has been kind enough to provide more specific advice. Here I’m going to pass that on, as far as I understand it.

Update (2019-07-11): Tom Bridge:

The Notarization of binaries with Apple Notary Service is a fascinating topic worth exploring, and in this year’s talk at Mac Admins, I delved deep into the subject.


"It’s almost like they don’t want you to distribute Mac software."

Seems that way, doesn't it??? I still have no resolution!

@Matt Sorry to hear that. And there are issues distributing through the Mac App Store, as well. I’ve been stuck for months on an issue where the hardened runtime works differently in the App Review environment than where I can test myself, so I keep getting rejected for a problem that doesn’t manifest for myself or my customers. DTS is helping, but we haven’t figured it out yet.

[…] Notarising command‐line tools: I’m no developer, but when I read this piece by Howard Oakley, I almost felt pangs in my stomach. Again, check the associated commentary on the always‐excellent Michael Tsai’s blog. […]

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment