Monday, June 21, 2021

altool Update and notarytool

Rosyna Keller:

So here’s a thread of some new stuff in Xcode 12.5’s altool 4.047.1207[…]

[…]

For any altool invocation that accepts -p @keychain, you can now use --keychain <path to keychain.keychain-db> to specify the keychain db to store to or retrieve from.

[…]

If you’re cursed with DSL or another type of connection that doesn’t let you do ANYTHING if you saturate an upload connection, there’s a new --throttle <Kbps> option that lets you set a max Kbps value, as an integer.

I can’t remember if this is very new, but there’s a new --show-progress option that shows progress during altool operations and doesn’t require you to use --verbose.

Apple:

Notarization works in tandem with macOS to help people safely download software for their Mac outside of the App Store. Discover how notarytool can help you quickly and easily notarize your Mac app for distribution. We’ll show you how you can now notarize your apps with just a single command, and how to bring notarization into your continuous integration workflows.

Rosyna Keller:

altool is effectively deprecated for notarization (but not for the App Store!). The new normal is notarytool and the docs have been updated to discuss notarytool.

notarytool includes such neat features as a wait/--wait [sub]command that replaces manual polling in altool. When enabled, notarytool only returns on error, or if the submission has been fully processed and it reaches a final state (Accepted, Invalid, et cetera).

[…]

Unlike altool, notarytool has zero external dependencies other than a base macOS install. You can even grab the Xcode 13 Command Line Tools installer, extract notarytool, and run it on any Mac running macOS 10.15.7 or later, without installing full Xcode.

The fact notarytool, like stapler, is a standalone binary means you can put it on a server without having to install Xcode to use it.

[…]

The notice of altool deprecation and the altool-specific docs are now on their own page.

Rosyna Keller:

It supports webhooks too (--webhook <callback url>) but the process for that hasn’t been fully documented yet. There’s just a small aside in the new notarization documentation that it’s a valid option. So if you don’t want to use wait, you can be asynchronously notified.

I’m still seeing lots of cases where altool gets stuck, and the upload never finishes. It eventually logs an error and exits, but the process reports success, which confuses my build script. Then I can’t try it again without doing a new build because it thinks an upload is already in progress. Hopefully notarytool will work better.
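As an added example (not from this post or from any of the people quoted), here is one way a build script can gate on notarytool's reported final state as well as its exit code, so a run that exits cleanly without an Accepted submission still fails the build. The profile name and sample JSON are constructed, and the shape of the `--output-format json` output (one object with a `status` string) is an assumption.

```shell
# Added example; the sample JSON below is constructed.
# Assumption: --output-format json prints one object with a "status" string.

# Pull one string field out of the tool's JSON output.
json_field() {  # $1 = JSON text, $2 = key
  printf '%s' "$1" | tr -d '\n' |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Verdict from BOTH the exit code and the reported final state.
# Prints a verdict; returns 0 only for exit code 0 plus status Accepted.
notary_verdict() {  # $1 = notarytool exit code, $2 = its JSON output
  local status
  status=$(json_field "$2" status)
  if [ "$1" -ne 0 ]; then echo "tool-error"; return 2; fi
  case "$status" in
    Accepted) echo "accepted"; return 0 ;;
    "")       echo "no-status"; return 3 ;;
    *)        echo "rejected:$status"; return 1 ;;
  esac
}

# Submit, block until a final state, then gate on the verdict.
notarize() {  # $1 = artifact path, $2 = keychain profile name
  local out rc
  out=$(xcrun notarytool submit "$1" --keychain-profile "$2" \
          --wait --output-format json)
  rc=$?
  notary_verdict "$rc" "$out"
}

# Constructed case: exit code 0, but the final state is Invalid.
SAMPLE_INVALID='{"id":"00000000-0000-0000-0000-000000000000","status":"Invalid","message":"Processing complete"}'
notary_verdict 0 "$SAMPLE_INVALID" || echo "build must stop here"
```

In a CI job, call `notarize path/to/App.zip ci-notary || exit 1` (both arguments are placeholders) before stapling or publishing.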

Update (2021-07-02): Howard Oakley:

She also said that the Notary service has been streamlined, and now has a dedicated backend which should be both more reliable and faster. Performance targets are for notarization to be completed within 15 minutes for 98% of submissions, and most to be finished in less than 5 minutes.

The main issue I have is that uploading fails so frequently that it often takes me multiple tries and over an hour to submit a build. Only then does the 5–15 minutes start counting.

Update (2021-07-06): Armin Briegel:

When Apple introduced notarization with Catalina, I published a post describing how to notarize a command line tool. At WWDC this year, Apple introduced updates to this process with Xcode 13 (currently in beta). Most importantly, there is a new command line tool called notarytool.

I have been seeing better reliability with altool since switching the transport from DAV to HTTPS.

Update (2021-07-26): Sasmito Adibowo:

Now it’s time to look at all those developer tools Apple delivered and see how it can improve our work as software engineers.
