Notarising two builds of the same app

Code Signing Notarization
perdrix52
perdrix52 OP
Created Apr ’25
Replies 3
Boosts 0
Views 61
Participants 2

I have built my application for arm and x64 so I have two files called DeepSkyStacker.app in different directories.

I have followed the instructions to notarise the arm version of the app, but an concerned about what I should do to notarise the other one - do I just zip that up and then run:

xcrun notarytool submit "DeepSkyStacker.zip" --keychain-profile "Notary Profile for DeepSkyStacker" --wait
xcrun stapler staple DeepSkyStacker.app

again or will that mess everything up?

Related to that can I use the Notary Profile I created for DeepSkyStacker to notarise other apps that are part of the same product (DeepSkyStackerLive and DeepSkyStackerCL)??

Thanks David

Answered by DTS Engineer in 837154022

The answer here depends on how you distribute your app:

  • Most developers — and, to be clear, Apple strongly recommends this approach — ship a universal binary, that is, a single product that supports Apple silicon and Intel.

  • Some folks choose to ship separate Apple silicon and Intel variants of their product.

When it comes to notarisation, you should notarise what you ship to your users. So:

  • If you ship a universal binary, construct that first and then notarise the result.

  • If you ship architecture-specific variants, notarise each one separately.

For more background as to how this works, and hence why this advice makes sense, see Notarisation Fundamentals.

Related to that can I use the Notary Profile I created for DeepSkyStacker to notarise other apps … ?

You mean the keychain profile? If so, then yes, absolutely.

The keychain profile identifies you, the person doing the notarisation. I recommend that you use the same profile for all notarisation work you do on behalf of a specific team [1].

But this raises another question:

to notarise other apps that are part of the same product (DeepSkyStackerLive and DeepSkyStackerCL)

If your product includes multiple code items that are always distributed together, you generally want to notarise those in one go. So, rather than notarising each code item separately, assemble them all into your file product and notarise that.

For general advice on this topic, see:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] If you’re a member of multiple teams, it makes sense to create a profile for each team.

Replies  3
Boosts  0
Views  61
Participants  2
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Apr ’25
Recommended

The answer here depends on how you distribute your app:

  • Most developers — and, to be clear, Apple strongly recommends this approach — ship a universal binary, that is, a single product that supports Apple silicon and Intel.

  • Some folks choose to ship separate Apple silicon and Intel variants of their product.

When it comes to notarisation, you should notarise what you ship to your users. So:

  • If you ship a universal binary, construct that first and then notarise the result.

  • If you ship architecture-specific variants, notarise each one separately.

For more background as to how this works, and hence why this advice makes sense, see Notarisation Fundamentals.

Related to that can I use the Notary Profile I created for DeepSkyStacker to notarise other apps … ?

You mean the keychain profile? If so, then yes, absolutely.

The keychain profile identifies you, the person doing the notarisation. I recommend that you use the same profile for all notarisation work you do on behalf of a specific team [1].

But this raises another question:

to notarise other apps that are part of the same product (DeepSkyStackerLive and DeepSkyStackerCL)

If your product includes multiple code items that are always distributed together, you generally want to notarise those in one go. So, rather than notarising each code item separately, assemble them all into your file product and notarise that.

For general advice on this topic, see:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] If you’re a member of multiple teams, it makes sense to create a profile for each team.

1
perdrix52
perdrix52 OP
Apr ’25

I accept the point about the Universal Binary but unfortunately vcpgk doesn't support universal binaries.

I also I can't compile my code x64 and arm64 with same compiler options, because since the latest update XCode rejects arm64 compilations with AVX related options specified.

So separate builds it is.

For clarification are you saying I should zip up a directory containing DeepSkyStacker.app, DeepSkyStackerCL.app and DeepSkyStackerLive.app and submit that for notarising?

Thanks David

0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Apr ’25
unfortunately vcpgk doesn't support universal binaries.

The standard way to get around such limitations is to build the code for each architecture and then lipo the results together.

IMPORTANT This assumes that both apps have the same resources. If they have different resources, things get trickier.

See An Apple Library Primer for a lot of background on how Mach-O works, links to documentation for lipo and friends, and much more.

For clarification are you saying I should … ?

My final advice is gonna depend on your approach to packaging. We’re currently discussing that in your other thread. Let’s drive that to a conclusion and then come back here if necessary.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Notarising two builds of the same app
First post date Last post date
 
 
Q