Once I have built my macOS .app and signed it I run notarytool using this simple shell script:
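#!/bin/sh
# Zip the signed app bundle for upload, keeping the .app directory itself.
ditto -c -k --keepParent "$1.app" "$1.zip"
# Submit using the stored keychain profile and wait for the result.
xcrun notarytool submit "$1.zip" --keychain-profile "Notary Profile for DeepSkyStacker" --wait
# Staple the ticket to the app (quoted so paths with spaces work), then clean up.
xcrun stapler staple "$1.app"
rm -f "$1.zip"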
How can I export that "keychain-profile" (notary profile) so I can use it in CI/CD actions? Clearly I don't wish to expose the full invocation of xcrun notarytool store-credentials.
Profiles are not in any way magic. Each one is just a keychain item with appropriate attributes set.
notarytool doesn’t have a way to import and export profiles. You might be able to do that with Keychain Access, but I suspect that it won’t pan out. There’s not a standardised export format for keychain password items.
The easiest way to handle the CI/CD server case is to skip the keychain entirely. I generally do this with API key authentication rather than an app-specific password. That’s because with an API key the only thing you need to get on your CI/CD server is that key file, and CI/CD servers generally have a standard way of provisioning a task with a file-based secret.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
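The API key approach described in the answer above, applied to the question's script, as an added example that is not code from either poster. The variable names NOTARY_KEY_FILE, NOTARY_KEY_ID and NOTARY_ISSUER are assumptions standing in for whatever the CI system's secret store provides; the key file arrives as a file-based secret, so nothing sensitive appears on the command line or in the repository.

```shell
#!/bin/sh
# Added example: notarize in CI with App Store Connect API key authentication
# instead of a keychain profile.
# Assumed (hypothetical) variables set by the CI system's secret store:
#   NOTARY_KEY_FILE  path to the .p8 key file provisioned as a file secret
#   NOTARY_KEY_ID    ID of that API key
#   NOTARY_ISSUER    issuer UUID for the team's API keys

# Fail early, naming the missing secret but never printing its value.
check_notary_secrets() {
    for var in NOTARY_KEY_FILE NOTARY_KEY_ID NOTARY_ISSUER; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing CI secret: $var" >&2
            return 1
        fi
    done
    if [ ! -r "$NOTARY_KEY_FILE" ]; then
        echo "API key file is not readable" >&2
        return 1
    fi
}

notarize_app() {
    app="$1"
    check_notary_secrets || return 1
    ditto -c -k --keepParent "$app.app" "$app.zip" || return 1
    xcrun notarytool submit "$app.zip" \
        --key "$NOTARY_KEY_FILE" --key-id "$NOTARY_KEY_ID" \
        --issuer "$NOTARY_ISSUER" --wait
    status=$?
    rm -f "$app.zip"
    # If the submit command failed, stop here and skip stapling.
    [ "$status" -eq 0 ] || return "$status"
    xcrun stapler staple "$app.app"
}

# Run only when an app name is given, e.g.: ./notarize.sh DeepSkyStacker
if [ "$#" -gt 0 ]; then
    notarize_app "$1"
fi
```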