|NOTARYTOOL(1)||General Commands Manual||NOTARYTOOL(1)|
Manage submissions to the Apple notary service.
Common subcommands include submit, info, wait, history, log, store-credentials, and help.
Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. Notarization is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple (see stapler(1)) to your software; the notary service also publishes that ticket online where Gatekeeper can find it.
notarytool is a developer interface to this service. For example, submit [options] --wait file-path will verify file-path is one of the Supported Upload File Formats, initiate a connection with the Apple notary service, return the Submission ID, upload the file to the Apple notary service, wait for the submission to be processed by the Apple notary service, and exit when the processing is complete.
For more information on notarization, see the "Notarizing macOS Software Before Distribution" documentation at: <https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution>
The following authentication options are available for all
Developer ID team administrators can create App Store Connect API keys for the developers on their team by logging into <https://appstoreconnect.apple.com/access/api> and selecting the "Keys" tab. For security purposes, the private key can only be downloaded once.
Create App-specific passwords by following the instructions on "Using app-specific passwords" at <https://support.apple.com/en-us/HT204397>. Any developer that has accepted the relevant agreements can use app-specific passwords with the Apple notary Service.
--password option is not specified.
notarytool subcommand. Usually 10 alphanumeric characters. Your Apple ID may be a member of multiple teams; you can find Team IDs for teams you belong to by going to <https://developer.apple.com/account/#/membership>. You cannot get information on Submission IDs created by another wwdr_team_id.
The following options are available for all subcommands except store-credentials:
notarytool. Use the profile name that you previously provided via the store-credentials command.
-p profile-name. If the specified keychain file is locked, you will be prompted to unlock it.
notarytool submit works only with UDIF disk images, signed "flat" installer packages, and
notarytool will do a shallow validation of the file before submission. Passing any other file format in submit will result in an error.
returns a Submission ID as a UUID formatted string used to identify your submission. This Submission ID is necessary for the following subcommands: info, wait, and log. The Submission ID is also necessary when requesting support for most Apple notary service issues.
Submission IDs are unique to the development team that generated them. You can only retrieve information for submissions created by your team.
The following output control options are available for all
notarytool may change the verbose logging. Do not write scripts assuming specific messages will continue to exist in the current form.
notarytool defaults to --progress.
notarytool defaults to normal output format.
notarytool help subcommand for more detailed help.
--key-path to pass the file path of a private key, the contents of the private key are stored in the new keychain item and the private key file can be deleted.
profile-name is the name of the new keychain item to create. Passing in a previously saved profile name will cause the old keychain item to be overwritten.
--no-wait. See the wait subcommand for more information.
notarytool will exit after polling for the specified duration. Although notarytool exits, the submission will continue to be processed by the Apple Notary service. See the wait subcommand for more information.
--force option can be useful if you think the pre-flight validation is incorrect or slow.
Use output-path to specify a path for the new notarization log file; otherwise the notarization log is printed to stdout.
Only return from notarytool once the Apple notary service has responded with a status of "Accepted", "Invalid", "Rejected", or if a fatal error has occurred during submission. This option replaces the need for polling from a script.
notarytool will exit after polling for duration. The Notary service will continue processing the submission even if the timeout is reached. Duration is an integer followed by an optional suffix: seconds 's' (default), minutes 'm', hours 'h'. For example, these values all set the timeout to an hour: 3600, 3600s, 60m, 1h.
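The following CI wrapper is an added example, not part of the original manual page and not Apple's code. It validates a timeout using the duration rules above and branches on the submission status instead of on log messages, reading credentials from a keychain profile created with store-credentials. It assumes that --output-format json prints an object with "id" and "status" keys on stdout; the function names and action labels are hypothetical.

```python
import json
import re
import subprocess
import sys

# Final statuses named on this page; anything else means still processing.
FINAL = {"Accepted", "Invalid", "Rejected"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600}

def parse_duration(text):
    """Seconds for a duration: an integer plus an optional s/m/h suffix."""
    m = re.fullmatch(r"(\d+)([smh]?)", text.strip())
    if not m:
        raise ValueError(f"not a valid duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def submit_cmd(path, profile, timeout):
    parse_duration(timeout)  # reject a malformed timeout before uploading
    return ["xcrun", "notarytool", "submit", path,
            "--keychain-profile", profile, "--wait", "--timeout", timeout,
            "--output-format", "json"]

def next_step(stdout_text):
    """Map the JSON result (assumed keys: id, status) to (action, id)."""
    try:
        result = json.loads(stdout_text)
        sub_id, status = result.get("id"), result.get("status")
    except (ValueError, AttributeError):
        return ("error", None)  # not JSON, or not a JSON object
    if status == "Accepted":
        return ("staple", sub_id)
    if status in FINAL:
        return ("fetch-log", sub_id)  # Invalid or Rejected: read the log
    # No final status: the timeout was reached, the service is still working.
    return ("poll-later", sub_id) if sub_id else ("error", None)

def main(path, profile, timeout="30m"):
    proc = subprocess.run(submit_cmd(path, profile, timeout),
                          capture_output=True, text=True)
    action, sub_id = next_step(proc.stdout)
    if action == "staple":
        return subprocess.run(["xcrun", "stapler", "staple", path]).returncode
    if action == "fetch-log":
        subprocess.run(["xcrun", "notarytool", "log", sub_id,
                        "--keychain-profile", profile])
    print(f"{action}: submission {sub_id}", file=sys.stderr)
    return 1  # fail the build unless the ticket was stapled

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

When the action is poll-later, keep the Submission ID and pass it to the wait or info subcommand in a later job.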
In fall of 2023, altool will no longer be supported for
notarytool instead. If you previously invoked altool like this:
altool --notarize-app -f path/to/app.pkg --primary-bundle-id com.example.myapp --apiKey 7UD13000 --issuerId 6bc36aee-c5c8-11ec-9d64-0242ac120001
Instead, use notarytool like this:
notarytool submit path/to/app.pkg --key path/to/AuthKey_7UD13000.p8 --key-id 7UD13000 --issuer 6bc36aee-c5c8-11ec-9d64-0242ac120001 --wait
notarytool has some options that are designed to allow a developer to tune some characteristics specifically for their network conditions.
notarytool submit .. [
--no-s3-acceleration when submitting files to the notary service.
notarytool command first appeared in
|April 28th, 2022||macOS|