Notarize your Electron apps seamlessly
# npm
npm i electron-notarize --save-dev
# yarn
yarn add electron-notarize --dev
From apple's docs, the definition of a "notarized app"
A notarized app is a macOS app that was uploaded to Apple for processing before it was distributed. When you export a notarized app from Xcode, it code signs the app with a Developer ID certificate and staples a ticket from Apple to the app. The ticket confirms that you previously uploaded the app to Apple.
On macOS 10.14 and later, the user can launch notarized apps when Gatekeeper is enabled. When the user first launches a notarized app, Gatekeeper looks for the app’s ticket online. If the user is offline, Gatekeeper looks for the ticket that was stapled to the app.
Basically Apple are going to make this a hard requirement soon, may as well get on the train early.
options
ObjectappBundleId
String - The app bundle identifier your Electron app is using. E.g.com.github.electron
appPath
String - The absolute path to your.app
fileascProvider
String (optional) - Your Team Short Name. This is necessary if you are part of multiple teams, you can find it out by runningiTMSTransporter -m provider -u APPLE_DEV_ACCOUNT -p APP_PASSWORD
- There are two methods available: user name with password:
appleId
String - The username of your apple developer accountappleIdPassword
String - The password for your apple developer account
- ... or apiKey with apiIssuer:
appleApiKey
String - Required for JWT authentication. See Note on JWT authentication below.appleApiIssuer
String - Issuer ID. Required ifappleApiKey
is specified.
For notarization, you need the following things:
- Xcode 10 or later installed on your Mac.
- An Apple Developer account.
- An app-specific password for your ADC account’s Apple ID.
- Your app may need to be signed with hardened-runtime and the following entitlements:
- com.apple.security.cs.allow-jit
- com.apple.security.cs.allow-unsigned-executable-memory
- Never hard code your password into your packaging scripts, use an environment variable at a minimum.
- It is possible to provide a keychain reference instead of your actual password (assuming that you have already logged into the Application Loader from Xcode). For example:
const password = `@keychain:"Application Loader: ${appleId}"`;
Another option is that you can add a new keychain item using either the Keychain Access app or from the command line using the security
utility:
security add-generic-password -a "AC_USERNAME" -w <app_specific_password> -s "AC_PASSWORD"
where AC_USERNAME
should be replaced with your Apple ID, and then in your code you can use:
const password = `@keychain:AC_PASSWORD`;
You can obtain an API key from Appstore Connect. Create a key with App Manager access. Note down the Issuer ID and download the .p8
file. This file is your Api key and comes with the name of AuthKey_<api_key>.p8
. This is the string you have to supply when calling notarize
.
Based on the ApiKey
altool
will look in the following places for that file:
./private_keys
, ~/private_keys
, ~/.private_keys
and ~/.appstoreconnect/private_keys
.
import { notarize } from 'electron-notarize';
async function packageTask () {
// Package your app here, and code side with hardened runtime
await notarize({
appBundleId,
appPath,
appleId,
appleIdPassword,
ascProvider, // This parameter is optional
});
}