This post covers publishing macOS applications outside the Mac App Store. The different distribution methods are described by Apple. At this point it is assumed that the decision has been made to distribute outside the App Store. Distributing installers is not covered; however, the steps are fundamentally the same.
Version: Xcode 12.4, macOS 10.15.7
Before beginning the app export process, ensure the following are installed and present.
Xcode 10.2 or later
Although Xcode 10 will work, Xcode only adds the secure timestamp from version 10.2 onward.
To enable automatic signing, Xcode needs to connect to the Developer portal with an Apple ID registered to a Developer account. Your Apple ID must be registered to the same Developer account where the Developer ID came from. This post describes how to check if your Apple ID is set up correctly.
Developer ID certificate
The Developer ID private key must be installed in your Mac's keychain.
Apple describes a Developer ID certificate as...
A Developer ID certificate lets Gatekeeper verify that you’re a trusted developer when a user opens your app, plug-in, or installer package downloaded from outside the Mac App Store.
Only an Account Holder can generate a Developer ID certificate. Once the certificate is generated and the private key exported from the Account Holder's keychain, the exported key (with a .p12 extension) can be installed on any Mac machine.
You can check if you have a Developer ID certificate in your keychain by running the following command from the Terminal.
$ security find-certificate -c "Developer ID Application"
Notarization only works for binaries linked against macOS 10.9 or later. Set your Xcode project's Deployment Target to at least 10.9.
When you are ready to distribute your app, the first step is to archive the application.
From the Xcode menu, choose Product > Archive. The Organizer window launches showing the archive. You are now ready for the next step: notarization.
Apple describes notarization as...
Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. Notarization is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.
From the Organizer, click on the Distribute App button to start the distribution process.
Though there is an option to export without notarizing, always choose to notarize as notarization enables automated scans of your app. Choose Upload in the destination window.
Choose Automatically manage signing in the signing options window.
Review package content
If the Summary and Entitlements are as expected, click Upload to upload the app to Apple's notarization service.
You can monitor the upload progress as shown.
Once the upload is complete, wait for Apple's notification.
You will receive a notification and an email to your Apple ID once the notarization is complete. For this post, notarization only took about 30 mins.
Export Notarized App
From the Organizer, choose the archive, and scroll down. If the Organizer is closed, open it from the Xcode menu. Choose Window > Organizer.
Click on Export Notarized App to save the app to your chosen location.
You now have an app that can be distributed outside the Mac App Store.
Verifying if an app is notarized
Verifying notarization is not a mandatory step after exporting a notarized app. It can be useful when you have an app or installer package and you want to know if it is notarized. The post on How to Check if a macOS App is Notarized describes the verification steps.
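As an added example (not part of the original post or the linked one), the script below audits the combined output of `codesign -dvv` and `spctl --assess` for the three properties this post relies on: a Developer ID signature, a secure timestamp, and a notarization ticket visible to Gatekeeper. The function names and the sample reports are constructed for illustration; on a Mac, `audit_app` runs the real tools against an exported app.

```shell
#!/bin/sh
# Added example: audit `codesign -dvv` + `spctl --assess` output on stdin.
# Prints one finding per line; returns 0 only when every check passes.
audit_report() {
  report=$(cat)
  rc=0
  check() {  # $1 = grep -E pattern, $2 = property it proves
    if printf '%s\n' "$report" | grep -Eq "$1"; then
      echo "ok: $2"
    else
      echo "FAIL: $2"; rc=1
    fi
  }
  check '^Authority=Developer ID Application: ' 'signed with a Developer ID Application certificate'
  # "Timestamp=" is a secure timestamp; "Signed Time=" is only the local clock.
  check '^Timestamp=' 'secure timestamp present'
  # Gatekeeper reports "Unnotarized Developer ID" when it finds no ticket.
  check '^source=Notarized Developer ID$' 'Gatekeeper sees a notarization ticket'
  return "$rc"
}

# On a Mac: both tools write their report to stderr, hence 2>&1.
audit_app() {
  { codesign -dvv "$1"; spctl --assess --type execute -vv "$1"; } 2>&1 | audit_report
}

# Constructed sample reports (app name, team ID and date are made up).
SAMPLE_NOTARIZED='Executable=/tmp/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 3, 2021 at 10:15:22 AM
TeamIdentifier=ABCDE12345
/tmp/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

# Same signature, but exported without notarizing.
SAMPLE_UNNOTARIZED='Authority=Developer ID Application: Example Corp (ABCDE12345)
Timestamp=Feb 3, 2021 at 10:15:22 AM
/tmp/Example.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

printf '%s\n' "$SAMPLE_NOTARIZED" | audit_report
printf '%s\n' "$SAMPLE_UNNOTARIZED" | audit_report || true
```

The second sample shows why checking the signature alone is not enough: a correctly signed and timestamped app still fails the Gatekeeper check when it was exported without notarizing.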
If you have questions or issues with notarization, Apple's references are a good starting point for investigation.