Topic: CodeSign and Notarize procedures

CodeSign and Notarize procedures
« on: July 31, 2019, 03:34:22 pm »
I posted some years ago how to codesign outside of Xcode:

But now Apple have added App Bundle notarizing, where they co-sign the bundle.

The procedure I am using now is (new is bold):

1/  Join the Mac Dev Center through Appstore.  $99 a year - suck it up.
2/  In the Dev center, go to the certificate section, and create 2 certificates:  Go to: Certificates -> + to create new -> Production -> Developer ID -> (1) Developer ID Application, and (2) Developer ID Installer.  You do this in conjunction with the KeyChain utility program and its Assistant, and request a cert (use the saved to disk method).
3/  Download those two certs and install into your KeyChain (click the cer file).
4/  Download two more intermediate certs - Go to: Certificates ->  + to create new -> Intermediate certs, and get both WWDR and Developer ID Intermediate cert.  You might already have these.  Install these to your KeyChain.

5/  Sign your .app bundle:
/usr/bin/codesign -f -o runtime --timestamp -s "Developer ID Application: My Software Corp." /path/to/my/app/

6/  Make your package file with your signed .app above

7/  Sign your .pkg file:
/usr/bin/productsign --sign "Developer ID Installer: MyCoName inc." /input/path/to/package.pkg  /OUTPUT/path/for/the/result.pkg

8/  Make your .dmg file as required.

9/  Upload finished dmg to Apple:
/usr/bin/xcrun altool --notarize-app --primary-bundle-id "" -u "" -p "my_password" -t osx -f /path/to/my/dmg/file.dmg

10/  wait.... check progress with:
/usr/bin/xcrun altool --notarization-history 0 -u "" -p "my_password"

11/  After the above step registers "Package Approved":
/usr/bin/xcrun stapler staple  /path/to/my/dmg/file.dmg


To verify, install the app and call
/usr/bin/spctl -a -v /Applications/
which will return "accepted" if all OK.


Step 9 requires you to have a new 2FA application sign-in. See:

Apple's guide to notarizing:

I am still using the PackageMaker utility app to make the packages, and all is well.  But its days are numbered (32-bit app).  I will have to move on to pkgbuild and productbuild one day soon.
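
Steps 9 to 11 above as a script (an added example, not part of the original post): it hands altool the password through its `@env:` form instead of as a literal argument, and staples only once the history row for this upload's own RequestUUID reads "Package Approved". The variable names, retry counts and sample history rows are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Caller sets APPLE_ID, BUNDLE_ID and
# ALTOOL_PASSWORD; "@env:" makes altool read the password from the environment
# instead of taking it on the command line.

# Constructed sample of history output (layout assumed: one row per request).
SAMPLE_HISTORY='2019-07-30 10:02:11 +0000 11111111-aaaa-bbbb-cccc-000000000001 success     0 Package Approved
2019-07-31 15:40:52 +0000 22222222-aaaa-bbbb-cccc-000000000002 in progress'

# Extract the UUID from the "RequestUUID = ..." line altool prints after upload.
request_uuid() {
    sed -n 's/^.*RequestUUID = \([0-9A-Fa-f-]*\).*$/\1/p' | head -n 1
}

# Read history text on stdin; succeed only if the row for UUID $1 says
# "Package Approved", so an older approved upload cannot satisfy the check.
is_approved() {
    grep -F -- "$1" | grep -q "Package Approved"
}

fetch_history() {
    /usr/bin/xcrun altool --notarization-history 0 \
        -u "$APPLE_ID" -p "@env:ALTOOL_PASSWORD"
}

# Poll for approval: $1 = UUID, $2 = max attempts, $3 = seconds between polls.
wait_for_approval() {
    n=0
    while [ "$n" -lt "$2" ]; do
        if fetch_history | is_approved "$1"; then return 0; fi
        n=$((n + 1))
        sleep "$3"
    done
    return 1
}

# Steps 9 to 11 for the DMG in $1: upload, wait, staple, check the ticket.
notarize_and_staple() {
    uuid=$(/usr/bin/xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
        -u "$APPLE_ID" -p "@env:ALTOOL_PASSWORD" -t osx -f "$1" 2>&1 | request_uuid)
    [ -n "$uuid" ] || { echo "upload failed: no RequestUUID" >&2; return 1; }
    wait_for_approval "$uuid" 60 30 || { echo "not approved: $uuid" >&2; return 1; }
    /usr/bin/xcrun stapler staple "$1" && /usr/bin/xcrun stapler validate "$1"
}

# Run only when a DMG path is given as the first argument.
if [ "$#" -ge 1 ]; then notarize_and_staple "$1"; fi
```

Apple has since moved notarization uploads from altool to notarytool; the same wait-then-staple ordering applies there.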


Re: CodeSign and Notarize procedures
« Reply #1 on: August 10, 2019, 06:57:15 am »
Thanks for providing this important information. Would you mind updating the corresponding wiki page?
function GetRandomNumber: integer; //
  GetRandomNumber := 4; // chosen by fair dice roll. Guaranteed to be random.

Lazarus 2.0.2 | FPC 3.0.4 | PPC, Intel, ARM | macOS, Windows, Linux