{"id":"46ff408b-9775-4b25-8456-a5e7e4c04d18","shortId":"ykqEK7","kind":"skill","title":"asc-notarization","tagline":"Archive, export, and notarize macOS apps using xcodebuild and asc. Use when you need to prepare a macOS app for distribution outside the App Store with Developer ID signing and Apple notarization.","description":"# macOS Notarization\n\nUse this skill when you need to notarize a macOS app for distribution outside the App Store.\n\n## Preconditions\n- Xcode installed and command line tools configured.\n- Auth is configured (`asc auth login` or `ASC_*` env vars).\n- A Developer ID Application certificate in the local keychain.\n- The app's Xcode project builds for macOS.\n\n## Preflight: Verify Signing Identity\n\nBefore archiving, confirm a valid Developer ID Application identity exists:\n\n```bash\nsecurity find-identity -v -p codesigning | grep \"Developer ID Application\"\n```\n\nIf no identity is found, create one at https://developer.apple.com/account/resources/certificates/add (the App Store Connect API does not support creating Developer ID certificates).\n\n### Fix Broken Trust Settings\n\nIf `codesign` or `xcodebuild` fails with \"Invalid trust settings\" or \"errSecInternalComponent\", the certificate may have custom trust overrides that break the chain:\n\n```bash\n# Check for custom trust settings\nsecurity dump-trust-settings 2>&1 | grep -A1 \"Developer ID\"\n\n# If overrides exist, export the cert and remove them\nsecurity find-certificate -c \"Developer ID Application\" -p ~/Library/Keychains/login.keychain-db > /tmp/devid-cert.pem\nsecurity remove-trusted-cert /tmp/devid-cert.pem\n```\n\n### Verify Certificate Chain\n\nAfter fixing trust settings, verify the chain is intact:\n\n```bash\ncodesign --deep --force --options runtime --sign \"Developer ID Application: YOUR NAME (TEAM_ID)\" /path/to/any.app 2>&1\n```\n\nThe signing must show the chain: Developer ID Application → Developer ID Certification Authority → Apple Root CA.\n\n## Step 
1: Archive\n\n```bash\nxcodebuild archive \\\n  -scheme \"YourMacScheme\" \\\n  -configuration Release \\\n  -archivePath /tmp/YourApp.xcarchive \\\n  -destination \"generic/platform=macOS\"\n```\n\n## Step 2: Export with Developer ID\n\nCreate an ExportOptions plist for Developer ID distribution:\n\n```xml\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n    <key>method</key>\n    <string>developer-id</string>\n    <key>signingStyle</key>\n    <string>automatic</string>\n    <key>teamID</key>\n    <string>YOUR_TEAM_ID</string>\n</dict>\n</plist>\n```\n\nExport the archive:\n\n```bash\nxcodebuild -exportArchive \\\n  -archivePath /tmp/YourApp.xcarchive \\\n  -exportPath /tmp/YourAppExport \\\n  -exportOptionsPlist ExportOptions.plist\n```\n\nThis produces a `.app` bundle signed with Developer ID Application and a secure timestamp.\n\n### Verify the Export\n\n```bash\ncodesign -dvvv \"/tmp/YourAppExport/YourApp.app\" 2>&1 | grep -E \"Authority|Timestamp\"\n```\n\nConfirm:\n- Authority chain starts with \"Developer ID Application\"\n- A Timestamp is present\n\n## Step 3: Create a ZIP for Notarization\n\n```bash\nditto -c -k --keepParent \"/tmp/YourAppExport/YourApp.app\" \"/tmp/YourAppExport/YourApp.zip\"\n```\n\n## Step 4: Submit for Notarization\n\n### Fire-and-forget\n```bash\nasc notarization submit --file \"/tmp/YourAppExport/YourApp.zip\"\n```\n\n### Wait for result\n```bash\nasc notarization submit --file \"/tmp/YourAppExport/YourApp.zip\" --wait\n```\n\n### Custom polling\n```bash\nasc notarization submit --file \"/tmp/YourAppExport/YourApp.zip\" --wait --poll-interval 30s --timeout 1h\n```\n\n## Step 5: Check Results\n\n### Status\n```bash\nasc notarization status --id \"SUBMISSION_ID\" --output table\n```\n\n### Developer Log (for failures)\n```bash\nasc notarization log --id \"SUBMISSION_ID\"\n```\n\nFetch the log URL to 
see detailed issues:\n```bash\ncurl -sL \"LOG_URL\" | python3 -m json.tool\n```\n\n### List Previous Submissions\n```bash\nasc notarization list --output table\nasc notarization list --limit 5 --output table\n```\n\n## Step 6: Staple (Optional)\n\nAfter notarization succeeds, staple the ticket so the app works offline:\n\n```bash\nxcrun stapler staple \"/tmp/YourAppExport/YourApp.app\"\n```\n\nFor DMG or PKG distribution, staple after creating the container:\n```bash\n# Create DMG\nhdiutil create -volname \"YourApp\" -srcfolder \"/tmp/YourAppExport/YourApp.app\" -ov -format UDZO \"/tmp/YourApp.dmg\"\nxcrun stapler staple \"/tmp/YourApp.dmg\"\n```\n\n## Supported File Formats\n\n| Format | Use Case |\n|--------|----------|\n| `.zip`  | Simplest; zip a signed `.app` bundle |\n| `.dmg`  | Disk image for drag-and-drop install |\n| `.pkg`  | Installer package (requires Developer ID Installer certificate) |\n\n## PKG Notarization\n\nTo notarize `.pkg` files, you need a **Developer ID Installer** certificate (separate from Developer ID Application). This certificate type is not available through the App Store Connect API — create it at https://developer.apple.com/account/resources/certificates/add.\n\nSign the package:\n```bash\nproductsign --sign \"Developer ID Installer: YOUR NAME (TEAM_ID)\" unsigned.pkg signed.pkg\n```\n\nThen submit:\n```bash\nasc notarization submit --file signed.pkg --wait\n```\n\n## Troubleshooting\n\n### \"Invalid trust settings\" during export\nThe Developer ID certificate has custom trust overrides. See the Preflight section above to remove them.\n\n### \"The binary is not signed with a valid Developer ID certificate\"\nThe app was signed with a Development or App Store certificate. 
Re-export with `method: developer-id` in ExportOptions.plist.\n\n### \"The signature does not include a secure timestamp\"\nAdd `--timestamp` to manual `codesign` calls, or use `xcodebuild -exportArchive` which adds timestamps automatically.\n\n### Upload timeout for large files\nSet a longer upload timeout:\n```bash\nASC_UPLOAD_TIMEOUT=5m asc notarization submit --file ./LargeApp.zip --wait\n```\n\n### Notarization returns \"Invalid\" but signing looks correct\nFetch the developer log for specific issues:\n```bash\nasc notarization log --id \"SUBMISSION_ID\"\n```\n\nCommon causes: unsigned nested binaries, missing hardened runtime, embedded libraries without timestamps.\n\n## Notes\n- The `asc notarization` commands use the Apple Notary API v2, not `xcrun notarytool`.\n- Authentication uses the same API key as other `asc` commands.\n- Files are uploaded directly to Apple's S3 bucket with streaming (no full-file buffering).\n- Files over 5 GB use multipart upload automatically.\n- Always use `--help` to verify flags: `asc notarization submit --help`.","tags":["asc","notarization","app","store","connect","cli","skills","rorkai","agent-skills","ai-skills","app-store-connect","apple"],"capabilities":["skill","source-rorkai","skill-asc-notarization","topic-agent-skills","topic-ai-skills","topic-app-store-connect","topic-apple","topic-asc","topic-automation","topic-cicd","topic-cli","topic-devops","topic-ios","topic-macos","topic-testflight"],"categories":["app-store-connect-cli-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/rorkai/app-store-connect-cli-skills/asc-notarization","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add rorkai/app-store-connect-cli-skills","source_repo":"https://github.com/rorkai/app-store-connect-cli-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 776 
github stars · SKILL.md body (6,185 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-02T18:53:02.314Z","embedding":null,"createdAt":"2026-04-18T21:56:46.789Z","updatedAt":"2026-05-02T18:53:02.314Z","lastSeenAt":"2026-05-02T18:53:02.314Z","prices":[{"id":"8a986c63-85db-403b-8c53-862dfd31dc42","listingId":"46ff408b-9775-4b25-8456-a5e7e4c04d18","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"rorkai","category":"app-store-connect-cli-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:56:46.789Z"}],"sources":[{"listingId":"46ff408b-9775-4b25-8456-a5e7e4c04d18","source":"github","sourceId":"rorkai/app-store-connect-cli-skills/asc-notarization","sourceUrl":"https://github.com/rorkai/app-store-connect-cli-skills/tree/main/skills/asc-notarization","isPrimary":false,"firstSeenAt":"2026-04-18T21:56:46.789Z","lastSeenAt":"2026-05-02T18:53:02.314Z"}],"details":{"listingId":"46ff408b-9775-4b25-8456-a5e7e4c04d18","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"rorkai","slug":"asc-notarization","github":{"repo":"rorkai/app-store-connect-cli-skills","stars":776,"topics":["agent-skills","ai-skills","app-store-connect","apple","asc","automation","cicd","cli","devops","ios","macos","testflight","xcode"],"license":"mit","html_url":"https://github.com/rorkai/app-store-connect-cli-skills","pushed_at":"2026-04-24T08:59:37Z","description":"Skills to automate app store deployed and everything related to it using the asc cli","skill_md_sha":"6e14084d7b3eac99c936e6640a2677fed89e8f49","skill_md_path":"skills/asc-notarization/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/rorkai/app-store-connect-cli-skills/tree/main/skills/asc-notarization"},"layout":"multi","source":"github","category":"app-store-connect-cli-skills","frontmatter":{"name":"asc-notarization","description":"Archive, export, and notarize macOS apps using xcodebuild and asc. 
Use when you need to prepare a macOS app for distribution outside the App Store with Developer ID signing and Apple notarization."},"skills_sh_url":"https://skills.sh/rorkai/app-store-connect-cli-skills/asc-notarization"},"updatedAt":"2026-05-02T18:53:02.314Z"}}