abdullah4ai/asc-notarization
swiftship/internal/skills/data/features/asc-notarization/SKILL.md
Archive, export, and notarize macOS apps using xcodebuild and asc. Use when you need to prepare a macOS app for distribution outside the App Store with Developer ID signing and Apple notarization.
$ install --global
skillsauthnpx skillsauth add abdullah4ai/apple-dev-docs asc-notarizationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Error
VirusTotalMulti-engine malware detection
70%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 20, 2026, 5:48 PM231.8s1 file scanned
SKILL.md
- name:
- asc-notarization
- description:
- Archive, export, and notarize macOS apps using xcodebuild and asc. Use when you need to prepare a macOS app for distribution outside the App Store with Developer ID signing and Apple notarization.
macOS Notarization
Use this skill when you need to notarize a macOS app for distribution outside the App Store.
Preconditions
- Xcode installed and command line tools configured.
- Auth is configured (
asc auth loginorASC_*env vars). - A Developer ID Application certificate in the local keychain.
- The app's Xcode project builds for macOS.
Preflight: Verify Signing Identity
Before archiving, confirm a valid Developer ID Application identity exists:
security find-identity -v -p codesigning | grep "Developer ID Application"
If no identity is found, create one at https://developer.apple.com/account/resources/certificates/add (the App Store Connect API does not support creating Developer ID certificates).
Fix Broken Trust Settings
If codesign or xcodebuild fails with "Invalid trust settings" or "errSecInternalComponent", the certificate may have custom trust overrides that break the chain:
# Check for custom trust settings
security dump-trust-settings 2>&1 | grep -A1 "Developer ID"
# If overrides exist, export the cert and remove them
security find-certificate -c "Developer ID Application" -p ~/Library/Keychains/login.keychain-db > /tmp/devid-cert.pem
security remove-trusted-cert /tmp/devid-cert.pem
Verify Certificate Chain
After fixing trust settings, verify the chain is intact:
codesign --deep --force --options runtime --sign "Developer ID Application: YOUR NAME (TEAM_ID)" /path/to/any.app 2>&1
The signing must show the chain: Developer ID Application → Developer ID Certification Authority → Apple Root CA.
Step 1: Archive
xcodebuild archive \
-scheme "YourMacScheme" \
-configuration Release \
-archivePath /tmp/YourApp.xcarchive \
-destination "generic/platform=macOS"
Step 2: Export with Developer ID
Create an ExportOptions plist for Developer ID distribution:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>method</key>
<string>developer-id</string>
<key>signingStyle</key>
<string>automatic</string>
<key>teamID</key>
<string>YOUR_TEAM_ID</string>
</dict>
</plist>
Export the archive:
xcodebuild -exportArchive \
-archivePath /tmp/YourApp.xcarchive \
-exportPath /tmp/YourAppExport \
-exportOptionsPlist ExportOptions.plist
This produces a .app bundle signed with Developer ID Application and a secure timestamp.
Verify the Export
codesign -dvvv "/tmp/YourAppExport/YourApp.app" 2>&1 | grep -E "Authority|Timestamp"
Confirm:
- Authority chain starts with "Developer ID Application"
- A Timestamp is present
Step 3: Create a ZIP for Notarization
ditto -c -k --keepParent "/tmp/YourAppExport/YourApp.app" "/tmp/YourAppExport/YourApp.zip"
Step 4: Submit for Notarization
Fire-and-forget
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip"
Wait for result
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait
Custom polling
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait --poll-interval 30s --timeout 1h
Step 5: Check Results
Status
asc notarization status --id "SUBMISSION_ID" --output table
Developer Log (for failures)
asc notarization log --id "SUBMISSION_ID"
Fetch the log URL to see detailed issues:
curl -sL "LOG_URL" | python3 -m json.tool
List Previous Submissions
asc notarization list --output table
asc notarization list --limit 5 --output table
Step 6: Staple (Optional)
After notarization succeeds, staple the ticket so the app works offline:
xcrun stapler staple "/tmp/YourAppExport/YourApp.app"
For DMG or PKG distribution, staple after creating the container:
# Create DMG
hdiutil create -volname "YourApp" -srcfolder "/tmp/YourAppExport/YourApp.app" -ov -format UDZO "/tmp/YourApp.dmg"
xcrun stapler staple "/tmp/YourApp.dmg"
Supported File Formats
| Format | Use Case |
|--------|----------|
| .zip | Simplest; zip a signed .app bundle |
| .dmg | Disk image for drag-and-drop install |
| .pkg | Installer package (requires Developer ID Installer certificate) |
PKG Notarization
To notarize .pkg files, you need a Developer ID Installer certificate (separate from Developer ID Application). This certificate type is not available through the App Store Connect API — create it at https://developer.apple.com/account/resources/certificates/add.
Sign the package:
productsign --sign "Developer ID Installer: YOUR NAME (TEAM_ID)" unsigned.pkg signed.pkg
Then submit:
asc notarization submit --file signed.pkg --wait
Troubleshooting
"Invalid trust settings" during export
The Developer ID certificate has custom trust overrides. See the Preflight section above to remove them.
"The binary is not signed with a valid Developer ID certificate"
The app was signed with a Development or App Store certificate. Re-export with method: developer-id in ExportOptions.plist.
"The signature does not include a secure timestamp"
Add --timestamp to manual codesign calls, or use xcodebuild -exportArchive which adds timestamps automatically.
Upload timeout for large files
Set a longer upload timeout:
ASC_UPLOAD_TIMEOUT=5m asc notarization submit --file ./LargeApp.zip --wait
Notarization returns "Invalid" but signing looks correct
Fetch the developer log for specific issues:
asc notarization log --id "SUBMISSION_ID"
Common causes: unsigned nested binaries, missing hardened runtime, embedded libraries without timestamps.
Notes
- The
asc notarizationcommands use the Apple Notary API v2, notxcrun notarytool. - Authentication uses the same API key as other
asccommands. - Files are uploaded directly to Apple's S3 bucket with streaming (no full-file buffering).
- Files over 5 GB use multipart upload automatically.
- Always use
--helpto verify flags:asc notarization submit --help.
Related Skills
abdullah4ai/apple-developer-toolkit
tools
VerifiedTrustedCommunity
Apple platform skill for docs, WWDC lookup, App Store Connect work, and SwiftUI app generation. Use repo-local `node cli.js` for Apple docs and WWDC search, `appledev store` for App Store Connect workflows, and `appledev build` for app scaffolding or fix loops on macOS. USE WHEN: Apple APIs, WWDC sessions, TestFlight/App Store tasks, or building/fixing Apple-platform apps. DON'T USE WHEN: non-Apple platforms, generic backend work, or general web research. EDGE CASES: docs-only queries use `node cli.js` in this repo, not `appledev`; release workflows use `appledev store`; app scaffolding uses `appledev build`; rules-only requests can read `references/ios-rules/` or `references/swiftui-guides/` progressively without invoking binaries.
8SKILL.mdUpdated Mar 27, 2026
abdullah4ai/apple-developer-toolkit
tools
VerifiedTrustedCommunity
All-in-one Apple developer skill with three integrated tools shipped as a single unified binary. (1) Documentation search across Apple frameworks, symbols, and 1,267 WWDC sessions from 2014-2025. No credentials needed. (2) App Store Connect CLI with 120+ commands covering builds (find/wait/upload), TestFlight, pre-submission validate, submissions, signing, subscriptions (family-sharable), IAP, analytics, Xcode Cloud, metadata workflows, release pipeline dashboard, insights, win-back offers, promoted purchases, product pages, nominations, accessibility declarations, pre-orders, pricing filters, localizations update, diff, webhooks with local receiver, workflow automation, and more. Requires App Store Connect API key. (3) Multi-platform app builder (iOS/watchOS/tvOS/iPad/macOS/visionOS) that generates complete Swift/SwiftUI apps from natural language with auto-fix, simulator launch, interactive chat mode, and open-in-Xcode. Requires an LLM API key and Xcode. Includes 38 iOS development rules and 12 SwiftUI best practice guides for Liquid Glass, navigation, state management, and modern APIs. All three tools ship as one binary (appledev). USE WHEN: Apple API docs, App Store Connect management, WWDC lookup, or building iOS/watchOS/tvOS/macOS/visionOS apps from scratch. DON'T USE WHEN: non-Apple platforms or general coding.
7SKILL.mdUpdated Mar 27, 2026
abdullah4ai/widgets
testing
VerifiedTrustedCommunity
watchOS complications: WidgetKit complication families, accessory sizes, timeline providers for watch face. Use when implementing watchOS-specific patterns related to widgets.
5SKILL.mdUpdated Mar 27, 2026
abdullah4ai/haptics
development
VerifiedTrustedCommunity
watchOS haptic feedback: WKInterfaceDevice preset haptic types for wrist-based feedback. Use when implementing watchOS-specific patterns related to haptics.
5SKILL.mdUpdated Mar 27, 2026