Name: Asc Notarization
Author: Rudrankriyam

Install

Terminal · npx

$npx skills add https://github.com/rudrankriyam/app-store-connect-cli-skills --skill asc-notarization

Works with Paperclip

How Asc Notarization fits into a Paperclip company.

Asc Notarization drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.

E-Commerce EmpirePaired

Pre-configured AI company — 20 agents, 9 skills, one-time purchase.

$59$89

Explore pack

Source file

SKILL.md212 linesmarkdown

Expand

1---2name: asc-notarization3description: Archive, export, and notarize macOS apps using xcodebuild and asc. Use when you need to prepare a macOS app for distribution outside the App Store with Developer ID signing and Apple notarization.4---5 6# macOS Notarization7 8Use this skill when you need to notarize a macOS app for distribution outside the App Store.9 10## Preconditions11- Xcode installed and command line tools configured.12- Auth is configured (`asc auth login` or `ASC_*` env vars).13- A Developer ID Application certificate in the local keychain.14- The app's Xcode project builds for macOS.15 16## Preflight: Verify Signing Identity17 18Before archiving, confirm a valid Developer ID Application identity exists:19 20```bash21security find-identity -v -p codesigning | grep "Developer ID Application"22```23 24If no identity is found, create one at https://developer.apple.com/account/resources/certificates/add (the App Store Connect API does not support creating Developer ID certificates).25 26### Fix Broken Trust Settings27 28If `codesign` or `xcodebuild` fails with "Invalid trust settings" or "errSecInternalComponent", the certificate may have custom trust overrides that break the chain:29 30```bash31# Check for custom trust settings32security dump-trust-settings 2>&1 | grep -A1 "Developer ID"33 34# If overrides exist, export the cert and remove them35security find-certificate -c "Developer ID Application" -p ~/Library/Keychains/login.keychain-db > /tmp/devid-cert.pem36security remove-trusted-cert /tmp/devid-cert.pem37```38 39### Verify Certificate Chain40 41After fixing trust settings, verify the chain is intact:42 43```bash44codesign --deep --force --options runtime --sign "Developer ID Application: YOUR NAME (TEAM_ID)" /path/to/any.app 2>&145```46 47The signing must show the chain: Developer ID Application → Developer ID Certification Authority → Apple Root CA.48 49## Step 1: Archive50 51```bash52xcodebuild archive \53  -scheme "YourMacScheme" \54  -configuration Release \55  -archivePath /tmp/YourApp.xcarchive \56  -destination "generic/platform=macOS"57```58 59## Step 2: Export with Developer ID60 61Create an ExportOptions plist for Developer ID distribution:62 63```xml64<?xml version="1.0" encoding="UTF-8"?>65<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">66<plist version="1.0">67<dict>68    <key>method</key>69    <string>developer-id</string>70    <key>signingStyle</key>71    <string>automatic</string>72    <key>teamID</key>73    <string>YOUR_TEAM_ID</string>74</dict>75</plist>76```77 78Export the archive:79 80```bash81xcodebuild -exportArchive \82  -archivePath /tmp/YourApp.xcarchive \83  -exportPath /tmp/YourAppExport \84  -exportOptionsPlist ExportOptions.plist85```86 87This produces a `.app` bundle signed with Developer ID Application and a secure timestamp.88 89### Verify the Export90 91```bash92codesign -dvvv "/tmp/YourAppExport/YourApp.app" 2>&1 | grep -E "Authority|Timestamp"93```94 95Confirm:96- Authority chain starts with "Developer ID Application"97- A Timestamp is present98 99## Step 3: Create a ZIP for Notarization100 101```bash102ditto -c -k --keepParent "/tmp/YourAppExport/YourApp.app" "/tmp/YourAppExport/YourApp.zip"103```104 105## Step 4: Submit for Notarization106 107### Fire-and-forget108```bash109asc notarization submit --file "/tmp/YourAppExport/YourApp.zip"110```111 112### Wait for result113```bash114asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait115```116 117### Custom polling118```bash119asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait --poll-interval 30s --timeout 1h120```121 122## Step 5: Check Results123 124### Status125```bash126asc notarization status --id "SUBMISSION_ID" --output table127```128 129### Developer Log (for failures)130```bash131asc notarization log --id "SUBMISSION_ID"132```133 134Fetch the log URL to see detailed issues:135```bash136curl -sL "LOG_URL" | python3 -m json.tool137```138 139### List Previous Submissions140```bash141asc notarization list --output table142asc notarization list --limit 5 --output table143```144 145## Step 6: Staple (Optional)146 147After notarization succeeds, staple the ticket so the app works offline:148 149```bash150xcrun stapler staple "/tmp/YourAppExport/YourApp.app"151```152 153For DMG or PKG distribution, staple after creating the container:154```bash155# Create DMG156hdiutil create -volname "YourApp" -srcfolder "/tmp/YourAppExport/YourApp.app" -ov -format UDZO "/tmp/YourApp.dmg"157xcrun stapler staple "/tmp/YourApp.dmg"158```159 160## Supported File Formats161 162| Format | Use Case |163|--------|----------|164| `.zip`  | Simplest; zip a signed `.app` bundle |165| `.dmg`  | Disk image for drag-and-drop install |166| `.pkg`  | Installer package (requires Developer ID Installer certificate) |167 168## PKG Notarization169 170To notarize `.pkg` files, you need a **Developer ID Installer** certificate (separate from Developer ID Application). This certificate type is not available through the App Store Connect API — create it at https://developer.apple.com/account/resources/certificates/add.171 172Sign the package:173```bash174productsign --sign "Developer ID Installer: YOUR NAME (TEAM_ID)" unsigned.pkg signed.pkg175```176 177Then submit:178```bash179asc notarization submit --file signed.pkg --wait180```181 182## Troubleshooting183 184### "Invalid trust settings" during export185The Developer ID certificate has custom trust overrides. See the Preflight section above to remove them.186 187### "The binary is not signed with a valid Developer ID certificate"188The app was signed with a Development or App Store certificate. Re-export with `method: developer-id` in ExportOptions.plist.189 190### "The signature does not include a secure timestamp"191Add `--timestamp` to manual `codesign` calls, or use `xcodebuild -exportArchive` which adds timestamps automatically.192 193### Upload timeout for large files194Set a longer upload timeout:195```bash196ASC_UPLOAD_TIMEOUT=5m asc notarization submit --file ./LargeApp.zip --wait197```198 199### Notarization returns "Invalid" but signing looks correct200Fetch the developer log for specific issues:201```bash202asc notarization log --id "SUBMISSION_ID"203```204 205Common causes: unsigned nested binaries, missing hardened runtime, embedded libraries without timestamps.206 207## Notes208- The `asc notarization` commands use the Apple Notary API v2, not `xcrun notarytool`.209- Authentication uses the same API key as other `asc` commands.210- Files are uploaded directly to Apple's S3 bucket with streaming (no full-file buffering).211- Files over 5 GB use multipart upload automatically.212- Always use `--help` to verify flags: `asc notarization submit --help`.

Related skills

Asc App Create Ui

Install Asc App Create Ui skill for Claude Code from rudrankriyam/app-store-connect-cli-skills.

Asc Aso Audit

Install Asc Aso Audit skill for Claude Code from rudrankriyam/app-store-connect-cli-skills.

Asc Build Lifecycle

Install Asc Build Lifecycle skill for Claude Code from rudrankriyam/app-store-connect-cli-skills.