We are using notarytool to notorize installers for distribution. notarytool submit file-path { -k key-path -d key-id -i issuer | --apple-id apple-id [--password app-specific-password] --team-id team-id | -p profile-name [--keychain keychain-path] } [--wait --no-s3-acceleration] App Store Connect API Keys Developer ID team administrators can create App Store Connect API keys for the developers on their team by logging into <https://appstoreconnect.apple.com/access/api> and selecting the "Keys" tab. For security purposes, the private key can only be downloaded once. -k, --key key-path App Store Connect API key. File system path to the private key. -d, --key-id key-id App Store Connect API Key ID. For most teams this will be a 10 character alphanumeric string. -i, --issuer issuer App Store Connect API Issuer ID. The issuer ID is a UUID format string. What is the recommended practice for the key-path, where should the API private key be stored in the the file system ? There is this documentation https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_keychain https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave But none seems to make a recommendation for storing private keys in a way that would work with notarytool https://help.apple.com/developer-account/#/devcdfbb56a3 States the following, but does not make a recommendation WARNING: Save this file in a secure place because the key is not saved in your developer account and you won’t be able to download it again. If the Download button is disabled, you previously downloaded the key.