Which API Key Role to Use for Notarization?

Any update on this? A technical reply would be appreciated.

Hey! It should be the App Store Specific Password that you can create under appleid.apple.com 🙂

I'm asking about the role (Developer, App Manager, etc), not how to provide credentials. Passwords and API Keys are mutually exclusive.

>Notarization doesn't seem like it would require significant access.

Are you suggesting that notarization happens in a vacuum? ...interesting.

I am trying to generate an apikey for notarization, and ended up with the conclusion that I need an app store connect api key. However, when creating one, I am asked about the role for this key. It is not clear to me if that should be Admin, App Manager, or Developer.
I don't understand oddvacados answer. How does an "app store specific password" help if an apikey is needed?
This is all assuming that the api that altool uses really is the app store connect api.

I tried to use the administrator role. However, my call to notarize the app got an "unauthorized" response.

Code Block 
xcrun altool --notarize-app -t osx --apiKey * --apiIssuer my_email@email.me -f some.dmg --primary-bundle-id org.myorg.myapp
Generated JWT:  *
2021-01-28 09:12:31.411 altool[8385:1881380] CFURLRequestSetHTTPCookieStorageAcceptPolicy_block_invoke: no longer implemented and should not be called
2021-01-28 09:12:32.154 altool[8385:1881380] * Error: Server returned an invalid MIME type: text/plain, body: Unauthenticated
2021-01-28 09:12:32.329 altool[8385:1881374] * Error: Unable to notarize app.
2021-01-28 09:12:32.329 altool[8385:1881374] *** Error: code -1011 (Failed to authenticate for session: (

Edit: the apiIssuerId is not the apple id, but some uuid you receive along with the keyId and the key. All three are required. Storing the key in a local directory as documented in altool does not work, but storing it in the $HOME/private_keys folder seems to work.

With those things corrected, and the 'administrator' role,
I got the successful response

Code Block 
No errors uploading 'some.dmg'.
RequestUUID = another-uuid-***

I did not try the other roles. I still wonder how that roles affect notarization, just guessing for "admin" does not feel right.

I think the misunderstanding is you don't have to use apiKey for notarization, you can use an Apple ID app-specific password token to do this as well.

You can go to appleid.apple.com, create an app-specific passwords, then use that to notarize, and then you should be able to do this with your own account level permission, which I believe access to Developer Resource is enough, or app manager.

xcrun altool --notarize-app -u your_username@company.com -p your_app_specific_password whatever else options you want

apiKey is certainly a good option as well, but I still can't figure out how to generate apiKey for app-manager with different apps permission like you can in Users role and connect.

Just in case someone is still asking this question (as I did): I was able to use notarytool (newer alternative to altool) authenticated via App Store Connect API key with only Developer role granted.