How to notarize a screen saver

One of my app's targets produces a .saver module, but I have failed to figure out how to notarize it. Is this possible?

Accepted Reply

Reply to self with what I’ve done for Catalina:

You can’t notarize the .saver directly, but you can in a round-about way notarize a ZIP file, which is how I distribute my screen saver. Here are the steps I use for my simple saver; your mileage will undoubtedly vary:

  • /usr/bin/codesign -f -o runtime --timestamp --sign "insert Developer ID Installer certificate identifier here" XYZZY.saver
  • compress the code-signed .saver, e.g. XYZZY.saver.zip
  • /usr/bin/xcrun altool --verbose --notarize-app --primary-bundle-id "insert identifier here" -u "xyzzy@plugh.com" -p "insert app-specific PW for your Apple ID here" -t osx -f XYZZY.saver.zip
  • Aside: store the app-specific password in your keychain and reference it from the command line like this:

    /usr/bin/xcrun altool --store-password-in-keychain-item "AC_PASSWORD" -u xyzzy@plugh.com -p "insert app-specific PW from Apple here"

  • wait for notarization, check status like this:

    /usr/bin/xcrun altool --notarization-history 0 -u "xyzzy@plugh.com" -p "@keychain:AC_PASSWORD"

  • While you can notarize a ZIP archive, you can’t staple the notarization ticket to it directly. Instead, run stapler against each individual item that you originally added to the archive. Then create a new ZIP file containing the stapled items for distribution.
    • /usr/bin/xcrun stapler staple XYZZY.saver
    • Re-zip the saver and distribute
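The accepted reply's pipeline as one POSIX sh script, added here as an example and not taken from the thread. It assumes a Developer ID Application identity (the kind the spctl output later in the thread shows), the AC_PASSWORD keychain item from the reply, and placeholder bundle and account names; the two parse_* helpers only read altool's text output, which is where the RequestUUID needed for polling comes from.

```shell
#!/bin/sh
# Added example, not code from the thread: the accepted reply's altool/stapler steps
# as one script. Assumes macOS with Xcode command-line tools, a "Developer ID
# Application" identity in the keychain, and an app-specific password stored as
# keychain item AC_PASSWORD (as in the reply). All names below are placeholders.
set -eu
SAVER=${SAVER:-XYZZY.saver}                        # bundle produced by Xcode
IDENTITY=${IDENTITY:-"Developer ID Application: Your Name (TEAMID)"}
BUNDLE_ID=${BUNDLE_ID:-com.example.xyzzy.saver}    # placeholder identifier
APPLE_ID=${APPLE_ID:-xyzzy@plugh.com}
PASSWORD="@keychain:AC_PASSWORD"

# Pull "RequestUUID = ..." out of the altool submission output (pure text parsing).
parse_request_uuid() {
    printf '%s\n' "$1" | sed -n 's/^.*RequestUUID = \([0-9A-Fa-f-]*\).*$/\1/p' | head -n 1
}

# Pull the "Status: ..." line out of altool --notarization-info output.
parse_status() {
    printf '%s\n' "$1" | sed -n 's/^ *Status: \(.*\)$/\1/p' | head -n 1
}

notarize_saver() {
    # 1. Sign with the hardened runtime and a secure timestamp; notarization requires both.
    codesign -f -o runtime --timestamp --sign "$IDENTITY" "$SAVER"
    # 2. Zip with ditto so symlinks and resource forks inside the bundle survive intact.
    rm -f "$SAVER.zip" && ditto -c -k --keepParent "$SAVER" "$SAVER.zip"
    # 3. Submit and keep the request id altool hands back.
    out=$(xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
          -u "$APPLE_ID" -p "$PASSWORD" -t osx -f "$SAVER.zip" 2>&1)
    uuid=$(parse_request_uuid "$out")
    [ -n "$uuid" ] || { echo "submission failed: $out" >&2; exit 1; }
    # 4. Poll until Apple finishes; status stays "in progress" for a few minutes.
    while :; do
        info=$(xcrun altool --notarization-info "$uuid" -u "$APPLE_ID" -p "$PASSWORD" 2>&1)
        status=$(parse_status "$info")
        case $status in
            success) break ;;
            "in progress"|"") sleep 30 ;;
            *) echo "notarization $status: $info" >&2; exit 1 ;;
        esac
    done
    # 5. Staple the ticket to the bundle (the ZIP cannot carry it), verify, then re-zip.
    xcrun stapler staple "$SAVER" && xcrun stapler validate "$SAVER"
    codesign --verify --deep --strict --verbose=2 "$SAVER"
    rm -f "$SAVER.zip" && ditto -c -k --keepParent "$SAVER" "$SAVER.zip"
}
# Run the pipeline only when invoked as "sh notarize.sh run"; otherwise just define the functions.
if [ "${1:-}" = run ]; then notarize_saver; fi
```

altool is what this thread uses; on Xcode 13 or later the same steps map onto xcrun notarytool, which can wait for the verdict itself instead of being polled.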


Replies


Cool! That almost answers the problem I am having, too!

One question, though: where would I find the 'Developer ID Installer certificate identifier'?

Also, I don't think I have an 'app-specific PW' - what do I do?

The last step in your instructions is not clear to me:

does 'xcrun stapler staple XYZZY.saver' "run stapler against each individual item" for me?

or do I have to do this for each and every item inside the package myself?

Thanks a lot in advance!

I get my Dev ID Installer from Keychain Access in the Certificates section: Developer ID Installer: Your Name (123456). Use the string "Your Name (123456)".

Generate the app-specific PW here: https://support.apple.com/en-us/HT204397

You have to run stapler against every item in the archive, then recreate the archive. For me, there's only one item, the saver module.

Thanks for the great answer, this saved me a ton of time. I'll add a few details from my experience for the benefit of the thread:
  • I was able to make this work for my distribution via a DMG instead of ZIP.
  • I use appdmg to build the DMG that contains my .saver file. It is a very handy tool that does the Developer ID signing. It doesn't do the notarization, but the steps provided above, run against the DMG file, work a treat.
  • I added the app-specific password by logging in to https://appleid.apple.com with my developer account.
  • After notarizing, I simply ran the staple command on the DMG and it was notarized. There is a lot of auto-magic going on there.
  • I was able to validate that "source" is "Notarized Developer ID" using: spctl --assess -vvv --type install <fileName>.dmg. You should see something like:

    # spctl --assess -vvv --type install screensaver.dmg
    screensaver.dmg accepted
    source=Notarized Developer ID
    origin=Developer ID Application: <your developer account name> (<your team identifier>)

Note the Notarized part. Otherwise you would just see source=Developer ID.

Where should the .saver file and the saver.zip be located on my hard drive?

It doesn’t really matter. Usually folks do development in a directory that they create within their home directory.

PS: I recommend steering clear of directories, like Documents and Desktop, that are protected by MAC.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"