How to Notarize Electron Mac App by CLI

Currently, if you create a Mac app but do not distribute it through the Mac App Store, Apple asks developers to notarize it; otherwise, a user who downloads your app and clicks to open it will receive an alert: "mac cannot be opened because the developer cannot be verified".

This post describes how to notarize a macOS app from the CLI; you must build and sign your app first.

For how to sign a Mac app, please see:

Generate App Specific Password

Then, you must register an app-specific password. In this case, we store it in the Keychain; run:

xcrun altool --store-password-in-keychain-item "AC_PASSWORD" \
  -u "$your_apple_id" \
  -p "$your_app_password"

Note: AC_PASSWORD is the name of the record in the Keychain, $your_apple_id is your Apple ID email, and $your_app_password should be the app-specific password you generated.

If you don't want to store it in the Keychain, you may replace every @keychain:AC_PASSWORD reference with your password in plain text when you run the commands.

Get Team ID

Run this command:

xcrun altool --list-providers -u "$your_apple_id" -p "@keychain:AC_PASSWORD"

You will see a list of teams; the ProviderShortName column is your Team ID.

Notarize the App

After you build your Mac app (you must also sign it with a Developer ID Application certificate), notarize it from the CLI.

Run this command:

xcrun notarytool submit your-app.dmg --wait --apple-id "$your_apple_id" \
  --password "@keychain:AC_PASSWORD" \
  --team-id "$your_apple_team_id"

This will take a while and shows progress; wait for it to finish. When the process has finished, run the following command:

xcrun stapler staple your-app.dmg

Now your app has been notarized; you can distribute it on the web and let users download it.
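The whole CLI flow above, wrapped in one script, as an added example that is not part of the original post. It assumes the Keychain item AC_PASSWORD from the altool step already exists, and that APPLE_ID and APPLE_TEAM_ID are exported (the same names the post's .env file uses later); the APPLE_PASSWORD_REF variable and the function names are this example's own choices. It adds two things the steps above do not show: a check that the identity variables are present before anything is sent, and a verification pass after stapling (xcrun stapler validate and spctl) so you know the ticket is attached and Gatekeeper accepts the image before you publish it. The password is passed only as a @keychain: reference, so it never appears in shell history or process listings.

```shell
#!/bin/sh
# Added example (not from the original post): the notarization steps in one
# script with a pre-check and a post-check. Assumes the Keychain item
# "AC_PASSWORD" exists and APPLE_ID / APPLE_TEAM_ID are exported.
set -eu

# Fail early if a required variable is missing or empty, so nothing is
# submitted with an incomplete identity.
require_notarize_env() {
  missing=""
  for name in APPLE_ID APPLE_TEAM_ID; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required variables:$missing" >&2
    return 1
  fi
  return 0
}

# The credential is a keychain reference, never a literal password
# (APPLE_PASSWORD_REF is this example's own variable name).
PASSWORD_REF="${APPLE_PASSWORD_REF:-@keychain:AC_PASSWORD}"

# Submit, wait for the result, staple the ticket, then verify with Apple's tools.
notarize_dmg() {
  dmg="$1"
  [ -f "$dmg" ] || { echo "no such file: $dmg" >&2; return 1; }
  require_notarize_env

  xcrun notarytool submit "$dmg" --wait \
    --apple-id "$APPLE_ID" \
    --password "$PASSWORD_REF" \
    --team-id "$APPLE_TEAM_ID"

  xcrun stapler staple "$dmg"

  # Confirm the ticket is attached and Gatekeeper accepts the disk image.
  xcrun stapler validate "$dmg"
  spctl --assess --type install -vv "$dmg"
}

# Only run when a disk image path is given, e.g.: sh notarize.sh dist/your-app.dmg
if [ "$#" -gt 0 ]; then
  notarize_dmg "$1"
fi
```

If notarytool reports a status other than Accepted, the submission ID it prints can be fed to xcrun notarytool log to see which file or entitlement was rejected; run the script again once the build is fixed.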

For Electron Builder

If you are using electron-builder, you can automate this step. Just install the package electron-builder-notarize:

npm i electron-builder-notarize --save-dev
# OR
yarn add electron-builder-notarize --dev

And add this config to electron-builder.config.json:

{
  ...
  "mac": {
    ...
    // Add the two lines below
    "hardenedRuntime": true,
    "entitlements": "./node_modules/electron-builder-notarize/entitlements.mac.inherit.plist"
  },
  "afterSign": "electron-builder-notarize" // <-- Add this line
  ...
}

And you must add a .env file (remember to exclude it from git):

APPLE_ID=...
APPLE_ID_PASSWORD=...
APPLE_TEAM_ID=...

Now, when you package your Electron app with electron-builder, it will notarize your app automatically every time.
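Two things can go wrong with that .env file: it gets committed, or it gets sourced as shell code by a build script. The script below, an added example that is not part of the original post or of electron-builder-notarize, refuses to build unless .env is listed in .gitignore, and reads the three variables with a line parser instead of sourcing the file, so a value is always data and never executed. The function names and the project-directory argument are this example's own; the variable names are the ones the .env file above uses.

```shell
#!/bin/sh
# Added example (not from the original post): load APPLE_ID, APPLE_ID_PASSWORD
# and APPLE_TEAM_ID from .env without executing the file, and refuse to run
# when .env is not ignored by git.
set -eu

# Return 0 only when .gitignore in the given directory lists .env.
env_is_gitignored() {
  dir="$1"
  [ -f "$dir/.gitignore" ] && grep -qxE '\.env|/\.env' "$dir/.gitignore"
}

# Parse KEY=VALUE lines; skip blanks and comments; reject any other key.
# The value is assigned verbatim, so a line such as APPLE_ID=$(rm -rf ~)
# becomes a string, not a command. Error messages print only the key.
load_notarize_env() {
  file="$1"
  [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;
      APPLE_ID=*|APPLE_ID_PASSWORD=*|APPLE_TEAM_ID=*)
        key="${line%%=*}"
        value="${line#*=}"
        eval "$key=\$value"   # key is one of the three names above
        export "$key"
        ;;
      *)
        echo "unexpected line in $file: ${line%%=*}" >&2
        return 1 ;;
    esac
  done < "$file"
  # electron-builder-notarize needs all three to be non-empty.
  [ -n "${APPLE_ID:-}" ] && [ -n "${APPLE_ID_PASSWORD:-}" ] && [ -n "${APPLE_TEAM_ID:-}" ]
}

# Check the project directory, then put the secrets into the environment.
prepare_notarize_env() {
  dir="$1"
  if ! env_is_gitignored "$dir"; then
    echo ".env is not listed in $dir/.gitignore; refusing to continue" >&2
    return 1
  fi
  load_notarize_env "$dir/.env"
}

# Usage in a build step: prepare_notarize_env . && npx electron-builder --mac
```

Because the variables are exported from the current shell, run this in the same shell (or source the script) before invoking electron-builder; the afterSign hook reads them from the process environment.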