How to Notarize Electron Mac App by CLI
Currently, if you create a Mac app but do not distribute it through the Mac App Store, Apple asks developers to notarize the app. Otherwise, users who download your app and click to open it will receive an alert: "mac cannot be opened because the developer cannot be verified".
This post describes how to notarize a macOS app from the CLI. You must build and sign your app first.
For how to sign a Mac app, please see:
https://www.electronjs.org/docs/latest/tutorial/code-signing
https://nocommandline.com/blog/how-to-sign-an-electron-app-on-mac-with-electron-builder/
Generate App Specific Password
First, you must register an app-specific password. In this case we store it in the Keychain. Run:
xcrun altool --store-password-in-keychain-item "AC_PASSWORD" \
-u "$your_apple_id" \
-p "$your_app_password"
Note: AC_PASSWORD is the title of the record in the Keychain, $your_apple_id is your Apple ID email, and $your_app_password should be the app-specific password you have generated.
If you don't want to store it in the Keychain, you may replace each AC_PASSWORD reference with your password in plain text when you run the commands. Keep in mind that a password typed on the command line is saved in your shell history and is visible in the process list while the command runs.
Get Team ID
Run this command:
xcrun altool --list-providers -u "$your_apple_id" -p "@keychain:AC_PASSWORD"
You will see a team list; the column ProviderShortName is your Team ID.
Notarize App
After you build your Mac app (you must also sign it with a Developer ID Application certificate), let's notarize it from the CLI.
Run this command:
xcrun notarytool submit your-app.dmg --wait --apple-id "$your_apple_id" \
--password "@keychain:AC_PASSWORD" \
--team-id "$your_apple_team_id";
This will take a while and shows its progress; please wait for it. After the process has finished, run the following command:
xcrun stapler staple your-app.dmg
Now your app has been notarized. You can publish it on the web and let users download it.
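The submit and staple steps above can be wrapped so that stapling only happens when the notary service reports the submission as accepted. This is an added example, not part of the original post. It assumes `APPLE_ID` and `APPLE_TEAM_ID` are exported (names borrowed from the `.env` section below), that the keychain item is `AC_PASSWORD`, and that notarytool's `--output-format json` output carries `status` and `id` string fields; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: staple only if notarytool reports status "Accepted".
# Assumes APPLE_ID / APPLE_TEAM_ID are exported and the keychain item is AC_PASSWORD.

# Extract a string field from notarytool's JSON output without extra tools.
json_field() {  # usage: json_field <field> <json>
  printf '%s\n' "$2" |
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed only when the submission was accepted.
is_accepted() {  # usage: is_accepted <json>
  [ "$(json_field status "$1")" = "Accepted" ]
}

notarize_and_staple() {  # usage: notarize_and_staple <file.dmg>
  out=$(xcrun notarytool submit "$1" --wait --output-format json \
        --apple-id "$APPLE_ID" --password "@keychain:AC_PASSWORD" \
        --team-id "$APPLE_TEAM_ID") || return 1
  if ! is_accepted "$out"; then
    echo "notarization status: $(json_field status "$out")" >&2
    # Fetch the notary log so the reported issues can be fixed.
    xcrun notarytool log "$(json_field id "$out")" \
        --apple-id "$APPLE_ID" --password "@keychain:AC_PASSWORD" \
        --team-id "$APPLE_TEAM_ID" >&2
    return 1
  fi
  # Attach the ticket, then confirm it is really attached.
  xcrun stapler staple "$1" && xcrun stapler validate "$1"
}

# Constructed sample outputs (not captured from a real submission).
SAMPLE_OK='{"status":"Accepted","id":"00000000-0000-0000-0000-000000000000","message":"Processing complete"}'
SAMPLE_BAD='{"status":"Invalid","id":"11111111-1111-1111-1111-111111111111","message":"Processing complete"}'

# Run the pipeline only when a file is given on the command line.
if [ "$#" -ge 1 ]; then notarize_and_staple "$1"; fi
```

Saved as a script (the file name is up to you), it takes the path to the signed `.dmg` as its only argument and exits non-zero if the submission is not accepted or the stapled ticket fails validation.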
For Electron Builder
If you are using electron-builder, you can make this action automatic. Just install the package electron-builder-notarize:
npm i electron-builder-notarize --save-dev
# OR
yarn add electron-builder-notarize --dev
And add this config to electron-builder.config.json:
{
  ...
  "mac": {
    ...
    // Add the 2 lines below
    "hardenedRuntime": true,
    "entitlements": "./node_modules/electron-builder-notarize/entitlements.mac.inherit.plist"
  },
  "afterSign": "electron-builder-notarize" // <-- Add this line
  ...
}
And you must add an .env file (remember to ignore it from git):
APPLE_ID=...
APPLE_ID_PASSWORD=...
APPLE_TEAM_ID=...
Now, when you package your Electron app with electron-builder, it will automatically notarize your app every time.