Using rcodesign

The rcodesign executable provided by this project is a command-line interface for Apple code signing: signing, notarizing and stapling are each exposed as subcommands.

Signing with sign

The rcodesign sign command can be used to sign a filesystem path.

Unless you want to create an ad-hoc signature on a Mach-O binary, you’ll need to tell this command what code signing certificate to use.

To sign a Mach-O executable:

rcodesign sign \
  --p12-file developer-id.p12 --p12-password-file ~/.certificate-password \
  --code-signature-flags runtime \
  path/to/executable

To sign an .app bundle (and all Mach-O binaries inside):

rcodesign sign \
  --p12-file developer-id.p12 --p12-password-file ~/.certificate-password \
  path/to/My.app

To sign a DMG image:

rcodesign sign \
  --p12-file developer-id.p12 --p12-password-file ~/.certificate-password \
  path/to/app.dmg

To sign a .pkg installer:

rcodesign sign \
  --p12-file developer-id-installer.p12 --p12-password-file ~/.certificate-password \
  path/to/installer.pkg

Notarizing and Stapling

You can notarize a signed asset via rcodesign notarize.

Notarization requires an Apple Connect API Key. See Obtaining an Apple Connect API Key for instructions on how to obtain one.

Notarization also requires Apple’s Transporter tool. See Installing Apple Transporter for Notarization for more about Transporter. The rcodesign find-transporter command can be used to see if rcodesign can find Transporter.

You will need the API key file, named AuthKey_<ID>.p8, on disk in one of the default locations searched by Apple Transporter. These are $(pwd)/private_keys/, ~/private_keys/, ~/.private_keys/, and ~/.appstoreconnect/private_keys/.

You need to provide both the Key ID and the Issuer ID when invoking this command. Both can be found at https://appstoreconnect.apple.com/access/api.

To notarize an already signed asset:

rcodesign notarize \
  --api-issuer 68911d4c-110c-4172-b9f7-b7efa30f9680 \
  --api-key DEADBEEF \
  path/to/file/to/notarize

By default, notarize only uploads the asset to Apple and returns without waiting for a verdict. To wait on the notarization result, add --wait:

rcodesign notarize \
  --api-issuer 68911d4c-110c-4172-b9f7-b7efa30f9680 \
  --api-key DEADBEEF \
  --wait \
  path/to/file/to/notarize

Or, to wait and automatically staple the file if notarization succeeds:

rcodesign notarize \
  --api-issuer 68911d4c-110c-4172-b9f7-b7efa30f9680 \
  --api-key DEADBEEF \
  --staple \
  path/to/file/to/notarize

If notarization was interrupted, or was initiated on another machine, and you only want to staple an asset that has already been notarized, run rcodesign staple. For example:

rcodesign staple \
  --api-issuer 68911d4c-110c-4172-b9f7-b7efa30f9680 \
  --api-key DEADBEEF \
  path/to/file/to/staple
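The sign, notarize and staple steps above are usually run together in a release script. The following wrapper is an added example, not code from the rcodesign project or its documentation: it uses only the options shown above, and before touching the network it checks that the AuthKey_<ID>.p8 file is in one of the four default locations listed in the notarization section and that the certificate password file is readable by its owner only. The helper names, the RCODESIGN_* environment variables and the assumption that rcodesign is on PATH are this script's own conventions.

```shell
#!/bin/sh
# Added example (not part of rcodesign's own code or docs): a wrapper around the
# documented sign/notarize/staple commands that runs two pre-flight checks first.
# Assumptions: rcodesign is on PATH; the RCODESIGN_* environment variables and
# the helper function names below are this script's own conventions.
set -eu

# Print the path of AuthKey_<ID>.p8 if it sits in one of the default locations
# Apple Transporter searches (the four directories listed above); return 1 if
# it is missing, so the problem is caught before anything is uploaded.
find_api_key() {
    key_id="$1"
    for dir in "$(pwd)/private_keys" "$HOME/private_keys" \
               "$HOME/.private_keys" "$HOME/.appstoreconnect/private_keys"; do
        candidate="$dir/AuthKey_$key_id.p8"
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Return 0 only if the certificate password file is readable by its owner
# alone (mode 600 or 400). Tries GNU stat first, then BSD/macOS stat.
password_file_is_private() {
    pw_file="$1"
    [ -f "$pw_file" ] || return 1
    mode=$(stat -c '%a' "$pw_file" 2>/dev/null || stat -f '%Lp' "$pw_file")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Sign TARGET with the documented --p12-file/--p12-password-file options.
# Extra arguments are passed through to rcodesign sign, e.g.
# --code-signature-flags runtime for a bare Mach-O executable.
sign_path() {
    target="$1"; shift
    if ! password_file_is_private "$RCODESIGN_P12_PASSWORD_FILE"; then
        echo "refusing to sign: $RCODESIGN_P12_PASSWORD_FILE is readable by other users" >&2
        return 1
    fi
    rcodesign sign \
        --p12-file "$RCODESIGN_P12_FILE" \
        --p12-password-file "$RCODESIGN_P12_PASSWORD_FILE" \
        "$@" "$target"
}

# Upload TARGET, wait for Apple's verdict and staple the ticket on success
# (--staple waits for the result, as described above).
notarize_and_staple() {
    target="$1"
    if ! find_api_key "$RCODESIGN_API_KEY_ID" >/dev/null; then
        echo "AuthKey_$RCODESIGN_API_KEY_ID.p8 not found in any default location" >&2
        return 1
    fi
    rcodesign notarize \
        --api-issuer "$RCODESIGN_API_ISSUER" \
        --api-key "$RCODESIGN_API_KEY_ID" \
        --staple \
        "$target"
}

# Usage: sh sign-notarize.sh path/to/My.app [extra rcodesign sign options]
# with RCODESIGN_P12_FILE, RCODESIGN_P12_PASSWORD_FILE, RCODESIGN_API_ISSUER
# and RCODESIGN_API_KEY_ID set in the environment.
if [ "${1:-}" != "" ]; then
    target="$1"; shift
    sign_path "$target" "$@"
    notarize_and_staple "$target"
fi
```

For a .pkg installer, point RCODESIGN_P12_FILE at the installer certificate (developer-id-installer.p12 in the example above) rather than the application certificate; the script does not choose between them for you.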