Submitting application for notarization

In order to submit our application to Apple for notarization, we will zip it up and then use the notarytool submit command with the Keychain profile we saved in the previous section.

xcrun notarytool submit "/path/to/Omnis.zip" --keychain-profile "NotaryProfile" --wait

Once submitted, the --wait switch ensures the command doesn't return until the submission has been processed by the Apple notary service.

Without --wait, you will need to manually check if Apple's notary service has finished processing your submission.

---

If you cannot remember your Keychain profile, open the Keychain.app and search for notary: once found, look for the Account attribute - the last part of which will be the profile name.

For example, if the account attribute reads com.apple.gke.notary.tool.saved-creds.NotaryProfile, then your keychain profile name is NotaryProfile.

---

If your notarization comes back invalid like in the following case:

Processing complete
  id: 2667f8c3-dfee-4357-9703-dfb5f7648b50
  status: Invalid

You can use notarytool log to obtain more details on why it failed:

xcrun notarytool log 2667f8c3-dfee-4357-9703-dfb5f7648b50 --keychain-profile "NotaryProfile"

The log details will come back in JSON format:

...
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
...

And they will contain specifics:

...
    {
      "severity": "error",
      "code": null,
      "path": "[redacted]",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "arm64"
    }
...

You can use this information to identify the specific components that are preventing a successful notarization.