Asc Notarization

Name: Asc Notarization
Author: rorkai

rorkai/app-store-connect-cli-skills

Install when you ship a macOS app outside the Mac App Store and must archive, sign with Developer ID, and pass Apple notarization via xcodebuild and asc.

Install

npx skills add https://github.com/rorkai/app-store-connect-cli-skills --skill asc-notarization

What is this skill?

End-to-end macOS archive, export, Developer ID signing, and Apple notarization workflow
Preflight: verify Developer ID Application identity via security find-identity
Documents asc auth (asc auth login or ASC_* env) and Xcode CLI prerequisites
Troubleshooting path for Invalid trust settings / errSecInternalComponent on codesign
Notes that Developer ID certs are created in Apple Developer portal—not via App Store Connect API alone

Adoption & trust: 621 installs on skills.sh; 845 GitHub stars; 1/3 security scanners passed (skills.sh audits).

Recommended Skills

Release Skillsjimliu/baoyu-skills

release-skills is a universal agent workflow for solo and indie builders who are ready to ship a new version instead of …19.5k installs·20.9k stars

Changelog Automationwshobson/agents

Changelog Automation is an agent skill for solo and indie builders who ship software on a regular cadence and want relea…8.9k installs·36.5k stars

Msstore Cligithub/awesome-copilot

Microsoft Store Developer CLI (msstore) is an agent skill that teaches coding agents how to operate Microsoft’s Store pu…6.8k installs·34.6k stars

Changelog Generatorcomposiohq/awesome-claude-skills

Changelog-generator is an agent skill that automates the tedious translation from git commits to readable release docume…4.4k installs·63.7k stars

Shopify App Store Reviewshopify/shopify-ai-toolkit

Shopify App Store Review is an agent skill from Shopify’s AI toolkit that helps solo and indie builders stress-test a Sh…3.8k installs·373 stars

Shipping And Launchaddyosmani/agent-skills

shipping-and-launch is an agent skill that walks solo builders through deploying to production with discipline: every la…3.8k installs·49.1k stars

Journey fit

Primary fit

Notarization is a gate immediately before distributing a signed macOS binary—classic Ship work, not idea or grow analytics. Launch subphase under Ship captures outbound distribution readiness (DMG/pkg) after the app already builds and reviews clean.

Common Questions / FAQ

Is Asc Notarization safe to install?

skills.sh reports 1 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.

SKILL.md

READMESKILL.md - Asc Notarization

# macOS Notarization

Use this skill when you need to notarize a macOS app for distribution outside the App Store.

## Preconditions
- Xcode installed and command line tools configured.
- Auth is configured (`asc auth login` or `ASC_*` env vars).
- A Developer ID Application certificate in the local keychain.
- The app's Xcode project builds for macOS.

## Preflight: Verify Signing Identity

Before archiving, confirm a valid Developer ID Application identity exists:

```bash
security find-identity -v -p codesigning | grep "Developer ID Application"
```

If no identity is found, create one at https://developer.apple.com/account/resources/certificates/add (the App Store Connect API does not support creating Developer ID certificates).

### Fix Broken Trust Settings

If `codesign` or `xcodebuild` fails with "Invalid trust settings" or "errSecInternalComponent", the certificate may have custom trust overrides that break the chain:

```bash
# Check for custom trust settings
security dump-trust-settings 2>&1 | grep -A1 "Developer ID"

# If overrides exist, export the cert and remove them
security find-certificate -c "Developer ID Application" -p ~/Library/Keychains/login.keychain-db > /tmp/devid-cert.pem
security remove-trusted-cert /tmp/devid-cert.pem
```

### Verify Certificate Chain

After fixing trust settings, verify the chain is intact:

```bash
codesign --deep --force --options runtime --sign "Developer ID Application: YOUR NAME (TEAM_ID)" /path/to/any.app 2>&1
```

The signing must show the chain: Developer ID Application → Developer ID Certification Authority → Apple Root CA.

## Step 1: Archive

```bash
xcodebuild archive \
  -scheme "YourMacScheme" \
  -configuration Release \
  -archivePath /tmp/YourApp.xcarchive \
  -destination "generic/platform=macOS"
```

## Step 2: Export with Developer ID

Create an ExportOptions plist for Developer ID distribution:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>method</key>
    <string>developer-id</string>
    <key>signingStyle</key>
    <string>automatic</string>
    <key>teamID</key>
    <string>YOUR_TEAM_ID</string>
</dict>
</plist>
```

Export the archive:

```bash
xcodebuild -exportArchive \
  -archivePath /tmp/YourApp.xcarchive \
  -exportPath /tmp/YourAppExport \
  -exportOptionsPlist ExportOptions.plist
```

This produces a `.app` bundle signed with Developer ID Application and a secure timestamp.

### Verify the Export

```bash
codesign -dvvv "/tmp/YourAppExport/YourApp.app" 2>&1 | grep -E "Authority|Timestamp"
```

Confirm:
- Authority chain starts with "Developer ID Application"
- A Timestamp is present

## Step 3: Create a ZIP for Notarization

```bash
ditto -c -k --keepParent "/tmp/YourAppExport/YourApp.app" "/tmp/YourAppExport/YourApp.zip"
```

## Step 4: Submit for Notarization

### Fire-and-forget
```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip"
```

### Wait for result
```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait
```

### Custom polling
```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait --poll-interval 30s --timeout 1h
```

## Step 5: Check Results

### Status
```bash
asc notarization status --id "SUBMISSION_ID" --output table
```

### Developer Log (for failures)
```bash
asc notarization log --id "SUBMISSION_ID"
```

Fetch the log URL to see detailed issues:
```bash
curl -sL "LOG_URL" | python3 -m json.tool
```

### List Previous Submissions
```bash
asc notarization list --output table
asc notarization list --limit 5 --output table
```

## Step 6: Staple (Optional)

After notarization succeeds, staple t

What is this skill?

End-to-end macOS archive, export, Developer ID signing, and Apple notarization workflow

Preflight: verify Developer ID Application identity via security find-identity

Documents asc auth (asc auth login or ASC_* env) and Xcode CLI prerequisites

Troubleshooting path for Invalid trust settings / errSecInternalComponent on codesign

Notes that Developer ID certs are created in Apple Developer portal—not via App Store Connect API alone

Adoption & trust: 621 installs on skills.sh; 845 GitHub stars; 1/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

SKILL.md

READMESKILL.md - Asc Notarization

# macOS Notarization

Use this skill when you need to notarize a macOS app for distribution outside the App Store.

## Preconditions
- Xcode installed and command line tools configured.
- Auth is configured (`asc auth login` or `ASC_*` env vars).
- A Developer ID Application certificate in the local keychain.
- The app's Xcode project builds for macOS.

## Preflight: Verify Signing Identity

Before archiving, confirm a valid Developer ID Application identity exists:

```bash
security find-identity -v -p codesigning | grep "Developer ID Application"
```

If no identity is found, create one at https://developer.apple.com/account/resources/certificates/add (the App Store Connect API does not support creating Developer ID certificates).

### Fix Broken Trust Settings

If `codesign` or `xcodebuild` fails with "Invalid trust settings" or "errSecInternalComponent", the certificate may have custom trust overrides that break the chain:

```bash
# Check for custom trust settings
security dump-trust-settings 2>&1 | grep -A1 "Developer ID"

# If overrides exist, export the cert and remove them
security find-certificate -c "Developer ID Application" -p ~/Library/Keychains/login.keychain-db > /tmp/devid-cert.pem
security remove-trusted-cert /tmp/devid-cert.pem
```

### Verify Certificate Chain

After fixing trust settings, verify the chain is intact:

```bash
codesign --deep --force --options runtime --sign "Developer ID Application: YOUR NAME (TEAM_ID)" /path/to/any.app 2>&1
```

The signing must show the chain: Developer ID Application → Developer ID Certification Authority → Apple Root CA.

## Step 1: Archive

```bash
xcodebuild archive \
  -scheme "YourMacScheme" \
  -configuration Release \
  -archivePath /tmp/YourApp.xcarchive \
  -destination "generic/platform=macOS"
```

## Step 2: Export with Developer ID

Create an ExportOptions plist for Developer ID distribution:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>method</key>
    <string>developer-id</string>
    <key>signingStyle</key>
    <string>automatic</string>
    <key>teamID</key>
    <string>YOUR_TEAM_ID</string>
</dict>
</plist>
```

Export the archive:

```bash
xcodebuild -exportArchive \
  -archivePath /tmp/YourApp.xcarchive \
  -exportPath /tmp/YourAppExport \
  -exportOptionsPlist ExportOptions.plist
```

This produces a `.app` bundle signed with Developer ID Application and a secure timestamp.

### Verify the Export

```bash
codesign -dvvv "/tmp/YourAppExport/YourApp.app" 2>&1 | grep -E "Authority|Timestamp"
```

Confirm:
- Authority chain starts with "Developer ID Application"
- A Timestamp is present

## Step 3: Create a ZIP for Notarization

```bash
ditto -c -k --keepParent "/tmp/YourAppExport/YourApp.app" "/tmp/YourAppExport/YourApp.zip"
```

## Step 4: Submit for Notarization

### Fire-and-forget
```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip"
```

### Wait for result
```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait
```

### Custom polling
```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait --poll-interval 30s --timeout 1h
```

## Step 5: Check Results

### Status
```bash
asc notarization status --id "SUBMISSION_ID" --output table
```

### Developer Log (for failures)
```bash
asc notarization log --id "SUBMISSION_ID"
```

Fetch the log URL to see detailed issues:
```bash
curl -sL "LOG_URL" | python3 -m json.tool
```

### List Previous Submissions
```bash
asc notarization list --output table
asc notarization list --limit 5 --output table
```

## Step 6: Staple (Optional)

After notarization succeeds, staple t

Install

What is this skill?

Recommended Skills

Journey fit

Is Asc Notarization safe to install?

SKILL.md

This week for builders

Install

What is this skill?

Recommended Skills

Journey fit

Is Asc Notarization safe to install?

SKILL.md