
Asc Notarization
Archive, export, and notarize a macOS app with Developer ID signing and Apple notarization via xcodebuild and the asc CLI for distribution outside the Mac App Store.
Overview
Asc-notarization is an agent skill for the Ship phase that prepares Developer ID–signed macOS apps for Apple notarization using xcodebuild and asc.
Install
npx skills add https://github.com/rudrankriyam/app-store-connect-cli-skills --skill asc-notarization
What is this skill?
- End-to-end macOS notarization workflow with xcodebuild archive/export plus asc
- Preflight codesign identity check and guidance when Developer ID certs are missing
- Trust-settings troubleshooting for Invalid trust settings and errSecInternalComponent
- Requires asc auth (login or ASC_* env) and Xcode command line tools
- Explicit note that App Store Connect API cannot create Developer ID certificates
Adoption & trust: 2k installs on skills.sh; 845 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your macOS app is ready to ship direct to users but archive, codesign, or notarization fails on certs, trust settings, or ASC auth.
Who is it for?
Solo macOS indie devs distributing signed .dmg or zip builds with asc and Xcode already in the loop.
Skip if: iOS-only App Store submissions or teams with no Developer ID certificate and no plan to create one in the developer portal.
When should I use this skill?
Archive, export, and notarize macOS apps with Developer ID signing and Apple notarization via xcodebuild and asc.
What do I get? / Deliverables
You get a notarized, Gatekeeper-ready macOS build distributed outside the App Store with documented preflight and cert fixes.
- Notarized macOS build artifact
- Documented archive/export commands
- Resolved codesign trust and identity preflight
Journey fit
Notarization is a shipping gate for macOS binaries you distribute directly to users, after the app builds and before download links go live. Launch covers distribution mechanics outside store listings—Developer ID signing and Apple notarization are the last mile for downloadable macOS builds.
How it compares
macOS Developer ID notarization workflow—not iOS TestFlight upload or generic cross-platform release tagging.
Common Questions / FAQ
Who is asc-notarization for?
Indie macOS developers using asc and Xcode who need Apple notarization for non–App Store distribution.
When should I use asc-notarization?
In Ship launch prep when exporting a Release archive, fixing codesign trust errors, or submitting a build for notarization before publishing a download.
Is asc-notarization safe to install?
Review Security Audits on this page; the workflow uses keychain certs and ASC credentials—never paste production secrets into untrusted logs.
SKILL.md - Asc Notarization
# macOS Notarization

Use this skill when you need to notarize a macOS app for distribution outside the App Store.

## Preconditions

- Xcode installed and command line tools configured.
- Auth is configured (`asc auth login` or `ASC_*` env vars).
- A Developer ID Application certificate in the local keychain.
- The app's Xcode project builds for macOS.

## Preflight: Verify Signing Identity

Before archiving, confirm a valid Developer ID Application identity exists:

```bash
security find-identity -v -p codesigning | grep "Developer ID Application"
```

If no identity is found, create one at https://developer.apple.com/account/resources/certificates/add (the App Store Connect API does not support creating Developer ID certificates).

### Fix Broken Trust Settings

If `codesign` or `xcodebuild` fails with "Invalid trust settings" or "errSecInternalComponent", the certificate may have custom trust overrides that break the chain:

```bash
# Check for custom trust settings
security dump-trust-settings 2>&1 | grep -A1 "Developer ID"

# If overrides exist, export the cert and remove them
security find-certificate -c "Developer ID Application" -p ~/Library/Keychains/login.keychain-db > /tmp/devid-cert.pem
security remove-trusted-cert /tmp/devid-cert.pem
```

### Verify Certificate Chain

After fixing trust settings, verify the chain is intact:

```bash
codesign --deep --force --options runtime --sign "Developer ID Application: YOUR NAME (TEAM_ID)" /path/to/any.app 2>&1
```

The signing must show the chain: Developer ID Application → Developer ID Certification Authority → Apple Root CA.

## Step 1: Archive

```bash
xcodebuild archive \
  -scheme "YourMacScheme" \
  -configuration Release \
  -archivePath /tmp/YourApp.xcarchive \
  -destination "generic/platform=macOS"
```

## Step 2: Export with Developer ID

Create an ExportOptions plist for Developer ID distribution:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>method</key>
    <string>developer-id</string>
    <key>signingStyle</key>
    <string>automatic</string>
    <key>teamID</key>
    <string>YOUR_TEAM_ID</string>
</dict>
</plist>
```

Export the archive:

```bash
xcodebuild -exportArchive \
  -archivePath /tmp/YourApp.xcarchive \
  -exportPath /tmp/YourAppExport \
  -exportOptionsPlist ExportOptions.plist
```

This produces a `.app` bundle signed with Developer ID Application and a secure timestamp.

### Verify the Export

```bash
codesign -dvvv "/tmp/YourAppExport/YourApp.app" 2>&1 | grep -E "Authority|Timestamp"
```

Confirm:

- Authority chain starts with "Developer ID Application"
- A Timestamp is present

## Step 3: Create a ZIP for Notarization

```bash
ditto -c -k --keepParent "/tmp/YourAppExport/YourApp.app" "/tmp/YourAppExport/YourApp.zip"
```

## Step 4: Submit for Notarization

### Fire-and-forget

```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip"
```

### Wait for result

```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait
```

### Custom polling

```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait --poll-interval 30s --timeout 1h
```

## Step 5: Check Results

### Status

```bash
asc notarization status --id "SUBMISSION_ID" --output table
```

### Developer Log (for failures)

```bash
asc notarization log --id "SUBMISSION_ID"
```

Fetch the log URL to see detailed issues:

```bash
curl -sL "LOG_URL" | python3 -m json.tool
```

### List Previous Submissions

```bash
asc notarization list --output table
asc notarization list --limit 5 --output table
```

## Step 6: Staple (Optional)

After notarization succeeds, staple t
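The "Preflight: Verify Signing Identity" and "Verify the Export" steps above both rely on a human reading tool output. The script below is an added example, not part of the asc-notarization skill or the asc CLI: it wraps the same two checks in shell functions that parse `security find-identity -v -p codesigning` and `codesign -dvvv` output and fail with a specific reason, so a release script stops before archiving on a missing Developer ID identity and before zipping on a chain that does not end at Apple Root CA or lacks a secure timestamp. The sample outputs, the all-zero certificate hash, "Example Dev" and "TEAMID0000" are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the skill's or asc's code): preflight helpers that parse
# `security find-identity` and `codesign -dvvv` output and fail early with a
# specific reason instead of surfacing the problem at notarization time.
# All sample outputs below are constructed; hash, name and team ID are placeholders.

# Reads `security find-identity -v -p codesigning` output on stdin and prints
# the SHA-1 of the first valid Developer ID Application identity.
# Returns 1 when the keychain holds no such identity.
find_devid_identity() {
  id_hash=$(grep 'Developer ID Application' | head -n 1 | awk '{print $2}')
  [ -n "$id_hash" ] || return 1
  printf '%s\n' "$id_hash"
}

# Reads `codesign -dvvv <app> 2>&1` output on stdin and checks that the
# Authority lines form the chain Developer ID Application ->
# Developer ID Certification Authority -> Apple Root CA, in that order, and
# that a Timestamp line (secure timestamp) is present.
# Prints the first failing condition and returns 1; prints "chain ok" on success.
verify_devid_chain() {
  out=$(cat)
  authorities=$(printf '%s\n' "$out" | sed -n 's/^Authority=//p')
  leaf=$(printf '%s\n' "$authorities" | sed -n '1p')
  inter=$(printf '%s\n' "$authorities" | sed -n '2p')
  root=$(printf '%s\n' "$authorities" | sed -n '3p')
  case "$leaf" in
    "Developer ID Application:"*) ;;
    *) echo "leaf certificate is not Developer ID Application: '$leaf'"; return 1 ;;
  esac
  [ "$inter" = "Developer ID Certification Authority" ] || {
    echo "missing Developer ID Certification Authority intermediate (check trust settings)"; return 1; }
  [ "$root" = "Apple Root CA" ] || { echo "chain does not end at Apple Root CA"; return 1; }
  printf '%s\n' "$out" | grep -q '^Timestamp=' || {
    echo "no secure timestamp in signature"; return 1; }
  echo "chain ok"
}

# Constructed sample: what `security find-identity -v -p codesigning` prints
# when one valid Developer ID identity is present (placeholder hash and name).
SAMPLE_IDENTITIES='  1) 0000000000000000000000000000000000000000 "Developer ID Application: Example Dev (TEAMID0000)"
     1 valid identities found'

# Constructed sample: `codesign -dvvv` output for a correctly exported app.
SAMPLE_CODESIGN_OK='Executable=/tmp/YourAppExport/YourApp.app/Contents/MacOS/YourApp
Identifier=com.example.yourapp
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Dev (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 1, 2024 at 12:00:00 PM'

# Constructed sample: a signature whose chain skips the Developer ID
# intermediate and carries no timestamp (what broken trust settings look like).
SAMPLE_CODESIGN_BAD='Executable=/tmp/YourAppExport/YourApp.app/Contents/MacOS/YourApp
Identifier=com.example.yourapp
Authority=Developer ID Application: Example Dev (TEAMID0000)
Authority=Apple Root CA'

# Runs both checks against the constructed samples. Live usage is:
#   security find-identity -v -p codesigning | find_devid_identity
#   codesign -dvvv "/tmp/YourAppExport/YourApp.app" 2>&1 | verify_devid_chain
preflight_demo() {
  printf '%s\n' "$SAMPLE_IDENTITIES" | find_devid_identity || return 1
  printf '%s\n' "$SAMPLE_CODESIGN_OK" | verify_devid_chain
}

preflight_demo
```

Both helpers read from stdin on purpose: the same functions work on the live tool output and on saved output from a CI log, and the ordered check catches the case where a chain has the right certificates but a custom trust override has reordered or dropped the intermediate, which a plain `grep Authority` would miss.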