
Asc Notarization
Archive, sign with Developer ID, export, and notarize a macOS app for distribution outside the Mac App Store using xcodebuild and asc.
Overview
Asc-notarization is an agent skill for the Ship phase that walks through Developer ID signing, archive/export, and Apple notarization for macOS apps distributed outside the App Store.
Install
npx skills add https://github.com/rudrankriyam/asc-skills --skill asc-notarization
What is this skill?
- Preflight codesigning identity check via security find-identity for Developer ID Application
- Archive and export flow with xcodebuild plus asc CLI for notarization
- Documents broken trust settings remediation (dump-trust-settings, remove-trusted-cert)
- Requires asc authentication and a Developer ID Application certificate already in the keychain; that certificate cannot be created through the App Store Connect API, only in the developer portal
- Explicit preconditions: Xcode CLI, macOS target, keychain certificate
Adoption & trust: 914 installs on skills.sh; 845 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have a macOS Xcode project ready to ship as a direct download, but Gatekeeper requires a notarized Developer ID build and the signing chain keeps failing.
Who is it for?
Solo Mac app authors distributing DMGs or zip builds with Developer ID and asc already in their toolchain.
Skip if: iOS App Store submission-only flows, Windows/Linux packaging, or teams without a paid Apple Developer Program and local signing cert.
When should I use this skill?
Need to archive, export, and notarize a macOS app for non–App Store distribution with Developer ID signing and asc.
What do I get? / Deliverables
You follow a verified preflight, archive, export, and asc notarization sequence—and fix trust-settings issues—so users can open your app outside the Mac App Store.
- Notarized macOS build ready for staple and distribution
How it compares
macOS notarization runbook with asc—not a generic cross-platform CI template or TestFlight-only guide.
Common Questions / FAQ
Who is asc-notarization for?
Indie macOS developers using Xcode and the asc CLI to notarize Developer ID builds for direct distribution.
When should I use asc-notarization?
In ship when preparing a release build for download outside the Mac App Store, after feature work is done and you need Apple notarization stapling.
Is asc-notarization safe to install?
The skill instructs shell, keychain, and signing operations you should run only on trusted machines; review the Security Audits panel on this page before install.
SKILL.md - Asc Notarization
# macOS Notarization

Use this skill when you need to notarize a macOS app for distribution outside the App Store.

## Preconditions

- Xcode installed and command line tools configured.
- Auth is configured (`asc auth login` or `ASC_*` env vars).
- A Developer ID Application certificate in the local keychain.
- The app's Xcode project builds for macOS.

## Preflight: Verify Signing Identity

Before archiving, confirm a valid Developer ID Application identity exists:

```bash
security find-identity -v -p codesigning | grep "Developer ID Application"
```

If no identity is found, create one at https://developer.apple.com/account/resources/certificates/add (the App Store Connect API does not support creating Developer ID certificates).

### Fix Broken Trust Settings

If `codesign` or `xcodebuild` fails with "Invalid trust settings" or "errSecInternalComponent", the certificate may have custom trust overrides that break the chain. (Over SSH or in a CI session the same errSecInternalComponent error is more often a locked login keychain; unlock it before blaming trust settings.)

```bash
# Check for custom trust settings
security dump-trust-settings 2>&1 | grep -A1 "Developer ID"

# If overrides exist, export the cert and remove them
security find-certificate -c "Developer ID Application" -p ~/Library/Keychains/login.keychain-db > /tmp/devid-cert.pem
security remove-trusted-cert /tmp/devid-cert.pem
```

`dump-trust-settings` without flags shows the user domain only; pass `-d` to check the admin domain as well, since overrides installed by an MDM profile or a previous `add-trusted-cert -d` live there.

### Verify Certificate Chain

After fixing trust settings, confirm that signing works end to end by test-signing a scratch copy of any app bundle:

```bash
codesign --deep --force --options runtime --sign "Developer ID Application: YOUR NAME (TEAM_ID)" /path/to/any.app 2>&1
```

A clean run exits 0 and prints nothing; any chain problem surfaces here as an error. Use a throwaway copy for this test: `--force` replaces the existing signature, and Apple advises against `--deep` for production signing (nested code should be signed individually, inside out). The resulting signature must carry the chain Developer ID Application → Developer ID Certification Authority → Apple Root CA; the Verify the Export step below shows how to read that chain back from a signed bundle with `codesign -dvvv`.
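Pinning the identity by hash is the check I would add at this point. The block below is an added example, not code from the asc-skills repository: it parses the output of `security find-identity -v -p codesigning` in plain shell so the logic can be exercised offline, and the three sample reports, the Example Corp name, the team ID ABCDE12345 and the hashes are constructed. It handles two cases the grep above waves through: a keychain that holds only Apple Development certificates (Gatekeeper will not accept those for direct distribution), and two Developer ID Application certificates with the same name (an old one beside its renewal), which makes `codesign --sign "Developer ID Application: ..."` fail as ambiguous.

```sh
#!/bin/sh
# Added example, not part of the asc-skills repo. Pins the Developer ID Application
# identity by SHA-1 hash instead of display name: codesign accepts a hash for --sign,
# and that sidesteps the "ambiguous" error you get when the keychain holds two certs
# with the same name (a renewed cert next to the old one is the usual cause). The
# parser is pure shell so it can be checked offline; devid_identity wires it to the
# real `security` command on a Mac. Sample reports below are constructed, not captured.
set -eu

# devid_hash_from_report REPORT
#   REPORT is the text of `security find-identity -v -p codesigning`.
#   Prints the hash of the single valid Developer ID Application identity.
#   Exit 0 = found, 1 = none (only Apple Development/Mac Developer certs, or nothing),
#   2 = more than one (ambiguous), 3 = text is not a find-identity report.
devid_hash_from_report() {
    # Only the "Valid identities only" section counts: the "Matching identities"
    # section above it also lists expired and revoked certificates.
    valid=$(printf '%s\n' "$1" | awk '/Valid identities only/ { f = 1; next } f')
    [ -n "$valid" ] || return 3
    # Lines look like:  1) <40 hex chars> "Developer ID Application: Name (TEAMID)"
    hashes=$(printf '%s\n' "$valid" \
        | awk -F'"' '/"Developer ID Application:/ { split($1, a, " "); print a[2] }')
    n=$(printf '%s\n' "$hashes" | awk 'NF { c++ } END { print c + 0 }')
    case $n in
        0) echo "preflight: no valid Developer ID Application identity in keychain" >&2
           return 1 ;;
        1) printf '%s\n' "$hashes" ;;
        *) echo "preflight: $n Developer ID Application identities, pick one hash:" >&2
           printf '%s\n' "$hashes" >&2
           return 2 ;;
    esac
}

# devid_identity: run the real preflight on a Mac and print the hash to use with --sign.
devid_identity() {
    devid_hash_from_report "$(security find-identity -v -p codesigning)"
}

# Constructed sample: one Developer ID cert beside a development cert.
SAMPLE_ONE='Policy: Code Signing
  Matching identities
  1) 0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C "Developer ID Application: Example Corp (ABCDE12345)"
  2) 5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A "Apple Development: dev@example.com (ABCDE12345)"
     2 identities found

  Valid identities only
  1) 0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C "Developer ID Application: Example Corp (ABCDE12345)"
  2) 5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A "Apple Development: dev@example.com (ABCDE12345)"
     2 valid identities found'

# Constructed sample: only a development cert is valid.
SAMPLE_NONE='Policy: Code Signing
  Matching identities
  1) 5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A "Apple Development: dev@example.com (ABCDE12345)"
     1 identities found

  Valid identities only
  1) 5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A "Apple Development: dev@example.com (ABCDE12345)"
     1 valid identities found'

# Constructed sample: old and renewed Developer ID certs side by side (ambiguous by name).
SAMPLE_TWO='Policy: Code Signing
  Matching identities
  1) 0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C "Developer ID Application: Example Corp (ABCDE12345)"
  2) C0FFEEC0FFEEC0FFEEC0FFEEC0FFEEC0FFEEC0FF "Developer ID Application: Example Corp (ABCDE12345)"
     2 identities found

  Valid identities only
  1) 0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C "Developer ID Application: Example Corp (ABCDE12345)"
  2) C0FFEEC0FFEEC0FFEEC0FFEEC0FFEEC0FFEEC0FF "Developer ID Application: Example Corp (ABCDE12345)"
     2 valid identities found'

# On a Mac:  codesign --options runtime --timestamp --sign "$(sh preflight.sh --check)" Your.app
if [ "${1:-}" = "--check" ]; then
    devid_identity
fi
```

The hash printed by `--check` can be used anywhere a signing identity name is accepted, including `CODE_SIGN_IDENTITY` in an xcodebuild invocation, which is the cleanest way to keep a CI box with several certificates from picking the wrong one.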
## Step 1: Archive

```bash
xcodebuild archive \
  -scheme "YourMacScheme" \
  -configuration Release \
  -archivePath /tmp/YourApp.xcarchive \
  -destination "generic/platform=macOS"
```

## Step 2: Export with Developer ID

Create an ExportOptions plist for Developer ID distribution:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>method</key>
    <string>developer-id</string>
    <key>signingStyle</key>
    <string>automatic</string>
    <key>teamID</key>
    <string>YOUR_TEAM_ID</string>
</dict>
</plist>
```

Export the archive:

```bash
xcodebuild -exportArchive \
  -archivePath /tmp/YourApp.xcarchive \
  -exportPath /tmp/YourAppExport \
  -exportOptionsPlist ExportOptions.plist
```

This produces a `.app` bundle signed with Developer ID Application and a secure timestamp.

### Verify the Export

```bash
codesign -dvvv "/tmp/YourAppExport/YourApp.app" 2>&1 | grep -E "Authority|Timestamp"
```

Confirm:

- The Authority chain starts with "Developer ID Application", followed by "Developer ID Certification Authority" and "Apple Root CA"
- A Timestamp line is present (no line at all means the signature has no secure timestamp, and notarization will reject it)

The full `codesign -dvvv` output is also worth a glance for `(runtime)` in the `CodeDirectory` flags: the hardened runtime is a notarization requirement, and a build without it fails at the notary service rather than here.

## Step 3: Create a ZIP for Notarization

```bash
ditto -c -k --keepParent "/tmp/YourAppExport/YourApp.app" "/tmp/YourAppExport/YourApp.zip"
```

## Step 4: Submit for Notarization

### Fire-and-forget

```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip"
```

### Wait for result

```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait
```

### Custom polling

```bash
asc notarization submit --file "/tmp/YourAppExport/YourApp.zip" --wait --poll-interval 30s --timeout 1h
```

## Step 5: Check Results

### Status

```bash
asc notarization status --id "SUBMISSION_ID" --output table
```

### Developer Log (for failures)

```bash
asc notarization log --id "SUBMISSION_ID"
```

Fetch the log URL to see detailed issues:

```bash
curl -sL "LOG_URL" | python3 -m json.tool
```

### List Previous Submissions

```bash
asc notarization list --output table
asc notarization list --limit 5 --output table
```

## Step 6: Staple (Optional)

After notarization succeeds, staple t
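Steps 1 to 6 as one release script, added here as an example and not taken from the skill. YourMacScheme, YourApp, the /tmp paths and the sample `codesign -dvvv` reports are placeholders or constructed. The verification step becomes a gate that checks the full Authority chain, the secure Timestamp and the hardened-runtime flag before anything is uploaded, and the tail of the script covers what a stapling step has to deal with: a zip cannot be stapled, so after `xcrun stapler staple` the distribution zip is rebuilt from the stapled bundle. Whether `asc notarization submit --wait` exits non-zero on a rejected submission is an assumption; `stapler` fails on its own when no ticket exists, so the pipeline stops either way. Only the report parser runs offline; the pipeline function needs a Mac with Xcode and asc.

```sh
#!/bin/sh
# Added example, not from the asc-skills repo. Wraps the Step 1-6 sequence in a release
# script whose "verify the export" step is a real gate rather than a grep to eyeball.
# check_codesign_report parses the text of `codesign -dvvv App.app 2>&1` and fails
# unless the Authority chain is exactly Developer ID Application -> Developer ID
# Certification Authority -> Apple Root CA, a secure Timestamp is present, and the
# hardened runtime flag is set (the notary service rejects builds without it).
# Scheme, app and team names are placeholders; sample reports are constructed.
set -eu

# nth_authority REPORT N: print the N-th Authority= value of a codesign -dvvv report.
nth_authority() {
    printf '%s\n' "$1" | awk -v n="$2" 'sub(/^Authority=/, "") { if (++c == n) { print; exit } }'
}

# check_codesign_report REPORT: return 0 when the report is notarization-ready,
# otherwise print every problem found to stderr and return 1.
check_codesign_report() {
    rep=$1
    bad=0
    leaf=$(nth_authority "$rep" 1)
    case $leaf in
        "Developer ID Application:"*) ;;
        "") echo "check: no Authority lines (ad-hoc or unsigned)" >&2; bad=1 ;;
        *)  echo "check: leaf cert is '$leaf', not Developer ID Application" >&2; bad=1 ;;
    esac
    [ "$(nth_authority "$rep" 2)" = "Developer ID Certification Authority" ] \
        || { echo "check: intermediate is not Developer ID Certification Authority" >&2; bad=1; }
    [ "$(nth_authority "$rep" 3)" = "Apple Root CA" ] \
        || { echo "check: root is not Apple Root CA" >&2; bad=1; }
    printf '%s\n' "$rep" | grep -q '^Timestamp=' \
        || { echo "check: no secure timestamp (sign with --timestamp)" >&2; bad=1; }
    printf '%s\n' "$rep" | grep -q '^CodeDirectory .*runtime' \
        || { echo "check: hardened runtime not enabled (--options runtime)" >&2; bad=1; }
    return $bad
}

# release_pipeline SCHEME APPNAME: archive, export, gate, zip, notarize, staple, re-zip.
# Mac only; ExportOptions.plist is the Step 2 file in the current directory.
release_pipeline() {
    scheme=$1; app=$2
    out=/tmp/${app}Export
    xcodebuild archive -scheme "$scheme" -configuration Release \
        -archivePath "/tmp/$app.xcarchive" -destination "generic/platform=macOS"
    xcodebuild -exportArchive -archivePath "/tmp/$app.xcarchive" \
        -exportPath "$out" -exportOptionsPlist ExportOptions.plist
    # Gate before uploading: a bad chain fails here, not in the notary log minutes later.
    check_codesign_report "$(codesign -dvvv "$out/$app.app" 2>&1)"
    ditto -c -k --keepParent "$out/$app.app" "$out/$app.zip"
    # Assumed: asc exits non-zero when the submission is not Accepted. Even if it does
    # not, stapler below fails when no ticket exists, so the pipeline still stops.
    asc notarization submit --file "$out/$app.zip" --wait
    xcrun stapler staple "$out/$app.app"
    # The uploaded zip cannot carry a ticket; rebuild the distribution zip from the stapled app.
    rm -f "$out/$app.zip"
    ditto -c -k --keepParent "$out/$app.app" "$out/$app.zip"
    # Final Gatekeeper view: expect "accepted source=Notarized Developer ID".
    spctl --assess --type execute -vv "$out/$app.app"
}

# Constructed sample reports (abridged codesign -dvvv output, not captured from a real build).
SAMPLE_GOOD='Executable=/tmp/YourAppExport/YourApp.app/Contents/MacOS/YourApp
Identifier=com.example.YourApp
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=10 Mar 2025 at 12:34:56
TeamIdentifier=ABCDE12345'
# Development cert, no timestamp, no hardened runtime: four distinct failures.
SAMPLE_DEV='Executable=/tmp/YourAppExport/YourApp.app/Contents/MacOS/YourApp
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+7 location=embedded
Authority=Apple Development: dev@example.com (ABCDE12345)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
# Ad-hoc signature (a plain Debug build): no chain at all.
SAMPLE_ADHOC='Executable=/tmp/YourApp.app/Contents/MacOS/YourApp
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc'

# On a Mac:  sh notarize.sh run YourMacScheme YourApp
if [ "${1:-}" = "run" ]; then
    release_pipeline "$2" "$3"
fi
```

Because the gate reads the same `codesign -dvvv` text the Verify the Export step greps, it can be dropped into an existing script without changing how the bundle is built; the only Mac-specific calls are inside `release_pipeline`.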