npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@electron/notarize

v2.5.0

Published

Notarize your Electron app

Downloads

2,073,043

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

electron-cfaelectron-cfa

Keywords

Readme

Electron Notarize

Notarize your Electron apps seamlessly for macOS

CircleCI status NPM package

Installation

npm install @electron/notarize --save-dev

What is app "notarization"?

From Apple's docs in XCode:

A notarized app is a macOS app that was uploaded to Apple for processing before it was distributed. When you export a notarized app from Xcode, it code signs the app with a Developer ID certificate and staples a ticket from Apple to the app. The ticket confirms that you previously uploaded the app to Apple.

On macOS 10.14 and later, the user can launch notarized apps when Gatekeeper is enabled. When the user first launches a notarized app, Gatekeeper looks for the app’s ticket online. If the user is offline, Gatekeeper looks for the ticket that was stapled to the app.

As macOS 10.15 (Catalina), Apple has made notarization a hard requirement for all applications distributed outside of the Mac App Store. App Store applications do not need to be notarized.

Prerequisites

For notarization, you need the following things:

  1. Xcode 13 or later installed on your Mac.
  2. An Apple Developer account.
  3. An app-specific password for your ADC account’s Apple ID.
  4. Your app may need to be signed with hardenedRuntime: true option, with the com.apple.security.cs.allow-jit entitlement.

[!NOTE] If you are using Electron 11 or below, you must add the com.apple.security.cs.allow-unsigned-executable-memory entitlement too. When using version 12+, this entitlement should not be applied as it increases your app's attack surface.

Notarization on older macOS versions

Xcode 13 is available from macOS 11.3, but notarization can be performed on systems down to macOS 10.15 (see TN3147 for more information).

To achieve this, you can copy notarytool binary from a newer macOS version and provide its path as notarytoolPath option.

API

@electron/notarize exposes a single notarize function that accepts the following parameters:

  • appPath — the absolute path to your codesigned and packaged Electron application.
  • notarytoolPath - String (optional) - Path of the notarytool binary (more details)
  • additional options required for authenticating your Apple ID (see below)

The method returns a void Promise once app notarization is complete. Please note that notarization may take many minutes.

If the notarization process is unusually log for your application, see Apple Developer's docs to Avoid long notarization response times and size limits.

Usage with app-specific password

You can generate an app-specific password for your Apple ID to notarize your Electron applications.

This method also requires you to specify the Team ID of the Developer Team you want to notarize under. An Apple ID may be part of multiple Teams.

import { notarize } from '@electron/notarize';

await notarize({
  appPath,
  appleId, // Login name of your Apple Developer account
  appleIdPassword, // App-specific password
  teamId, // Team ID for your developer team
});

[!IMPORTANT] Never hard code your app-specific password into your packaging scripts. Use an environment variable at a minimum.

Usage with App Store Connect API key

Alternatively, you can also authenticate via JSON Web Token (JWT) with App Store Connect.

You can obtain an API key from App Store Connect. Create a Team Key (not an Individual Key) with App Manager access.

Note down the Issuer ID (UUID format) and Key ID (10-character alphanumeric string), and download the .p8 API key file (AuthKey_<appleApiKeyId>.p8). For security purposes, the private key can only be downloaded once.

Provide the absolute path to your API key as the appleApiKey argument.

import { notarize } from '@electron/notarize';

await notarize({
  appPath,
  appleApiKey, // Absolute path to API key (e.g. `/path/to/AuthKey_X0X0X0X0X0.p8`)
  appleApiIssuer, // Issuer ID (e.g. `d5631714-a680-4b4b-8156-b4ed624c0845`)
});

Usage with Keychain credentials

As an alternative to passing authentication options, you can also store your authentication credentials (for both API key and app-specific password strategies) in the macOS Keychain via the xcrun notarytool command-line utility.

This method has the advantage of validating your notarization credentials before submitting your application for notarization.

For example:

# App-specific password strategy
xcrun notarytool store-credentials "my-app-password-profile"
  --apple-id "<AppleID>"
  --team-id <DeveloperTeamID>
  --password <app_specific_password>
# App Store Connect API key strategy
xcrun notarytool store-credentials "my-api-key-profile"
  --key "<PathToAPIKey>"
  --key-id <KeyID>
  --issuer <IssuerID>

Successful storage of your credentials will look like this:

This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.

Validating your credentials...
Success. Credentials validated.
Credentials saved to Keychain.
To use them, specify `--keychain-profile "my-api-key-profile"`

After successfully storing your credentials, pass the keychain profile name into the keychainProfile parameter.

import { notarize } from '@electron/notarize';

await notarize({
  appPath,
  keychainProfile,
});

Troubleshooting

Debug logging

debug is used to display logs and messages. Run your notarization scripts with the DEBUG=electron-notarize* environment variable to log additional debug information from this module.

Validating credentials

When notarizing your application, you may run into issues with validating your notarization credentials.

Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect.
Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.

Storing your credentials in Keychain will validate your credentials before even GitHub.

Validating app notarization

To validate that notarization worked, you can use the stapler command-line utility:

stapler validate path/to/notarized.app

Apple documentation

Apple also provides additional debugging documentation on Resolving common notarization issues.