@electron/notarize
Advanced tools
@electron/notarize is an npm package designed to help developers notarize their Electron applications for macOS. Notarization is a process by which Apple scans your app for malicious content and checks for code-signing issues. This package simplifies the process of submitting your app to Apple's notarization service and retrieving the results.
Notarize an Electron App
This feature allows you to notarize your Electron application by providing the app bundle ID, the path to your app, and your Apple ID credentials. The function `notarize` handles the submission to Apple's notarization service.
const { notarize } = require('@electron/notarize');
async function notarizeApp() {
await notarize({
appBundleId: 'com.example.app',
appPath: '/path/to/your/app.app',
appleId: 'your-apple-id@example.com',
appleIdPassword: 'your-apple-id-password'
});
}
notarizeApp().catch(console.error);Check Notarization Status
This feature allows you to check the status of a notarization request by providing the request UUID and your Apple ID credentials. The function `checkNotarizationStatus` retrieves the current status of the notarization process.
const { checkNotarizationStatus } = require('@electron/notarize');
async function checkStatus(requestUUID) {
const status = await checkNotarizationStatus({
requestUUID,
appleId: 'your-apple-id@example.com',
appleIdPassword: 'your-apple-id-password'
});
console.log(status);
}
checkStatus('your-request-uuid').catch(console.error);Staple Notarization Ticket
This feature allows you to staple the notarization ticket to your Electron application. The function `stapleApp` ensures that the notarization ticket is attached to your app, which is required for distribution.
const { stapleApp } = require('@electron/notarize');
async function staple() {
await stapleApp({
appPath: '/path/to/your/app.app'
});
}
staple().catch(console.error);electron-osx-sign is a package that provides code-signing capabilities for macOS Electron applications. While it focuses on code-signing, it also offers notarization features. However, @electron/notarize is more specialized and streamlined for the notarization process.
electron-builder is a comprehensive package for building and packaging Electron applications. It includes features for code-signing and notarization, among many other functionalities. While it is more feature-rich, @electron/notarize is more focused and easier to use specifically for notarization tasks.
Notarize your Electron apps seamlessly for macOS
# npm
npm install @electron/notarize --save-dev
# yarn
yarn add @electron/notarize --dev
From Apple's docs in XCode:
A notarized app is a macOS app that was uploaded to Apple for processing before it was distributed. When you export a notarized app from Xcode, it code signs the app with a Developer ID certificate and staples a ticket from Apple to the app. The ticket confirms that you previously uploaded the app to Apple.
On macOS 10.14 and later, the user can launch notarized apps when Gatekeeper is enabled. When the user first launches a notarized app, Gatekeeper looks for the app’s ticket online. If the user is offline, Gatekeeper looks for the ticket that was stapled to the app.
Apple has made this a hard requirement as of 10.15 (Catalina).
For notarization, you need the following things:
hardened-runtime, including the following entitlement:
com.apple.security.cs.allow-jitIf you are using Electron 11 or below, you must add the com.apple.security.cs.allow-unsigned-executable-memory entitlement too.
When using version 12+, this entitlement should not be applied as it increases your app's attack surface.
notarize(opts): Promise<void>options Object
tool String - The notarization tool to use, default is notarytool. Can be legacy or notarytool. notarytool is substantially (10x) faster and legacy is deprecated and will stop working on November 1st 2023.appPath String - The absolute path to your .app fileappleId String - The username of your apple developer accountappleIdPassword String - The app-specific password (not your Apple ID password).teamId String - The team ID you want to notarize under.appleApiKey String - Required for JWT authentication. See Note on JWT authentication below.appleApiKeyId String - Required for JWT authentication. See Note on JWT authentication below.appleApiIssuer String - Issuer ID. Required if appleApiKey is specified.keychain String - The name of the keychain or path to the keychain you stored notarization credentials in.keychainProfile String - The name of the profile you provided when storing notarization credentials.appBundleId String - The app bundle identifier your Electron app is using. E.g. com.github.electronascProvider String (optional) - Your Team Short Name.appleId String - The username of your apple developer accountappleIdPassword String - The app-specific password (not your Apple ID password).appleApiKey String - Required for JWT authentication. See Note on JWT authentication below.appleApiIssuer String - Issuer ID. Required if appleApiKey is specified.appleIdPasswordconst password = `@keychain:"Application Loader: ${appleId}"`;
Another option is that you can add a new keychain item using either the Keychain Access app or from the command line using the security utility:
security add-generic-password -a "AC_USERNAME" -w <app_specific_password> -s "AC_PASSWORD"
where AC_USERNAME should be replaced with your Apple ID, and then in your code you can use:
const password = `@keychain:AC_PASSWORD`;
You can obtain an API key from Appstore Connect. Create a key with App Manager access. Note down the Issuer ID and download the .p8 file. This file is your API key and comes with the name of AuthKey_<api_key>.p8. This is the string you have to supply when calling notarize.
Based on the ApiKey, altool will look in the following places for that file:
./private_keys~/private_keys~/.private_keys~/.appstoreconnect/private_keysIf you are a member of multiple teams or organizations, you have to tell Apple on behalf of which organization you're uploading. To find your team's short name), you can ask iTMSTransporter, which is part of the now deprecated Application Loader as well as the newer Transporter.
With Transporter installed, run:
/Applications/Transporter.app/Contents/itms/bin/iTMSTransporter -m provider -u APPLE_DEV_ACCOUNT -p APP_PASSWORD
Alternatively, with older versions of Xcode, run:
/Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/itms/bin/iTMSTransporter -m provider -u APPLE_DEV_ACCOUNT -p APP_PASSWORD
If you use the new Notary Tool method you will need to set the teamId option. To get this ID, go to your Apple Developer Account, then clikc on "Membership details", and there you will find your Team ID. This link should get you there directly: https://developer.apple.com/account#MembershipDetailsCard
import { notarize } from '@electron/notarize';
async function packageTask () {
// Package your app here, and code sign with hardened runtime
await notarize({
appBundleId,
appPath,
appleId,
appleIdPassword,
ascProvider, // This parameter is optional
});
}
FAQs
Notarize your Electron app
The npm package @electron/notarize receives a total of 209,195 weekly downloads. As such, @electron/notarize popularity was classified as popular.
We found that @electron/notarize demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.