As Catalina’s release date approaches, I find myself faced with a dilemma that many others are facing. At Malwarebytes, we have a number of AppleScript applets that we can provide to customers, for troubleshooting, gathering logs, incident response, etc. Come Catalina, those customers will be unable to run these scripts without special instructions… unless we notarize them.
So, they must be notarized. The next question is, “How?” Fortunately, Rich Trouton has published an excellent document on notarizing Automator applications, which is just as applicable to AppleScript applets.
I have little to add to Rich’s instructions, but did stumble across one special case. It’s sometehing that most people probably won’t see… but if you do, it’ll bring your notarization attempt to a screeching halt.
The problem
For most independent developers, their Apple developer account will stand alone, while companies will probably have multiple developer accounts all associated with a single master account. In such cases, there’s no problem… it’s unambiguous what account is going to be used for notarization.
However, if you’re reading this, you’re probably like me, and your account is associated with more than one master account (or “provider”) that can do signing and notarization. You may not even know about that, if it was set up for you or happened so long ago that you forgot.
In such a case, on attempting to submit your app for notarization using xcrun, you will will see an error message containing the following text:
Your Apple ID account is attached to other iTunes providers. You will need to specify which provider you intend to submit content to by using the -itc_provider command.
The solution
Most likely, even if you knew your account was associated with multiple “providers,” you probably don’t know the correct short name for the desired provider to use with the -itc_provider command. Fortunately, there’s a simple way to find out. If you’re using Xcode 10 or earlier, run the following, using your developer account e-mail address and the app-specific password you have created for notarization (see Rich’s instructions):
/Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/itms/bin/iTMSTransporter -m provider -u you@company.com -p app-password-here
This will not work on Xcode 11, where you’ll need to do this instead:
xcrun iTMSTransporter -m provider -u you@company.com -p app-password-here
The output will be very long, and will end with a provider listing looking like this:
- Long Name - - Short Name - 1 Your Corporation YourCorporation 2 Another Group AnotherGroup
There may be more than two, and they may be different groups at your current company, different companies, etc, and may even include some stuff you are not supposed to still have access to from a previous job (oops!).
Note the short name of the one you want to use, then run xcrun again, but add the -itc_provider like so:
xcrun altool --notarize-app --primary-bundle-id "com.apple.ScriptEditor.id.MyScript" --username "you@company.com" --password "app-password-here" -itc_provider "ProviderShortName" --file MyScript.zip
Of course, if your applet isn’t called “MyScript”, you’ll want to make some changes there, but you get the idea. 🙂