FREE · OPEN SOURCE · MACOS

codesign-app.sh

Sign, notarize, and ship your Mac app in one command.

An interactive shell script that walks you through the entire macOS code signing and notarization process—from certificate selection to stapled ticket. No Xcode project required. No build system dependencies. Just your .app bundle and a terminal.

$ bash codesign-app.sh
================================================
macOS App Signing & Notarization Tool
================================================

[INFO] Checking prerequisites...
[OK] Xcode CLI tools found.
[OK] codesign found.

[INFO] Available signing identities:
1) Developer ID Application: Your Name (XXXXXXXXXX)

Use 'Developer ID Application: Your Name'? (y/n): y_

No Xcode project. No Fastlane. No CI pipeline. Just bash codesign-app.sh and follow the prompts.

WHAT IT DOES

The entire signing workflow, guided.

The script handles every step Apple requires for distributing apps outside the Mac App Store—from identity detection to ticket stapling.

01. Detect Identity: Finds Developer ID certificates in your keychain automatically.

02. Deep Sign: Signs frameworks, dylibs, helpers, and XPC services before the main bundle.

03. Verify: Runs codesign verify, deep strict check, and Gatekeeper assessment.

04. Package: Creates a ZIP or signed DMG with Applications symlink, ready to ship.

05. Notarize & Staple: Submits to Apple, waits for approval, and staples the ticket automatically.

FEATURES

Everything Apple requires, nothing you don’t need.

Auto Identity Detection

Queries your keychain for Developer ID Application certificates. If only one exists, it offers to use it. Multiple? You pick.

Deep Embedded Signing

Scans Frameworks, PlugIns, Helpers, and MacOS for dylibs, frameworks, XPC services, and helper binaries—signs each before the main bundle.

Entitlements Generator

Bring your own entitlements file, or let the script generate a hardened runtime plist. Review it before signing—no silent defaults.

ZIP or Signed DMG

Package as a ZIP archive or a DMG disk image with an Applications symlink for drag-and-drop install. DMGs get code-signed too.

Notarization & Stapling

Submits to Apple’s notary service via Apple ID or App Store Connect API key, waits for the result, then staples the ticket and re-packages.

Zero Dependencies

Pure bash. No Homebrew packages, no Ruby gems, no Node modules. Just Xcode CLI tools that ship with every Mac developer setup.
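
The inside-out order described under Deep Embedded Signing, sketched as an added example (not code from codesign-app.sh). The names signing_order, sign_inside_out, run and DRY_RUN are hypothetical, nested code is matched by file extension only, and DRY_RUN defaults to printing the codesign commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example: sign nested code before the bundle that contains it.
# Assumption: nested code is found by extension; loose helper executables
# without an extension are not covered by this sketch.

# Print every nested code item deepest-first, then the outer bundle last.
signing_order() {
  local app="${1%/}"
  # -depth lists a directory's contents before the directory itself, so an
  # XPC service inside a framework is listed before that framework.
  find "$app/Contents" -depth \
    \( -name '*.dylib' -o -name '*.framework' -o -name '*.xpc' \
       -o -name '*.appex' -o -name '*.app' \) -print
  printf '%s\n' "$app"
}

# Run a command, or only print it when DRY_RUN=1 (the default here).
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Sign each item with the hardened runtime and a secure timestamp, then
# verify the finished bundle. Signing stops at the first failure.
sign_inside_out() {
  local app="${1%/}" identity="$2" item
  signing_order "$app" | while IFS= read -r item; do
    run codesign --force --options runtime --timestamp \
        --sign "$identity" "$item" || exit 1   # leaves the pipeline subshell
  done || return 1
  run codesign --verify --deep --strict --verbose=2 "$app"
}

# Usage: DRY_RUN=0 bash this-file.sh MyApp.app "Developer ID Application: ..."
if [ "$#" -ge 2 ]; then
  sign_inside_out "$1" "$2"
fi
```

Signing the outer bundle last matters because its signature seals the nested code; re-signing anything inside afterwards invalidates the outer signature.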

WHO IT’S FOR

Built for indie devs who ship outside the App Store.

If you distribute a macOS app via your website, GitHub releases, or direct download, Apple requires it to be signed with a Developer ID certificate and notarized—or Gatekeeper blocks it.

Xcode handles this automatically for App Store builds. But if you’re building with Swift Package Manager, CMake, Electron, PyInstaller, or anything else that produces a .app bundle, you’re on your own.

This script fills that gap.

Electron & Tauri apps

Built outside Xcode, needs manual signing

Swift PM & CMake builds

No Xcode project to handle signing for you

PyInstaller & py2app bundles

Python apps packaged for macOS distribution

CI/CD pipelines

Drop into GitHub Actions or any shell-based workflow

Apps with embedded helpers

XPC services, frameworks, dylibs—all signed in correct order

REQUIREMENTS

What you need before running the script

  • macOS with Xcode Command Line Tools installed (xcode-select --install)
  • A Developer ID Application certificate from the Apple Developer Program ($99/year)
  • A built .app bundle ready to sign
  • For notarization: an app-specific password or App Store Connect API key

Ship your Mac app with confidence.

One script. Signed, notarized, stapled, packaged. Gatekeeper approved.

Built by Metahuman Network · Supporting the people behind the technology.