CodeSign & Notary Script

An interactive shell script that walks you through the entire macOS code signing and notarization process—from certificate selection to stapled ticket. No Xcode project required. No build system dependencies. Just your .app bundle and a terminal.

$ bash codesign-app.sh
================================================
macOS App Signing & Notarization Tool
================================================

[INFO] Checking prerequisites...
[OK] Xcode CLI tools found.
[OK] codesign found.

[INFO] Available signing identities:
1) Developer ID Application: Your Name (XXXXXXXXXX)

Use 'Developer ID Application: Your Name'? (y/n): y_

No Xcode project. No Fastlane. No CI pipeline. Just bash codesign-app.sh and follow the prompts.

The script handles every step Apple requires for distributing apps outside the Mac App Store—from identity detection to ticket stapling.

Finds Developer ID certificates in your keychain automatically

Signs frameworks, dylibs, helpers, and XPC services before the main bundle

Runs codesign verify, deep strict check, and Gatekeeper assessment

Creates a ZIP or signed DMG with Applications symlink, ready to ship

Submits to Apple, waits for approval, and staples the ticket automatically

Queries your keychain for Developer ID Application certificates. If only one exists, it offers to use it. Multiple? You pick.

Scans Frameworks, PlugIns, Helpers, and MacOS for dylibs, frameworks, XPC services, and helper binaries—signs each before the main bundle.

Bring your own entitlements file, or let the script generate a hardened runtime plist. Review it before signing—no silent defaults.

Package as a ZIP archive or a DMG disk image with an Applications symlink for drag-and-drop install. DMGs get code-signed too.

Submits to Apple’s notary service via Apple ID or App Store Connect API key, waits for the result, then staples the ticket and re-packages.

Pure bash. No Homebrew packages, no Ruby gems, no Node modules. Just Xcode CLI tools that ship with every Mac developer setup.
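
The inside-out order described above (frameworks, dylibs, XPC services and helpers signed before the main bundle) can be sketched as follows. This is an added example, not code from the script itself: the function names `signing_order` and `sign_bundle` are hypothetical, nested code is assumed to be recognisable by file extension alone, entitlements are left out, and paths containing newlines are not handled.

```bash
#!/usr/bin/env bash
# Added example (not the project's script): sign nested code deepest-first.
# Assumption: nested code is recognised by name/extension only.

# Print nested signable items under the bundle, deepest path first,
# then the bundle itself as the final line.
signing_order() {
  local app="${1%/}" tab
  tab=$(printf '\t')
  {
    # Bundle-style nested code: frameworks, XPC services, helper apps, plug-ins
    find "$app/Contents" -type d \( -name '*.framework' -o -name '*.xpc' \
      -o -name '*.app' -o -name '*.appex' \) 2>/dev/null
    # Loose dynamic libraries
    find "$app/Contents" -type f -name '*.dylib' 2>/dev/null
  } | awk -F/ '{ print NF "\t" $0 }' \
    | LC_ALL=C sort -t "$tab" -k1,1nr -k2,2 \
    | cut -f2-
  printf '%s\n' "$app"
}

# Sign every item in that order with the hardened runtime, then verify.
sign_bundle() {
  local app="$1" identity="$2"
  signing_order "$app" | while IFS= read -r item; do
    codesign --force --options runtime --timestamp \
      --sign "$identity" "$item" || exit 1   # exits the pipeline subshell
  done || return 1
  codesign --verify --deep --strict --verbose=2 "$app"
}

# Usage: script.sh /path/to/My.app "Developer ID Application: Your Name (XXXXXXXXXX)"
if [ "$#" -eq 2 ]; then
  sign_bundle "$1" "$2"
fi
```

Sorting by path depth guarantees that a dylib inside a framework is sealed before the framework, and the framework before the app, so no outer signature is invalidated by a later inner one.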

If you distribute a macOS app via your website, GitHub releases, or direct download, Apple requires it to be signed with a Developer ID certificate and notarized—or Gatekeeper blocks it.

Xcode handles this automatically for App Store builds. But if you’re building with Swift Package Manager, CMake, Electron, PyInstaller, or anything else that produces a .app bundle, you’re on your own.

This script fills that gap.

  • Electron & Tauri apps: Built outside Xcode, needs manual signing
  • Swift PM & CMake builds: No Xcode project to handle signing for you
  • PyInstaller & py2app bundles: Python apps packaged for macOS distribution
  • CI/CD pipelines: Drop into GitHub Actions or any shell-based workflow
  • Apps with embedded helpers: XPC services, frameworks, dylibs—all signed in correct order

  • macOS with Xcode Command Line Tools installed (xcode-select --install)
  • A Developer ID Application certificate from the Apple Developer Program ($99/year)
  • A built .app bundle ready to sign
  • For notarization: an app-specific password or App Store Connect API key

One script. Signed, notarized, stapled, packaged. Gatekeeper approved.

Built by Metahuman Network · Supporting the people behind the technology.