Skip to content

Notarize macOS binaries

GoReleaser can sign & notarize macOS binaries (and Universal Binaries) using anchore/quill.

To use it, you'll need:

  • An Apple Developer Account ($99/year).
  • A certificate from said account. It should be of "Developer ID Application" type. This will give you a .cer file. You'll need to import it into KeyChain.app, and then export it as a .p12 file. It'll will have a password.
  • An App Store Connect API key. This will give you a .p8 file.

So you should end up with:

  1. a Certificates.p12 file and the password to open it
  2. a ApiKey_AAABBBCCC.p8 file

Read the commented configuration excerpt below to learn how to use these files.

# .goreleaser.yaml
notarize:
  macos:
    - # Whether this configuration is enabled or not.
      #
      # Default: false.
      # Templates: allowed.
      enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'

      # IDs to use to filter the built binaries.
      #
      # Default: the project name.
      ids:
        - build1
        - build2

      # Before notarizing, we need to sign the binary.
      # This blocks defines the configuration for doing so.
      sign:
        # The .p12 certificate file path or its base64'd contents.
        certificate: "{{.Env.MACOS_SIGN_P12}}"

        # The password to be used to open the certificate.
        password: "{{.Env.MACOS_SIGN_PASSWORD}}"

      # Then, we notarize the binaries.
      notarize:
        # The issuer ID.
        # Its the UUID you see when creating the App Store Connect key.
        issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}"

        # Key ID.
        # You can see it in the list of App Store Connect Keys.
        # It will also be in the ApiKey filename.
        key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}"

        # The .p8 key file path or its base64'd contents.
        key: "{{.Env.MACOS_NOTARY_KEY}}"

        # Whether to wait for the notarization to finish.
        # Not recommended, as it could take a really long time.
        wait: true

        # Timeout for the notarization.
        # Beware of the overall `--timeout` time.
        # This only has any effect if `wait` is true.
        #
        # Default: 10m.
        timeout: 20m

Tip

Discover more about the name template engine.

base64

To base64 a file, you run this:

base64 -w0 < ./Certificates.p12
base64 -w0 < ./ApiKey_AAABBBCCC.p8

Signing only

Since v2.1.

If you want to only sign the binaries, but not notarize them, you can simply leave the notarize section of your configuration empty.