@EvanBalster
Created April 29, 2020 19:05
Mac OS X notarization script
#!/bin/sh -u
# arguments: team ID, Apple ID, altool password, bundle identifier, ZIP/DMG path
ASC_PROVIDER="$1"
ASC_USERNAME="$2"
ASC_PASSWORD="$3"   # a cleartext value here is visible in the process list; @keychain:<item> avoids that
BUNDLE_ID="$4"
BUNDLE_PKG="$5"

# create temporary files
NOTARIZE_APP_LOG=$(mktemp -t notarize-app)
NOTARIZE_INFO_LOG=$(mktemp -t notarize-info)

# delete temporary files on exit
# (POSIX function syntax: the `function` keyword is not available in every /bin/sh)
finish() {
    rm -f "$NOTARIZE_APP_LOG" "$NOTARIZE_INFO_LOG"
}
trap finish EXIT

# submit app for notarization
if xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
        --asc-provider "$ASC_PROVIDER" --username "$ASC_USERNAME" \
        --password "$ASC_PASSWORD" -f "$BUNDLE_PKG" > "$NOTARIZE_APP_LOG" 2>&1; then
    cat "$NOTARIZE_APP_LOG"
    RequestUUID=$(awk -F ' = ' '/RequestUUID/ {print $2}' "$NOTARIZE_APP_LOG")

    # without a request ID there is nothing to poll
    if [ -z "$RequestUUID" ]; then
        echo "no RequestUUID found in altool output" 1>&2
        exit 1
    fi

    # check status periodically
    while sleep 60 && date; do
        # check notarization status
        if xcrun altool --notarization-info "$RequestUUID" \
                --asc-provider "$ASC_PROVIDER" --username "$ASC_USERNAME" \
                --password "$ASC_PASSWORD" > "$NOTARIZE_INFO_LOG" 2>&1; then
            cat "$NOTARIZE_INFO_LOG"

            # once notarization is complete, run stapler and exit;
            # the script's exit status is stapler's exit status
            if ! grep -q "Status: in progress" "$NOTARIZE_INFO_LOG"; then
                xcrun stapler staple "$BUNDLE_PKG"
                exit
            fi
        else
            cat "$NOTARIZE_INFO_LOG" 1>&2
            exit 1
        fi
    done
else
    cat "$NOTARIZE_APP_LOG" 1>&2
    exit 1
fi
@EvanBalster
Author

This script uploads an app for notarization by Apple, waits for notarization to complete, and if successful staples the notarization ticket to the DMG bundle.

Parameters:

  1. Apple Developer Team ID (10-digit alphanumeric key from "Membership section")
  2. Apple ID (the e-mail address used to sign into Apple Developer)
  3. App-specific password for altool † (set this up at https://appleid.apple.com/)
  4. Bundle identifier for the app
  5. Location of the app to notarize (must be a ZIP or DMG file)

† Putting cleartext passwords in your script is sketchy, so I suggest installing the password into your Mac's keychain, with an ID like my-altool-password. Then, supply @keychain:my-altool-password as the password in the script.
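
The script treats any status other than `in progress` as finished and accepts the password as a plain argument. As an added example (not part of the gist), the helpers below classify the status explicitly and accept only `@keychain:` or `@env:` password references; the function names and the sample log text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the gist. Helper names and sample logs are constructed.

# Accept only indirect password references so the secret never appears in
# argv or shell history. altool resolves @keychain:NAME and @env:NAME itself.
password_ref_ok() {
    case "$1" in
        @keychain:?*|@env:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the "Status:" field from `altool --notarization-info` output on stdin.
# "Status Code:" and "Status Message:" lines do not match the pattern.
notarization_status() {
    sed -n -e 's/[[:space:]]*$//' \
           -e 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1
}

# Decide what the polling loop should do next for a given status value.
next_action() {
    case "$1" in
        "in progress") echo wait ;;
        success)       echo staple ;;
        *)             echo fail ;;  # "invalid", empty, or unexpected output
    esac
}

# Constructed samples of --notarization-info output (not captured from Apple).
SAMPLE_PENDING='        Status: in progress'
SAMPLE_SUCCESS='        Status: success
   Status Code: 0
Status Message: Package Approved'
SAMPLE_INVALID='        Status: invalid
   Status Code: 2
Status Message: Package Invalid'

for sample in "$SAMPLE_PENDING" "$SAMPLE_SUCCESS" "$SAMPLE_INVALID"; do
    status=$(printf '%s\n' "$sample" | notarization_status)
    echo "status='$status' -> $(next_action "$status")"
done

for ref in "@keychain:my-altool-password" "cleartext-password"; do
    if password_ref_ok "$ref"; then echo "accept: $ref"; else echo "reject: $ref"; fi
done
```

In the polling loop, `next_action` would replace the single `grep -q "Status: in progress"` test, so a rejected submission exits non-zero without calling `stapler`.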
