Notarize a plugin

With the introduction of macOS 10.15 Catalina, native apps and frameworks are automatically verified by the operating system to minimise the risk of running malicious code. If your plugin includes native frameworks or bundled binaries, notarization is mandatory.

Note: Plugins written purely in JavaScript and not containing bundled binaries do not require notarization.

Notarization is not App Review. Apple will not review your code, and the process shouldn’t delay your publishing workflow. For more information, see Notarizing Your App Before Distribution, at Apple’s Developer Site.

To notarize your plugin, you will need the following:

You can use two methods to notarize your plugin: automatically using skpm, or manually using the command-line.

1. Use skpm

  1. Open or create a new .skpmrc file next to your plugin’s package.json and add the notarization setting:

    notarization:
      authority: 'Developer ID Application: TEAM'
      username: 'AC_USERNAME'
      password: 'AC_PASSWORD'
    
  2. Replace TEAM with the name of your team on App Store Connect.
  3. Replace AC_USERNAME with your App Store Connect username (usually an email address).
  4. Replace AC_PASSWORD with your app-specific password or keychain item as described in the Keychain password storage section.

Once all the information is there, skpm will automatically notarize your plugin whenever you publish it.

Quick tip: To use your own notarization mechanism and integrate with skpm, provide the command in the .skpmrc notarization settings:

notarization:
  command: './notarize-plugin.sh'

skpm will bundle your plugin, create a ZIP archive of it, and run your command automatically, passing the path to the archive as a parameter, e.g. ./notarize-plugin.sh path/to/select-shapes.sketchplugin-1.0.zip.

2. From the command-line

  1. Create a ZIP archive of your .sketchplugin bundle including native frameworks or binaries.
  2. Code-sign the ZIP archive using the following command in the terminal. The identifier must match the bundle identifier of your plugin framework in Xcode, which may be different from your plugin identifier in the manifest.

    codesign -f -s "Developer ID Application: Bob Ross" --timestamp --identifier "com.example.sketch.plugin.select-shapes" path/to/select-shapes.sketchplugin-1.0.zip
    
  3. Submit the ZIP archive to Apple for notarization:

    xcrun altool --notarize-app -f path/to/select-shapes.sketchplugin-1.0.zip --primary-bundle-id "com.example.sketch.plugin.select-shapes" -u "user@example.com" -p "app-specific-password"
    
  4. Wait for a notarization email confirmation from Apple before releasing the plugin.

Note: If you make any changes to your plugin framework you’ll need to notarize again.

Keychain password storage

Instead of storing the app-specific password as plain text in .skpmrc, you can also provide a reference to a local keychain item. Please note that skpm cannot access iCloud keychain items for security reasons.

The following example assumes the keychain holds a keychain item named AC_PASSWORD for an Account user@example.com:

notarization:
  authority: 'Developer ID Application: Your Team Name'
  username: 'user@example.com'
  password: '@keychain:AC_PASSWORD'

You can create the AC_PASSWORD keychain item using the command line, or the Keychain Access application.

Use security command-line utility

  security add-generic-password -a "user@example.com" -w "app-specific-password" -s "AC_PASSWORD"

Use Keychain Access

  1. Open ApplicationsUtilitiesKeychain Access.
  2. Select FileNew Password Item… and set these values on the dialog:
    • Keychain Item Name: AC_PASSWORD.
    • Account Name: user@example.com (your App Store Connect username).
    • Password: app specific password.
  3. Click Add.
See something wrong or incomplete? Improve this page.