Notarize a plugin
With the introduction of macOS 10.15 Catalina, native apps and frameworks are automatically verified by the operating system to minimise the risk of running malicious code. If your plugin includes native frameworks or bundled binaries, notarization is mandatory.
Notarization is not App Review. Apple will not review your code, and the process shouldn’t delay your publishing workflow. For more information, see Notarizing Your App Before Distribution, at Apple’s Developer Site.
To notarize your plugin, you will need the following:
- An Apple Developer Account with two-factor authentication (2FA) enabled.
- An app-specific password for your plugin.
You can use two methods to notarize your plugin: automatically using
skpm, or manually using the command-line.
Open or create a new
.skpmrcfile next to your plugin’s
package.jsonand add the notarization setting:
notarization: authority: 'Developer ID Application: TEAM' username: 'AC_USERNAME' password: 'AC_PASSWORD'
TEAMwith the name of your team on App Store Connect.
AC_USERNAMEwith your App Store Connect username (usually an email address).
AC_PASSWORDwith your app-specific password or keychain item as described in the Keychain password storage section.
Once all the information is there,
skpm will automatically notarize your plugin whenever you publish it.
Quick tip: To use your own notarization mechanism and integrate with
skpm, provide the command in the
notarization: command: './notarize-plugin.sh'
skpmwill bundle your plugin, create a ZIP archive of it, and run your command automatically, passing the path to the archive as a parameter, e.g.
2. From the command-line
- Create a ZIP archive of your
.sketchpluginbundle including native frameworks or binaries.
Code-sign the ZIP archive using the following command in the terminal. The identifier must match the bundle identifier of your plugin framework in Xcode, which may be different from your plugin identifier in the manifest.
codesign -f -s "Developer ID Application: Bob Ross" --timestamp --identifier "com.example.sketch.plugin.select-shapes" path/to/select-shapes.sketchplugin-1.0.zip
Submit the ZIP archive to Apple for notarization:
xcrun altool --notarize-app -f path/to/select-shapes.sketchplugin-1.0.zip --primary-bundle-id "com.example.sketch.plugin.select-shapes" -u "firstname.lastname@example.org" -p "app-specific-password"
- Wait for a notarization email confirmation from Apple before releasing the plugin.
Note: If you make any changes to your plugin framework you’ll need to notarize again.
Keychain password storage
Instead of storing the app-specific password as plain text in
.skpmrc, you can also provide a reference to a local keychain item. Please note that
skpm cannot access iCloud keychain items for security reasons.
The following example assumes the keychain holds a keychain item named
AC_PASSWORD for an Account
notarization: authority: 'Developer ID Application: Your Team Name' username: 'email@example.com' password: '@keychain:AC_PASSWORD'
You can create the
AC_PASSWORD keychain item using the command line, or the
Keychain Access application.
security command-line utility
security add-generic-password -a "firstname.lastname@example.org" -w "app-specific-password" -s "AC_PASSWORD"
Use Keychain Access
- Open Applications › Utilities › Keychain Access.
- Select File › New Password Item… and set these values on the dialog:
- Keychain Item Name:
- Account Name:
email@example.com(your App Store Connect username).
app specific password.
- Keychain Item Name:
- Click Add.
- Notarizing Your App Before Distribution at Apple Developer Documentation