Notarize a plugin

With the introduction of macOS 10.15 Catalina, native apps and frameworks are automatically verified by the operating system to minimise the risk of running malicious code. If your plugin includes native frameworks or bundled binaries, notarization is mandatory.

Note: Plugins written purely in JavaScript and not containing bundled binaries do not require notarization.

Notarization is not App Review. Apple will not review your code, and the process shouldn’t delay your publishing workflow. For more information, see Notarizing Your App Before Distribution, at Apple’s Developer Site.

To notarize your plugin, you will need the following:

You can use three methods to notarize your plugin:

  1. automatically using skpm
  2. manually using the command-line
  3. using a helper plugin: Sketch Notarizing Assistant

1. Use skpm

  1. Open or create a new .skpmrc file next to your plugin’s package.json and add the notarization setting:

    notarization:
      authority: 'Developer ID Application: TEAM'
      username: 'AC_USERNAME'
      password: 'AC_PASSWORD'
    
  2. Replace TEAM with the name of your team on App Store Connect.
  3. Replace AC_USERNAME with your App Store Connect username (usually an email address).
  4. Replace AC_PASSWORD with your app-specific password or keychain item as described in the Keychain password storage section.

Once all the information is there, skpm will automatically notarize your plugin whenever you publish it.

Quick tip: To use your own notarization mechanism and integrate with skpm, provide the command in the .skpmrc notarization settings:

notarization:
  command: './notarize-plugin.sh'

skpm will bundle your plugin, create a ZIP archive of it, and run your command automatically, passing the path to the archive as a parameter, e.g. ./notarize-plugin.sh path/to/select-shapes.sketchplugin-1.0.zip.
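An example of such a hook script, added here and not part of skpm or the Sketch documentation: it validates the archive path skpm passes in, submits it with `xcrun notarytool` (Xcode 13 or later, which replaced the `altool` submission used in section 2), and fails closed unless Apple reports the submission as Accepted. It assumes a notarytool keychain profile named `AC_NOTARY`, created once with `xcrun notarytool store-credentials`, so no App Store Connect password is written into `.skpmrc` or the script.

```shell
#!/bin/sh
# notarize-plugin.sh: hypothetical hook for the skpm `command:` setting.
# skpm invokes it as: ./notarize-plugin.sh path/to/select-shapes.sketchplugin-1.0.zip
# Assumes Xcode 13+ (xcrun notarytool) and credentials stored once with
#   xcrun notarytool store-credentials "$NOTARY_PROFILE"
NOTARY_PROFILE="${NOTARY_PROFILE:-AC_NOTARY}"   # keychain profile name (assumption)

# Reject anything that is not an existing skpm archive before touching the network.
validate_archive() {
  case "$1" in
    *.sketchplugin-*.zip) ;;
    *) echo "unexpected archive name: $1" >&2; return 1 ;;
  esac
  [ -f "$1" ] || { echo "archive not found: $1" >&2; return 1; }
}

# Recover the bundle name from the archive name skpm generated,
# e.g. select-shapes.sketchplugin-1.0.zip -> select-shapes.sketchplugin
bundle_from_archive() {
  b=$(basename "$1")
  printf '%s.sketchplugin\n' "${b%%.sketchplugin-*}"
}

# Pull the submission id out of notarytool's text output ("  id: <uuid>").
submission_id() {
  printf '%s\n' "$1" | awk '$1 == "id:" { print $2; exit }'
}

# Submit and block until Apple returns a verdict. Anything other than
# "status: Accepted" is a failure; fetch the log so the rejection reason is visible.
notarize() {
  out=$(xcrun notarytool submit "$1" --keychain-profile "$NOTARY_PROFILE" --wait 2>&1) || true
  printf '%s\n' "$out"
  if printf '%s\n' "$out" | grep -q '^ *status: Accepted$'; then
    return 0
  fi
  id=$(submission_id "$out")
  [ -n "$id" ] && xcrun notarytool log "$id" --keychain-profile "$NOTARY_PROFILE"
  echo "notarization of $(bundle_from_archive "$1") failed" >&2
  return 1
}

main() {
  validate_archive "$1" || exit 2
  notarize "$1" || exit 1
  echo "notarized: $1"
}

# skpm always passes the archive path; with no argument nothing runs.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because skpm aborts the publish when the command exits non-zero, a rejected or malformed submission never reaches the release.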

2. From the command-line

  1. Code-sign the framework or binary using the following command in the terminal. The identifier must match the bundle identifier of your plugin framework in Xcode, which may be different from your plugin identifier in the manifest.

    codesign -f -s "Developer ID Application: Bob Ross" --timestamp --identifier "com.example.sketch.plugin.select-shapes.framework" --deep --options runtime path/to/select-shapes.sketchplugin/Contents/Sketch/SelectShapes.framework
    
  2. Create a ZIP archive of your .sketchplugin bundle including native frameworks or binaries.

    /usr/bin/ditto -c -k --keepParent path/to/select-shapes.sketchplugin path/to/select-shapes.sketchplugin-1.0.zip
    
  3. Submit the ZIP archive to Apple for notarization. The identifier can be anything you want, as long as it is unique and makes sense to you (Apple only uses the identifier in their status reports).

    xcrun altool --notarize-app -f path/to/select-shapes.sketchplugin-1.0.zip --primary-bundle-id "com.example.sketch.plugin.select-shapes" -u "user@example.com" -p "app-specific-password"
    
  4. Wait for a notarization email confirmation from Apple before releasing the plugin.

Note: If you make any changes to your plugin framework you’ll need to notarize again.

3. Sketch Notarizing Assistant

Sketch Notarizing Assistant is a Sketch plugin developed by Aby Nimbalkar that makes it trivial to notarize your plugin. To use it, just follow the instructions on the plugin’s page.

Note: Sketch Notarizing Assistant is not maintained or supported by Sketch.

Keychain password storage

Instead of storing the app-specific password as plain text in .skpmrc, you can also provide a reference to a local keychain item. Please note that skpm cannot access iCloud keychain items for security reasons.

The following example assumes the keychain holds a keychain item named AC_PASSWORD for an Account user@example.com:

notarization:
  authority: 'Developer ID Application: Your Team Name'
  username: 'user@example.com'
  password: '@keychain:AC_PASSWORD'

You can create the AC_PASSWORD keychain item using the command line, or the Keychain Access application.

Use the security command-line utility

  security add-generic-password -a "user@example.com" -w "app-specific-password" -s "AC_PASSWORD"

Use Keychain Access

  1. Open Applications › Utilities › Keychain Access.
  2. Select File › New Password Item… and set these values in the dialog:
    • Keychain Item Name: AC_PASSWORD.
    • Account Name: user@example.com (your App Store Connect username).
    • Password: your app-specific password.
  3. Click Add.