Notarize a plugin
With the introduction of macOS 10.15 Catalina, native apps and frameworks are automatically verified by the operating system to minimise the risk of running malicious code. If your plugin includes native frameworks or bundled binaries, notarization is mandatory.
Notarization is not App Review. Apple will not review your code, and the process shouldn’t delay your publishing workflow. For more information, see Notarizing Your App Before Distribution, at Apple’s Developer Site.
To notarize your plugin, you will need the following:
- A paid Apple Developer Account with two-factor authentication (2FA) enabled.
- An app-specific password for your plugin.
You can use three methods to notarize your plugin:
- automatically using
- manually using the command-line
- using a helper plugin: Sketch Notarizing Assistant
Open or create a new
.skpmrcfile next to your plugin’s
package.jsonand add the notarization setting:
notarization: authority: 'Developer ID Application: TEAM' username: 'AC_USERNAME' password: 'AC_PASSWORD'
TEAMwith the name of your team on App Store Connect.
AC_USERNAMEwith your App Store Connect username (usually an email address).
AC_PASSWORDwith your app-specific password or keychain item as described in the Keychain password storage section.
Once all the information is there,
skpm will automatically notarize your plugin whenever you publish it.
Quick tip: To use your own notarization mechanism and integrate with
skpm, provide the command in the
notarization: command: './notarize-plugin.sh'
skpmwill bundle your plugin, create a ZIP archive of it, and run your command automatically, passing the path to the archive as a parameter, e.g.
2. From the command-line
Code-sign the framework or binary using the following command in the terminal. The identifier must match the bundle identifier of your plugin framework in Xcode, which may be different from your plugin identifier in the manifest.
codesign -f -s "Developer ID Application: Bob Ross" --timestamp --identifier "com.example.sketch.plugin.select-shapes.framework" --deep --options runtime path/to/select-shapes.sketchplugin/Content/Sketch/SelectShapes.framework
Create a ZIP archive of your
.sketchpluginbundle including native frameworks or binaries.
/usr/bin/ditto -c -k --keepParent path/to/select-shapes.sketchplugin path/to/select-shapes.sketchplugin-1.0.zip
Submit the ZIP archive to Apple for notarization. The identifier can be anything you want, as long as it is unique and makes sense to you (Apple only uses the identifier in their status reports).
xcrun altool --notarize-app -f path/to/select-shapes.sketchplugin-1.0.zip --primary-bundle-id "com.example.sketch.plugin.select-shapes" -u "email@example.com" -p "app-specific-password"
Wait for a notarization email confirmation from Apple before releasing the plugin.
Note: If you make any changes to your plugin framework you’ll need to notarize again.
3. Sketch Notarizing Assistant
Note: Sketch Notarizing Assistant is not maintained or supported by Sketch.
Keychain password storage
Instead of storing the app-specific password as plain text in
.skpmrc, you can also provide a reference to a local keychain item. Please note that
skpm cannot access iCloud keychain items for security reasons.
The following example assumes the keychain holds a keychain item named
AC_PASSWORD for an Account
notarization: authority: 'Developer ID Application: Your Team Name' username: 'firstname.lastname@example.org' password: '@keychain:AC_PASSWORD'
You can create the
AC_PASSWORD keychain item using the command line, or the
Keychain Access application.
security command-line utility
security add-generic-password -a "email@example.com" -w "app-specific-password" -s "AC_PASSWORD"
Use Keychain Access
- Open Applications › Utilities › Keychain Access.
- Select File › New Password Item… and set these values on the dialog:
- Keychain Item Name:
- Account Name:
firstname.lastname@example.org(your App Store Connect username).
app specific password.
- Keychain Item Name:
- Click Add.
- Notarizing Your App Before Distribution at Apple Developer Documentation.