bash macos notarize

How do you procedurally obtain the submission ID from notarytool?


I'm writing a script to notarize a ZIP archive of an application I previously signed on macOS. The docs for notarytool state that a submission ID is required to get the logs from the last submission. However, it doesn't really describe how to get that value. Upon a test run of notarytool submit, I see that it outputs something like id: xxx-xxx-xxx-xxx (or something of similar formatting). Is that the submission ID?

And for scripting purposes, is there an easier (more procedural) way to obtain the submission ID, or am I required to parse the string output? If the latter, what would be the best way to parse it out?

Here's an example of the script I've got so far:

#!/usr/bin/env bash
user="$1"
pass="$2"
teamId="$3"
archivePath="$4"

xcrun notarytool submit --wait \
  --apple-id "$user" \
  --password "$pass" \
  --team-id "$teamId" \
  "$archivePath"

submissionId="???"

xcrun notarytool log --apple-id "$user" --password "$pass" "$submissionId"

Obviously I need a real value for submissionId in the example above.


Solution

  • I ended up solving this myself using the script below. Sadly this ended up being something I had to "invent" from scratch, so there's no real useful tooling to automate this that I could point people towards, unfortunately.

    To give an overview of what the script does, you basically pass in the notarization credentials needed as arguments, as well as a path to the archive you want to sign. In my case, my script is hard-coded to use a specific named TAR file, since this is for my project and not really written to be general purpose.

    The submit() function returns the submission ID needed for the notarytool log command, which is the pertinent portion of the script.

    #!/usr/bin/env bash
    set -e
    
    user="$1"
    pass="$2"
    teamId="$3"
    archivePath="$4"
    
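    # Submit the archive, wait for the result, and print only the submission ID.
    # "// empty" makes jq print nothing (instead of the string "null") when the
    # JSON has no id, so the empty-ID check further down catches the failure.
    function submit() {
      xcrun notarytool submit --wait --no-progress -f json \
        --apple-id "$user" \
        --password "$pass" \
        --team-id "$teamId" \
        recyclarr.zip | \
        jq -r '.id // empty'
    }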
    
    function log() {
      xcrun notarytool log \
        --apple-id "$user" \
        --password "$pass" \
        --team-id "$teamId" \
        "$1"
    }
    
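    # Wrap the archive path in a TAR, then a ZIP, submit it, and clean up.
    tar -cvf recyclarr.tar -C "$(dirname "$archivePath")" "$(basename "$archivePath")"
    zip recyclarr.zip recyclarr.tar
    submissionId="$(submit)"
    rm recyclarr.zip recyclarr.tar
    
    # An empty ID means the submission produced no usable JSON.
    if [[ -z "$submissionId" ]]; then
      exit 1
    fi
    
    echo "Submission ID: $submissionId"
    
    # Retry every 2 seconds until the log can be fetched.
    until log "$submissionId"
    do
      sleep 2
    done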
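
A stricter take on the ID extraction in the answer above, as an added example that is not part of the original post: it parses the JSON without depending on jq, refuses anything that is not shaped like a submission ID, and reports separately whether notarization was accepted. Assumptions: the ID is a UUID, the JSON is a flat object with string fields `id` and `status`, `Accepted` is the success status, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumptions: the JSON from
# `notarytool submit -f json` is a flat object with string fields "id" and
# "status", the ID is a UUID, and "Accepted" is the success status.

# json_field JSON KEY: print the string value of top-level KEY (empty if absent
# or not a string). KEY must be a fixed literal; it is spliced into the sed regex.
json_field() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# is_uuid VALUE: succeed only for the 8-4-4-4-12 hex shape, so "null", an
# error message or anything containing shell metacharacters is rejected.
is_uuid() {
  case "$1" in *[!0-9a-fA-F-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# submission_id JSON: print the ID and return
#   0  ID is well-formed and status is Accepted
#   2  ID is well-formed but status is something else (the log is still worth fetching)
#   1  no usable ID; nothing is printed
submission_id() {
  local sid
  sid="$(json_field "$1" id)"
  is_uuid "$sid" || return 1
  printf '%s\n' "$sid"
  [ "$(json_field "$1" status)" = "Accepted" ] || return 2
}

# How it would slot into the script above (commented out: needs macOS and credentials):
#   json="$(xcrun notarytool submit --wait --no-progress -f json ... recyclarr.zip)"
#   rc=0; submissionId="$(submission_id "$json")" || rc=$?
#   [ "$rc" -ne 1 ] || exit 1        # no ID: there is no log to fetch
#   log "$submissionId"; exit "$rc"  # non-zero exit when notarization was not accepted
```

Returning 2 rather than 1 for a rejected submission keeps the ID available, since that is the case where the log matters most.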