Docs should talk about how to staple the Apple notarization ticket to the application #2253

Closed
hakanai opened this issue Aug 19, 2022 · 3 comments · Fixed by #3642

hakanai commented Aug 19, 2022

The docs for Signing and notarization on macOS talk about how to send the notarisation request to Apple, but this is only step one of the process.

Step two is to staple the resulting ticket to the app, but steps for doing this in the build are currently undocumented.

On top of that, the order of operations seems different to what you'd gather from reading Apple's docs.

The flow as the docs here currently describe it:

  • Build the DMG
  • Notarize the DMG
  • Staple the ticket to the DMG (not mentioned but obviously a necessary part of the build)

The flow as Apple describe it:

  • Build the app
  • Notarize the app
  • Staple the ticket to the app
  • Put the app into the DMG

I know the notarisation process takes a while as well ("within an hour") which does stall the build for however long that takes to happen, but I guess tests and other things can still be run while that sits in Apple's queue.

@sdercolin

Thanks for the information, saved my day!
Here is some extra information and practices for people doing signing and notarization on macOS:

On your local machine

  1. Make sure all settings are finished as the tutorial described.
  2. Run notarizeDmg task
  3. Wait for the notarization process to be finished (will be notified via email)
  4. Run command xcrun stapler staple <path_to_your_dmg> (this command seems to get errors before the notarization is done)
  5. Finished! 🎉

On remote machines e.g. GitHub Actions

Since the notarizeDmg task doesn't wait for the process to be finished, I used the xcrun notarytool submit command instead.

  1. Make sure all settings are finished as the tutorial described. (same as the local case)
  2. Run packageDmg task
  3. Run command xcrun notarytool submit <path_to_your_dmg> --apple-id ${{ secrets.APPLE_ID }} --password ${{ secrets.APP_PASSWORD }} --team-id ${{ secrets.TEAM_ID }} --wait. It blocks until the notarization process has finished. (This example uses GitHub project secrets to provide private info. You can choose other ways to provide the password as written in Apple's documentation)
  4. Run command xcrun stapler staple <path_to_your_dmg>
  5. Finished! 🎉
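The CI steps in the comment above can be wrapped so that the build fails unless Apple actually accepted the submission, and the stapled ticket is validated afterwards. This is an added example, not part of the original comment or the plugin's own code; the `XCRUN` override, the function names, the environment variable names and the single-line shape of the JSON output are assumptions of the example.

```shell
#!/bin/sh
# Added example: notarize a DMG, stop unless the status is "Accepted",
# then staple the ticket and validate it.
# Do not enable `set -x` here: it would echo the app-specific password to the log.

# Overridable so the flow can be exercised without Xcode (assumption of this example).
XCRUN="${XCRUN:-xcrun}"

# Read notarytool JSON on stdin and print the value of its "status" field.
notary_status() {
  sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

notarize_and_staple() {
  dmg="$1"
  [ -f "$dmg" ] || { echo "no such file: $dmg" >&2; return 2; }
  if [ -z "${APPLE_ID:-}" ] || [ -z "${APP_PASSWORD:-}" ] || [ -z "${TEAM_ID:-}" ]; then
    echo "APPLE_ID, APP_PASSWORD and TEAM_ID must be set" >&2
    return 2
  fi

  # --wait blocks until Apple has processed the submission.
  out=$("$XCRUN" notarytool submit "$dmg" \
        --apple-id "$APPLE_ID" --password "$APP_PASSWORD" --team-id "$TEAM_ID" \
        --wait --output-format json) || { echo "notarytool submit failed" >&2; return 1; }

  # Check the reported status explicitly instead of trusting the exit code alone.
  status=$(printf '%s\n' "$out" | notary_status)
  if [ "$status" != "Accepted" ]; then
    echo "notarization status: ${status:-unknown}; not stapling" >&2
    return 1
  fi

  # Attach the ticket, then confirm it is really there before publishing the DMG.
  "$XCRUN" stapler staple "$dmg" || return 1
  "$XCRUN" stapler validate "$dmg" || return 1
}

# Run only when a DMG path is given, e.g.: sh notarize.sh build/MyApp.dmg
if [ "$#" -gt 0 ]; then
  notarize_and_staple "$1"
fi
```

In GitHub Actions the three variables would be set from the project secrets in the step's `env:` block.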

@hakanai
Author

hakanai commented Sep 23, 2022

Obviously we'd want this automated though.

I guess this plugin could run the command to staple the ticket as well, but we'd need a new name for the task unless people are fine with modifying the existing task to do it.

For my own purposes, if notarizeDmg waited for it to finish and stapled it for me that would be perfect. For work purposes, we might have other options... I'm not really sure.

@AlexeyTsvetkov
Collaborator

> On top of that, the order of operations seems different to what you'd gather from reading Apple's docs.

The discussions on Apple's developer forums seem to imply that stapling a Dmg should work https://developer.apple.com/forums/thread/671514

We will definitely document stapling.

> For my own purposes, if notarizeDmg waited for it to finish and stapled it for me that would be perfect. For work purposes, we might have other options... I'm not really sure.

We might also add a task to wait for the end of notarization and staple the resulting container. However, I am also not sure that it would be a universal solution.

AlexeyTsvetkov added a commit that referenced this issue Sep 7, 2023
AlexeyTsvetkov added a commit that referenced this issue Sep 19, 2023
AlexeyTsvetkov added a commit that referenced this issue Sep 19, 2023
See #3642 for details

Resolves #3208
Resolves #2253

---------

Co-authored-by: Michael Rittmeister <michael@rittmeister.in>