
@SoCuul
Last active April 10, 2026 01:13
Notarize & staple bundles/DMGs with Apple
#!/usr/bin/env bash
set -u -o pipefail

# Keychain profile that notarytool reads its credentials from (created with
# `xcrun notarytool store-credentials`). Referencing the profile by name keeps
# the Apple ID / app-specific password out of this script and out of argv.
# Replace the placeholder before running.
PROFILE="<keychain-profile-name>"

# The bundle or DMG to notarize is the first (required) argument.
if (( $# < 1 )); then
  printf '\n%s\n\n' "Usage: notarize <bundle/dmg>"
  exit 1
fi

bundle="$1"
# https://stackoverflow.com/a/78304619/14239936
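#######################################
# Upload "$bundle.zip" to the notary service and print the submission id.
# Globals:   PROFILE (read), bundle (read)
# Outputs:   the submission id on stdout; nothing when no id was obtained
# Returns:   0 when an id was printed, non-zero otherwise
#######################################
function submit() {
  local id
  id="$(
    xcrun notarytool submit --no-progress -f json \
      --keychain-profile "$PROFILE" \
      "$bundle.zip" |
      jq -r .id
  )" || return

  # `jq -r .id` prints the literal string "null" when the response carries no
  # "id" field (for example an error document). Passing that on would defeat
  # the caller's empty-string check and leave it polling a submission that
  # does not exist, so treat it as "no id".
  [[ -n "$id" && "$id" != "null" ]] || return 1

  printf '%s\n' "$id"
}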
#######################################
# Probe whether the notary log for the current submission can be fetched.
# Globals:   PROFILE (read), submissionId (read); positional arguments are
#            not used.
# Outputs:   none, stdout and stderr of notarytool are discarded
# Returns:   the exit status of `xcrun notarytool log`
# NOTE(review): the caller treats every non-zero status as "not finished yet".
# Because the output is discarded, an authentication failure or an unknown
# submission id looks the same as a submission that is still being processed.
#######################################
function status() {
  xcrun notarytool log --keychain-profile "$PROFILE" "$submissionId" &>/dev/null
}
#######################################
# Print a blank line followed by the notary log of the current submission.
# Globals:   PROFILE (read), submissionId (read); positional arguments are
#            not used.
# Outputs:   the notarytool log output on stdout
# Returns:   the exit status of `xcrun notarytool log`
#######################################
function log() {
  printf '\n'
  xcrun notarytool log --keychain-profile "$PROFILE" "$submissionId"
}
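# Main flow: archive the bundle, submit it, wait for the notary service to
# finish, print its log, and staple the ticket. The script runs without
# `set -e`, so every step whose failure must stop the run is checked here.

# Remove an archive left over from an earlier run; rm -i asks before deleting.
if [ -f "$bundle.zip" ]; then
  rm -i -- "$bundle.zip"
fi
echo

# Compress
echo -n "Compressing..."
# Stop on a failed archive step so that a stale or partial "$bundle.zip" is
# never the thing that gets submitted.
if ! /usr/bin/ditto -c -k --keepParent "$bundle" "$bundle.zip"; then
  echo " Failed" >&2
  exit 1
fi
echo " Done"

# Upload
echo -n "Uploading..."
# Reject a failed submit, an empty id, and the literal "null" that
# `jq -r .id` prints when the response has no id field.
if ! submissionId="$(submit)" \
  || [[ -z "$submissionId" || "$submissionId" == "null" ]]; then
  echo " Failed" >&2
  echo "No submission ID was returned; check the keychain profile and network access." >&2
  exit 1
fi
echo " Done"

# Notarize
echo
echo "Submission ID: $submissionId"
echo
echo -n "Notarizing..."
# status() hides notarytool's output, so a credential or id problem would
# otherwise poll forever. Bound the wait; NOTARIZE_MAX_WAIT (seconds of sleep
# time, default 3600) overrides the limit. The value is validated as digits
# before it reaches arithmetic evaluation.
max_wait="${NOTARIZE_MAX_WAIT:-3600}"
[[ "$max_wait" =~ ^[0-9]+$ ]] || max_wait=3600
waited=0
until status "$submissionId"; do
  if (( waited >= max_wait )); then
    echo " Timed out" >&2
    echo "Inspect the submission with: xcrun notarytool info --keychain-profile \"$PROFILE\" $submissionId" >&2
    exit 1
  fi
  sleep 2 || true
  waited=$(( waited + 2 ))
done
echo " Done"
log "$submissionId"

# A log is produced for rejected submissions as well, so confirm the verdict
# before stapling instead of relying on the log fetch having succeeded.
verdict="$(
  xcrun notarytool info -f json \
    --keychain-profile "$PROFILE" \
    "$submissionId" |
    jq -r '.status // empty'
)"
if [[ "$verdict" != "Accepted" ]]; then
  echo "Notarization status is '${verdict:-unknown}', not 'Accepted'; skipping staple." >&2
  exit 1
fi

# Staple
echo
# Last command: its exit status becomes the script's exit status.
xcrun stapler staple "$bundle"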
#!/usr/bin/env bash
set -euo pipefail

# notarizeverify: run `stapler validate` on the given bundle or DMG and exit
# with its status.
# NOTE(review): this checks the stapled notarization ticket only. Code
# signature validity and Gatekeeper policy are separate checks
# (`codesign --verify`, `spctl --assess`) that this script does not run.

# The item to validate is the first (required) argument.
if (( $# < 1 )); then
  printf '\n%s\n\n' "Usage: notarizeverify <bundle/dmg>"
  exit 1
fi

xcrun stapler validate "$1"