How to sign a macOS app without Xcode

Thanks to the apple-platform-rs project you can sign your app without Xcode.

Thanks to the amazing apple-platform-rs [GitHub] project with the rcodesign CLI you can sign your app without Xcode. But you still need a 100$ developer account. Here are the steps:

1) Create a private key, this one must be protected.

openssl genrsa -out privatekey.pem 2048

2) Creating CSR (Code Signing Request)

rcodesign generate-certificate-signing-request --pem-file privatekey.pem --csr-pem-file request_to_apple.csr

3) Visit Apple Developer Portal to create a new certificate

Select "Developer ID Application", upload the request_to_apple.csr and then Download the generated developerID_application.cer to the same location as the private key. The certificate does not need to be protected.

4) Sign the app, in the following example we have an in the same folder

rcodesign sign --certificate-der-file "developerID_application.cer" --pem-file "privatekey.key" --code-signature-flags runtime

5) Next we want to "notarize" the application which means we upload it to Apple it will be scanned for virus or malicious code and then marked as safe.

In the App Store Connect Portal [link] create a new API key with access "Developer". Download the Key file, replace the ISSUER_ID and KEY_ID in the following command and run it. This will create a appstoreconnect.json that combines the credentials used for the API.

rcodesign encode-app-store-connect-api-key -o appstoreconnect.json "ISSUER_ID" "KEY_ID" "AuthKey_XXXXXXX.p8"

6) Submit the app for notarization

rcodesign notary-submit --api-key-file appstoreconnect.json --staple

7) Zip the result

zip -9 -y -r -q ""

8) Test. If a mac downloads the zip file and opens it, there will be a confirmation dialog that mentions that the app is safe. 🎉

GitHub Action

To sign the app inside the Github Action

      - name: Mac Sign
          # secrets are stored in Settings > Secrets and Variables, base64 encoded
        shell: bash
        run: |
          set -ex
          echo $DEVELOPER_CERTIFICATE | base64 --decode > developerID_application.cer
          echo $DEVELOPER_PRIVATE_KEY | base64 --decode > privatekey.pem
          echo $APPSTORE_CONNECT_JSON | base64 --decode > appstoreconnect.json
          wget -q \
          && tar -xzvf apple-codesign-0.26.0-x86_64-unknown-linux-musl.tar.gz -C bin --strip-components=1          
          ./bin/rcodesign sign --verbose --certificate-der-file "developerID_application.cer" --pem-file "privatekey.pem" --code-signature-flags runtime ./build/mac/$
          ./bin/rcodesign notary-submit --api-key-file appstoreconnect.json --staple ./build/mac/$
          cd ./build/mac/
          zip -9 -y -r -q $ $