The problem is the following: We create a keychain item called NotaryTool (There are multiple accounts that use Notary tool and we created it for all of them ) This is created in the following way: $ xcrun notarytool store-credentials This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name. Profile name: NotaryTool We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified. Path to App Store Connect API private key: //AuthKey_ABCDEFGH.p8 App Store Connect API Key ID: <ABCDEFGH> App Store Connect API Issuer ID: ABCDEF-ABCD-1234-1234-1234567 Validating your credentials... Success. Credentials validated. Credentials saved to Keychain. To use them, specify `--keychain-profile "NotaryTool"` The key is downloaded from Apple and some other IDs are provided alongside. These should remain in the keychain for as long as the user process is running (just like any other process) A few runs are successful when we run with the profile that was created. After a few runs we start seeing a failure. Now we are seeing the following issue where the keychain item just vanishes: Error: No Keychain password item found for profile: NotaryTool\n\nRun 'notarytool store-credentials' to create another credential profile.\nError during the not process\nTue Aug 26 06:02:09 2025 Notarization failed with notarytool with exit code 17664: \nTue Aug 26 06:02:09 2025 could not upload for notarization!!!

Here is the situation: We are shipping an application bundle which is submitted to the notarization service for approval. The application bundle adheres to the notarization standards and is approved. Problem: We need to ship a zip file inside this application. This zip file has all the files that are signed. Most of the files are signed by us. However there are some 3P zip files which are not signed by us. We would rather not open these 3P zip files as there might be SLAs involved here. As a result we end up with a zip file which contains mixed signatures. This zip file needs to be part of that application that needs to be notarized. Question: What is the best way to do this in order for the notarization service to approve the application and ship the zip file as part of the application? Note: We don't know if all the files inside the 3P zips are correctly signed (example: With Hardened Runtime). They are all signed though Also, when the zip files contents are laid out onto the customer machine, they are all signed and validated. However, some files might not have hardened runtime. Thanks in advance.

We have an organization with multiple developers trying to develop apps. There are times where they want to find out if their app will pass notarization or not? We have a Developer ID Application certificate that we use to sign files right before production deployment and then for notarization approval. But this is not possible when developers are working in their sandboxes. Providing each developer their own Developer ID Application certificate for distribution is both not feasible and perhaps not very secure. Is there a way in which they can find out if their apps would pass the notarization tests without actually uploading to Apple?

I am in the process of notarizing a dmg file. We are getting some errors in the process. These errors can be retrieved from the notarytool -log option. However, I would like to get the error in a link form like we used to get with altool so that I could share it with my team. Does anyone know how to get a link for the failure log?

Hi everyone, Been working with Apple's notarization process for a while, and we've recently noticed some unexpected behavior. It seems like the notarization service might be looking inside ZIP archives contained within my app's distribution package. In the past, we don't recall the notarization process digging into ZIP files like this—only the main app bundle and its contents were scanned for signatures. Has there been a recent change or update to the notarization service that now includes inspecting files within ZIP archives? If so, are there specific guidelines or documentation updates regarding this change? Can anyone point me to what to expect and how to adjust my workflow accordingly. While "signing all the files" is the default answer, is there a more cohesive answer to this question? Thanks