How to notarize & sign your macOSX Godot app

In case you're running into trouble getting your MacOS app build signed & notarized in Godot 3.5, I solved it for my own app this week and wanted to share how I did it to help others.

First, follow the online guides for filling out the default export template (https://docs.godotengine.org/en/3.5/tutorials/export/exporting_for_macos.html).

Be sure to use proper credentials for the Code Signing section as mentioned in @minosvasilias comment here (https://github.com/godotengine/godot/issues/64544). Specifically:

open a Terminal window.

from the command line, run:
security find-identity -v -p codesigning

This gives you a list of your certificates.

Make sure there's a valid Developer ID Application listed. If not, log into your Apple Developer page and generate one, then download and install into your keychain.

Before the certificate name is a long string (like E1F1A15711B192C192761940Z1E18EFE1ABD1146). This is your certificate/codesigning identity for the export template in Godot.

You'll ALSO need to create an app-specific password. You do this on appleid.apple.com. Create a new app-specific password, give it any random name, and the website will spit back an auto-generated password in the format XXXX-XXXX-XXXX-XXXX. Copy and paste this password, you'll use this in the Notarization pane for the "Apple ID Password".

See discussion here: https://ask.godotengine.org/146388/macos-notarization-fails-due-to-package-invalid?show=146388#q146388

Once the information in the export template is complete, export the app as a DMG file.

It will run through the export, prompt you for your computer's password to access the keychain access keys (for me it prompted me 3 times in all), then finally spit out the DMG and a message that notarization failed.

Don't lose hope, we'll solve this in the command line.

How I notarized & stapled the macOS dmg file:

• export project as DMG from godot, get message that notarization fails

• open terminal, cd to directory where exported DMG file is

• xcrun notarytool submit <project>.dmg --apple-id <apple-id> --password <app-specific password> --team-id <team id>

got following response:

Conducting pre-submission checks for <project>.dmg and initiating connection to the Apple notary service...
Submission ID received
id: e27a4827-5036-4baa-8ac2-aaac2e165636
Upload progress: 100.00% (77.7 MB of 77.7 MB)
Successfully uploaded file
id: e27a4827-5036-4baa-8ac2-aaac2e165636
path: <path>/<project>.dmg

• xcrun notarytool log e27a4827-5036-4baa-8ac2-aaac2e165636 --apple-id <apple-id> --password <password> --team-id <team-id>

got following response:

{
"logFormatVersion": 1,
"jobId": "e27a4827-5036-4baa-8ac2-aaac2e165636",
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "<project>.dmg",
"uploadDate": "2023-10-24T18:27:20.677Z",
"sha256": "318f6eebcb7a9d3a69e43d86cb0a026114c22b0591750ced3598251f5df46a7a",
"ticketContents": [
{
"path": "<project>.dmg",
"digestAlgorithm": "SHA-256",
"cdhash": "fb63dfb1f6bc4340f9444837ae8f892b9be5e447"
},
{
"path": "<project>.dmg/<project>.app",
"digestAlgorithm": "SHA-256",
"cdhash": "4592e5cb11a14daac3d4e34887d968e7c5b47b9b",
"arch": "x86_64"
},
{
"path": "<project>.dmg/<project>.app",
"digestAlgorithm": "SHA-256",
"cdhash": "b8bfa05f6e125710f58dffa51a5266592f8fb75f",
"arch": "arm64"
},
{
"path": "<project>.dmg/<project>.app/Contents/MacOS/<project>",
"digestAlgorithm": "SHA-256",
"cdhash": "4592e5cb11a14daac3d4e34887d968e7c5b47b9b",
"arch": "x86_64"
},
{
"path": "<project>.dmg/<project>.app/Contents/MacOS/<project>",
"digestAlgorithm": "SHA-256",
"cdhash": "b8bfa05f6e125710f58dffa51a5266592f8fb75f",
"arch": "arm64"
}
],
"issues": null
}

• xcrun stapler staple <project>.dmg

got following response:

Processing: <path>/<project>.dmg
Processing: <path>/<project>.dmg
The staple and validate action worked!

Congrats! You have an app you can distribute.

Hope this helps.