Preparing Certificates for Notarisation

Posted by: Konstantin

How to configure a keychain profile for custom notarisation of binaries for macOS

The steps below should be familiar if you've been building applications targeting macOS. I was recently working on a client project involving a privileged `launchd` service and a companion desktop application, which made me revisit the process and refine the steps below for the current version of Xcode 16.

The procedure is largely the same for any binary executable targeting macOS, regardless of whether it was written in Swift, Rust, or another language.

The process begins by preparing the development environment to include the necessary certificates and keychain configuration. This applies both to local development and to a CI agent runner.

In order to sign and notarise a binary for distribution outside Apple's App Store, you need `Developer ID Application` and `Developer ID Installer` certificates for the team and organisation under which you're distributing the app. You can obtain these from the Apple Developer Portal > Certificates, IDs & Profiles > Certificates.

To verify that the certificates have been correctly installed on the system, run the following command; you should see both entries listed:

```shell
security find-identity -p basic -v
```

The notarisation process is carried out by `notarytool`, which needs access to an active developer account. To grant that access securely, `notarytool` can use a dedicated keychain profile created with an app-specific password, as described here.

To create an app-specific password for the Apple ID associated with your developer account, head to your Apple ID page at account.apple.com. The process is described in more detail in an Apple Support article.

With the installer and application certificates installed and your app-specific password in hand, we can finally create a keychain profile for use with `notarytool` on the system.

```shell
xcrun notarytool store-credentials --apple-id "xxxx@xxxxxxx.eu" --team-id "XXXXXXXXX"
```

Note: The Team ID you choose to provide here should be the one where the Application and Installer certificates have been created. That is the team for which you wish to sign and notarise the package.
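The steps above (check that both Developer ID identities are present, then store the `notarytool` credentials for the same Team ID) lend themselves to a small pre-flight script for a developer machine or CI runner. The following is an added example, not code from the original post: `check_identities` parses the text that `security find-identity -p basic -v` prints and succeeds only when both a `Developer ID Application` and a `Developer ID Installer` identity for the expected Team ID are listed. The identity hashes, organisation name and Team ID in the sample output are constructed placeholders, and the `RUN_LIVE_CHECK` variable is an assumption of this script, not a `notarytool` option.

```shell
#!/bin/sh
# Added example (not from the original post). Pre-flight check before signing
# or storing notarytool credentials: confirm both Developer ID identities for
# the expected Team ID are in the keychain.

# check_identities IDENTITY_LIST TEAM_ID
# IDENTITY_LIST is the output of `security find-identity -p basic -v`.
# Returns 0 when both "Developer ID Application" and "Developer ID Installer"
# identities for TEAM_ID are listed, 1 otherwise (missing ones are reported on stderr).
check_identities() {
    list="$1"
    team="$2"
    app_ok=1
    inst_ok=1
    # Parentheses are literal in basic regular expressions, so "($team)" matches
    # the "(TEAMID)" suffix that the identity's common name carries.
    printf '%s\n' "$list" | grep -q "\"Developer ID Application: .* ($team)\"" && app_ok=0
    printf '%s\n' "$list" | grep -q "\"Developer ID Installer: .* ($team)\"" && inst_ok=0
    if [ "$app_ok" -ne 0 ]; then
        echo "missing: Developer ID Application certificate for team $team" >&2
    fi
    if [ "$inst_ok" -ne 0 ]; then
        echo "missing: Developer ID Installer certificate for team $team" >&2
    fi
    [ "$app_ok" -eq 0 ] && [ "$inst_ok" -eq 0 ]
}

# Constructed sample, in the shape `security find-identity -p basic -v` prints
# (hashes, organisation and Team ID are placeholders, not real values).
SAMPLE_IDENTITIES='  1) ABCDEF0123456789ABCDEF0123456789ABCDEF01 "Developer ID Application: Example Org (XXXXXXXXX)"
  2) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Installer: Example Org (XXXXXXXXX)"
     2 valid identities found'

# Offline self-check against the constructed sample.
if check_identities "$SAMPLE_IDENTITIES" "XXXXXXXXX"; then
    echo "sample: both Developer ID identities present"
fi

# On a macOS host with the certificates installed, run the live check first and
# only then create the keychain profile (the command from the post; it prompts
# for the app-specific password). RUN_LIVE_CHECK=1 is this script's own switch.
if [ "${RUN_LIVE_CHECK:-0}" = "1" ] && command -v security >/dev/null 2>&1; then
    TEAM_ID="XXXXXXXXX"   # placeholder: the team that issued the certificates
    if check_identities "$(security find-identity -p basic -v)" "$TEAM_ID"; then
        xcrun notarytool store-credentials --apple-id "xxxx@xxxxxxx.eu" --team-id "$TEAM_ID"
    fi
fi
```

Running it with `RUN_LIVE_CHECK=1` on the build host refuses to store credentials when either certificate is absent or was issued for a different team, which catches the mismatch the note above warns about before a signing or notarisation job fails later in the pipeline.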
