Add a MacOsNotarizationCredentials variant to use a keychain profile for notarytool settings and password. (#353)

trepidacious · lucasfernog-crabnebula · web-flow · commit d49b606ba8a6 · 2025-08-06T10:51:40.000-03:00
* Add a `MacOsNotarizationCredentials` variant to use a keychain profile for notarytool settings and password. This allows notarytool to use an Apple ID, Team ID and app-specific password stored in the keychain, by just providing the keychain profile as an env var. This reduces the number of env vars needed, and means the password isn't in a variable as plain text. This approach is described under "Upload your app to the notarization service" here: https://developer.apple.com/documentation/security/customizing-the-notarization-workflow * Apply suggestions from code review * add change file --------- Co-authored-by: Lucas Nogueira <118899497+lucasfernog-crabnebula@users.noreply.github.com>
diff --git a/.changes/notarize-keychain.md b/.changes/notarize-keychain.md
@@ -0,0 +1,6 @@
+---
+"cargo-packager": patch
+"@crabnebula/packager": patch
+---
+
+Allow using notarization credentials stored on the Keychain by providing the `APPLE_KEYCHAIN_PROFILE` environment variable. See `xcrun notarytool store-credentials` for more information.
diff --git a/crates/packager/src/codesign/macos.rs b/crates/packager/src/codesign/macos.rs
@@ -410,72 +410,79 @@ impl NotarytoolCmdExt for Command {
                 .arg(key_path)
                 .arg("--issuer")
                 .arg(issuer),
+            MacOsNotarizationCredentials::KeychainProfile { keychain_profile } => {
+                self.arg("--keychain-profile").arg(keychain_profile)
+            }
         }
     }
 }
 
 #[tracing::instrument(level = "trace")]
 pub fn notarize_auth() -> crate::Result<MacOsNotarizationCredentials> {
-    match (
-        std::env::var_os("APPLE_ID"),
-        std::env::var_os("APPLE_PASSWORD"),
-        std::env::var_os("APPLE_TEAM_ID"),
-    ) {
-        (Some(apple_id), Some(password), Some(team_id)) => {
-            Ok(MacOsNotarizationCredentials::AppleId {
-                apple_id,
-                password,
-                team_id,
-            })
-        }
-        _ => {
-            match (
-                std::env::var_os("APPLE_API_KEY"),
-                std::env::var_os("APPLE_API_ISSUER"),
-                std::env::var("APPLE_API_KEY_PATH"),
-            ) {
-                (Some(key_id), Some(issuer), Ok(key_path)) => {
-                    Ok(MacOsNotarizationCredentials::ApiKey {
-                        key_id,
-                        key_path: key_path.into(),
-                        issuer,
-                    })
-                }
-                (Some(key_id), Some(issuer), Err(_)) => {
-                    let mut api_key_file_name = OsString::from("AuthKey_");
-                    api_key_file_name.push(&key_id);
-                    api_key_file_name.push(".p8");
-                    let mut key_path = None;
-
-                    let mut search_paths = vec!["./private_keys".into()];
-                    if let Some(home_dir) = dirs::home_dir() {
-                        search_paths.push(home_dir.join("private_keys"));
-                        search_paths.push(home_dir.join(".private_keys"));
-                        search_paths.push(home_dir.join(".appstoreconnect/private_keys"));
-                    }
-
-                    for folder in search_paths {
-                        if let Some(path) = find_api_key(folder, &api_key_file_name) {
-                            key_path = Some(path);
-                            break;
-                        }
-                    }
-
-                    if let Some(key_path) = key_path {
+    if let Some(keychain_profile) = std::env::var_os("APPLE_KEYCHAIN_PROFILE") {
+        Ok(MacOsNotarizationCredentials::KeychainProfile { keychain_profile })
+    } else {
+        match (
+            std::env::var_os("APPLE_ID"),
+            std::env::var_os("APPLE_PASSWORD"),
+            std::env::var_os("APPLE_TEAM_ID"),
+        ) {
+            (Some(apple_id), Some(password), Some(team_id)) => {
+                Ok(MacOsNotarizationCredentials::AppleId {
+                    apple_id,
+                    password,
+                    team_id,
+                })
+            }
+            _ => {
+                match (
+                    std::env::var_os("APPLE_API_KEY"),
+                    std::env::var_os("APPLE_API_ISSUER"),
+                    std::env::var("APPLE_API_KEY_PATH"),
+                ) {
+                    (Some(key_id), Some(issuer), Ok(key_path)) => {
                         Ok(MacOsNotarizationCredentials::ApiKey {
                             key_id,
-                            key_path,
+                            key_path: key_path.into(),
                             issuer,
                         })
-                    } else {
-                        Err(Error::ApiKeyMissing {
-                            filename: api_key_file_name
-                                .into_string()
-                                .expect("failed to convert api_key_file_name to string"),
-                        })
                     }
+                    (Some(key_id), Some(issuer), Err(_)) => {
+                        let mut api_key_file_name = OsString::from("AuthKey_");
+                        api_key_file_name.push(&key_id);
+                        api_key_file_name.push(".p8");
+                        let mut key_path = None;
+
+                        let mut search_paths = vec!["./private_keys".into()];
+                        if let Some(home_dir) = dirs::home_dir() {
+                            search_paths.push(home_dir.join("private_keys"));
+                            search_paths.push(home_dir.join(".private_keys"));
+                            search_paths.push(home_dir.join(".appstoreconnect/private_keys"));
+                        }
+
+                        for folder in search_paths {
+                            if let Some(path) = find_api_key(folder, &api_key_file_name) {
+                                key_path = Some(path);
+                                break;
+                            }
+                        }
+
+                        if let Some(key_path) = key_path {
+                            Ok(MacOsNotarizationCredentials::ApiKey {
+                                key_id,
+                                key_path,
+                                issuer,
+                            })
+                        } else {
+                            Err(Error::ApiKeyMissing {
+                                filename: api_key_file_name
+                                    .into_string()
+                                    .expect("failed to convert api_key_file_name to string"),
+                            })
+                        }
+                    }
+                    _ => Err(Error::MissingNotarizeAuthVars),
                 }
-                _ => Err(Error::MissingNotarizeAuthVars),
             }
         }
     }
diff --git a/crates/packager/src/config/mod.rs b/crates/packager/src/config/mod.rs
@@ -680,6 +680,17 @@ pub enum MacOsNotarizationCredentials {
         /// Path to the API key file.
         key_path: PathBuf,
     },
+    /// Keychain profile with a stored app-specific password for notarytool to use
+    /// Passwords can be generated at https://account.apple.com when signed in with your developer account.
+    /// The password must then be stored in your keychain for notarytool to access,
+    /// using the following, with the appopriate Apple and Team IDs:
+    /// `xcrun notarytool store-credentials --apple-id "name@example.com" --team-id "ABCD123456"`
+    /// This will prompt for a keychain profile name, and the password itself.
+    /// This setting can only be provided as an environment variable "APPLE_KEYCHAIN_PROFILE"
+    KeychainProfile {
+        /// The keychain profile name (as provided when the password was stored using notarytool)
+        keychain_profile: OsString,
+    },
 }
 
 /// The macOS configuration.
