No local hardware: runbook for submit, logs, staple, and offline validation on a cloud Mac
Shipping a DMG, PKG, or signed tool outside the Mac App Store is a different contract than uploading an iOS build. Gatekeeper and Apple notarization surface failures early, at signing consistency, hardened runtime, ticket materialization, and stapling. On a leased cloud Mac, the hard part is rarely a missing notarytool; it is usually evidence: submission UUIDs, complete notarytool log JSON, same-user Keychain items, and a clock that agrees with TLS. This article targets Windows-first or Linux-first teams: pain points, a three-path matrix (SSH-only, mixed, VNC-led), an eight-step runbook, four ticket-grade conclusions, and a twenty-minute same-user VNC grid. Cross-links: first-run checklist, clock skew runbook, Fastlane Match matrix, emergency hotfix operating room.
Outside the store, users judge your binary with Gatekeeper heuristics you do not control. A leased Mac removes the “I do not own Apple Silicon” constraint but introduces operational risk: session split (build user A, notarize user B), clock drift after sleep or image restore, proxy paths that break long-lived TLS to Apple services, and lease boundaries that delete intermediate zips if you never promoted artifacts to durable storage. Teams also confuse “Accepted” with “done”: stapling and validating the carrier still matter for many DMG workflows, and skipping validation turns release engineering into folklore.
- Lost logs, blind resubmits: without archiving the notarytool log, you burn quota on the same entitlement mistake.
- Store vs outside-store: Organizer flows do not replace notary evidence; credentials and failure semantics differ.
- SSH-only Keychain theater: commands return zero while UI consent never happened for the signing identity you think you used.
- Runtime drift: hardened runtime and sandbox flags must be resolved in Xcode, not by tweaking zip flags.
- No frozen fingerprint row: reviewers cannot reproduce the sw_vers, Xcode build, and notarytool versions you used.
- Disk pressure: notary zips plus Archives consume SSD fast; pair this runbook with disk cleanup policies.
| Step / evidence | SSH-only | Mixed (SSH build + VNC finish) | VNC-led |
|---|---|---|---|
| Archive signed .app | Usually fine | Fine | Best for beginners who need visual confirmation |
| Zip and submit | Fine | Fine | Fine |
| Poll info / fetch log | Fine | Fine | Fine |
| Keychain / Apple ID / 2FA | High risk | Recommended | Recommended |
| Staple + validate | Partial | Recommended | Recommended |
| Explain failure to non-engineers | Weak | Strong | Strongest |
Mixed mode is usually the cost sweet spot: automate packaging over SSH, then switch to the same macOS user in VNC for Keychain-bound steps, stapling, and a recorded smoke open. If your organization mandates auditable releases, treat “VNC mandatory steps” as first-class fields in the change ticket, not tribal knowledge. When corporate proxies sit between the rented Mac and Apple, capture curl -v handshakes and proxy bypass rules before you blame entitlements.
Your currency is submission UUID + log JSON + same-user Keychain evidence.

1. Fingerprint row: record sw_vers, xcodebuild -version, notarytool version, and lease id; if clocks were touched, attach the three-step screen flow from the clock skew article.
2. Pre-flight signing: run codesign -dv --verbose=4 and spctl -a -vv on the app; if Match is in play, reconcile identities with the Match runbook first.
3. Build the upload zip: preserve symlinks intentionally; compute the SHA256 for the ticket.
4. Submit: prefer stored credentials over shell-echoed app passwords; paste submission ids verbatim into the ticket.
5. Pull logs on any non-success: save the JSON before rebuilding; map each issue to code signing, hardened runtime, or packaging.
6. Fix in Xcode, not in zip duct tape: entitlement mismatches need project settings, not another compression pass.
7. Staple and validate: xcrun stapler staple, then validate per Apple guidance for your carrier.
8. Smoke and promote: double-click on a clean profile or a second machine; upload artifacts and logs to durable storage decoupled from the hourly node. For App Store parallel work, keep notary credentials separate from store session tokens to avoid rotation collisions.
```bash
# Fingerprint row for the ticket
xcodebuild -version
xcrun notarytool --version
# Pre-flight signing check
codesign -dv --verbose=4 "Your.app"
# Upload zip; ditto keeps the bundle's symlinks and parent directory intact
ditto -c -k --keepParent "Your.app" "Your.zip"
# Submit and wait; copy the "id:" line verbatim into the ticket
xcrun notarytool submit "Your.zip" --apple-id "$APPLE_ID" --team-id "$TEAM_ID" \
  --password "$APP_SPECIFIC" --wait
# Fetch the full log JSON on any non-success (log needs the same credentials)
xcrun notarytool log "$SUBMISSION_ID" --apple-id "$APPLE_ID" --team-id "$TEAM_ID" \
  --password "$APP_SPECIFIC" > notary-log.json
# Staple the ticket to the carrier and validate it offline
xcrun stapler staple "Your.dmg"
xcrun stapler validate "Your.dmg"
```
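A small triage helper for the log step of the runbook (an added example, not code from this page or from Apple's tooling): it reads a notarytool log JSON, maps each issue to the runbook's three fix buckets by keyword, and returns the per-bucket error counts you paste into the ticket. The embedded log is constructed for the example (illustrative message texts, placeholder jobId); a saved notary-log.json has the same top-level fields and can be passed to triage() as-is.

```python
# Added example: triage a notarytool log JSON into the runbook's three buckets.
# Not Apple tooling. The sample log is constructed after the documented log
# shape (status, issues[] with severity/path/message); messages are
# illustrative and the jobId is a placeholder UUID.
import json
import re

# Hardened-runtime wording is tested first so entitlement issues do not fall
# into the generic signing bucket.
RULES = [
    ("hardened runtime", re.compile(r"hardened runtime|entitlement", re.I)),
    ("code signing", re.compile(r"sign|Developer ID|certificate|timestamp", re.I)),
    ("packaging", re.compile(r"zip|symlink|archive|payload|bundle", re.I)),
]

def classify(message: str) -> str:
    """Map one issue message to a fix bucket, or 'unclassified'."""
    for bucket, pattern in RULES:
        if pattern.search(message):
            return bucket
    return "unclassified"

def triage(log_text: str) -> dict:
    """Ticket-grade summary: submission id, status, error counts per bucket."""
    log = json.loads(log_text)
    rows = [{"severity": i.get("severity"), "path": i.get("path"),
             "message": i.get("message"), "bucket": classify(i.get("message", ""))}
            for i in (log.get("issues") or [])]
    counts: dict = {}
    for r in rows:
        if r["severity"] == "error":  # warnings are recorded but not counted
            counts[r["bucket"]] = counts.get(r["bucket"], 0) + 1
    return {"submission_id": log.get("jobId"), "status": log.get("status"),
            "error_buckets": counts, "issues": rows}

# Constructed sample, not real notarytool output.
SAMPLE_LOG = json.dumps({
    "status": "Invalid", "jobId": "00000000-0000-0000-0000-000000000000",
    "issues": [
        {"severity": "error", "path": "Your.zip/Your.app/Contents/MacOS/Your",
         "message": "The executable does not have the hardened runtime enabled."},
        {"severity": "error", "path": "Your.zip/Your.app/Contents/MacOS/Your",
         "message": "The signature does not include a secure timestamp."},
        {"severity": "warning", "path": "Your.zip/Your.app/Contents/Resources/link",
         "message": "The archive contains a symlink to an absolute path."},
    ],
})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```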
Operational detail: on shared hosts, rotate app-specific passwords through a named owner and log the rotation event next to your Match repo ACL changes. If automation and manual notarization share one home directory, namespace zip output paths away from DerivedData to prevent accidental inclusion of debug symbols. When logs implicate networking, verify whether split-tunnel rules send Apple traffic through an intercepting proxy that requires human login pages; that failure mode mimics entitlement errors but clears once the path is clean.
Regional incidents happen: record where you submitted from and where customers consume, so you can tell a partial Apple outage from a bad build. For multi-product shops, index bundle id + submission UUID in your release database instead of scattering files across personal Downloads folders. Finally, rehearse rollback: keep the last known-good stapled DMG and its log bundle immutable once shipped; if you must hot-patch, branch evidence rather than overwriting the prior UUID archive.
| Check | VNC evidence | SSH evidence | Pass |
|---|---|---|---|
| Same user | Menu bar name | id -un | Matches ticket |
| Clock and TLS | Date & Time pane | sntp / curl probe | Aligned with runbook |
| Submit ok | Optional doc browser | submission id line | UUID stored |
| Log clean | Visual JSON scan | jq issues empty | Accepted reproducible |
| Staple valid | Optional screen recording | stapler validate ok | Offline open clean |
Timestamp alignment ends debates: staple time, submission time, and NTP screenshots should fit a short narrative your PM can forward. If you run parallel CI lanes, attach listener tables to prove no ghost notarytool processes competed for credentials overnight.
Apple’s own flag reference remains authoritative; this article optimizes for leased remote Mac operations and VNC evidence. Keep App Store uploads on a separate change record from notary submissions to reduce credential coupling.
Related reading and takeaways:

- Connect, clipboard, minimal Xcode path.
- NTP, timezone, certificate validity.
- Certificates and SSH vs VNC matrix.
- For typical DMG distribution, stapling materially helps offline validation; confirm carrier rules in Apple docs and archive the validate output.
- Submit and poll often work; use same-user VNC for Keychain and visual consent chains.
- Clock skew, proxies, lease expiry, split-user Keychain: run the grid before deep log reading.
- Freeze the submission id, save the log JSON, map issues to signing and entitlements, and avoid blind resubmits.
The expensive part of notarization is not upload minutes; it is whether a third engineer can reproduce your evidence bundle next quarter. SSH-heavy automation is excellent for throughput, yet the boundary where macOS expects consent and Keychain continuity still wants a graphical session under the same account that owns the signing identity. Owning hardware shifts depreciation, office bandwidth, and on-call “who clicks Allow” scheduling onto you; for episodic macOS release work, that overhead often exceeds predictable hourly rent.
Leasing an Apple Silicon remote Mac keeps baseline images and uptime with a provider while preserving your control over project directories and secrets policies. You can align notarytool log with Date & Time settings and browser checks in one desktop session, which is the same engineering language we use across Xcode signing articles on this site.
To run the same acceptance style on a remote Mac, use VNCMac; connection guidance lives in the help center.