by lunixbochs 1879 days ago
I auto notarize my app when I push to a release-candidate branch even if I don't deploy it. I also have a general code signing CI test that catches stuff before notarization would. I believe I've never, in thousands of pushes to this branch, hit a non-obvious notarization issue.

The main annoying thing so far for me using notarization long term is the terms and conditions signing step, which is silly because they're only updating the paid apps contract and we're notarizing explicitly so we can distribute outside the app store.


Smoke-testing your code signing is a good idea, and would probably catch most notarization issues. Aside from those, though, I've encountered numerous issues with embedded frameworks and app extensions whose error reporting wouldn't be described as obvious. Catching those right away rather than right before you are trying to deploy a release is critical.
`spctl -v --assess -t execute` is crucial.

My app layout is fairly complicated, so I'm sure I'm exercising a lot of the corner cases: https://news.ycombinator.com/item?id=26996223

I check that executables don't depend on libraries from outside the app, I check that I successfully shipped everything as universal2, and I check for stuff like .DS_Store and vim .swp files.

Here's my final stage check script, which staples notarization and checks the stapled dmg at the end as well: https://gist.github.com/lunixbochs/3d5eaf04e789932f8a19ca0fc...

I shared notary.sh in another comment: https://news.ycombinator.com/item?id=26996457
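The checks listed in this comment (no dependencies on libraries outside the bundle, universal2 slices everywhere, no .DS_Store or vim .swp debris, a `spctl` assessment, and a stapled dmg validated at the end), pulled together into one pre-release script as an added example. This is not the commenter's own check script or notary.sh (those are at the links above); it assumes the .app path as the first argument and an optional dmg path as the second, that the Xcode tools `codesign`, `spctl`, `otool`, `lipo` and `stapler` are installed, and the choice of which install-name prefixes count as "inside the app or the OS" is my own.

```shell
#!/usr/bin/env bash
# Added example release-check script; not the commenter's notary.sh.
# Usage: ./release-check.sh /path/to/My.app [/path/to/My.dmg]
# Assumes Xcode command line tools (codesign, spctl, otool, lipo, stapler).
set -eu

# Reads `otool -L` output on stdin and prints every install name that will
# not resolve on a customer's Mac: not inside the bundle ($1), not an
# @rpath/@executable_path/@loader_path reference, not a system library.
# Homebrew paths such as /usr/local/lib or /opt/homebrew/lib are the
# classic offenders. Which prefixes count as "system" here is an assumption.
filter_external_deps() {
    awk -v app="${1:-}" '
        NF == 0 || /:$/ { next }                  # blank line or "binary:" header
        { sub(/^[ \t]+/, ""); split($0, f, " "); p = f[1] }
        p ~ /^@(rpath|executable_path|loader_path)\// { next }
        p ~ /^\/usr\/lib\// || p ~ /^\/System\/Library\// { next }
        app != "" && index(p, app) == 1 { next }
        { print p }
    '
}

# $1 is the space-separated list printed by `lipo -archs`; succeeds only if
# both slices of a universal2 build (arm64 and x86_64) are present.
archs_are_universal2() {
    local archs=" $1 "
    case "$archs" in *" arm64 "*) ;; *) return 1 ;; esac
    case "$archs" in *" x86_64 "*) ;; *) return 1 ;; esac
    return 0
}

# Finder and vim debris that should never ship inside a signed bundle.
stray_files() {
    find "$1" \( -name '.DS_Store' -o -name '*.swp' \) -print
}

check_bundle() {
    local app="$1" fail=0 problems

    echo "== stray files"
    problems=$(stray_files "$app")
    if [ -n "$problems" ]; then printf '%s\n' "$problems"; fail=1; fi

    echo "== external dependencies and universal2 slices"
    # Every Mach-O in the bundle: main executable, frameworks, XPC services,
    # app extensions, loose dylibs. Output is collected into a variable so the
    # subshell created by the pipeline cannot swallow a failure.
    problems=$(find "$app" -type f \( -perm -u+x -o -name '*.dylib' \) |
        while IFS= read -r f; do
            file -b "$f" | grep -q 'Mach-O' || continue
            otool -L "$f" | filter_external_deps "$app" | sed "s|^|$f -> external |"
            archs=$(lipo -archs "$f")
            archs_are_universal2 "$archs" || echo "$f -> not universal2 ($archs)"
        done)
    if [ -n "$problems" ]; then printf '%s\n' "$problems"; fail=1; fi

    echo "== signature and Gatekeeper assessment"
    codesign --verify --deep --strict --verbose=2 "$app" || fail=1
    spctl -v --assess -t execute "$app" || fail=1
    return "$fail"
}

# Staple the notarization ticket to the dmg, then assess the stapled image
# the way Gatekeeper does when a user opens it.
check_dmg() {
    xcrun stapler staple "$1"
    xcrun stapler validate "$1"
    spctl -a -t open --context context:primary-signature -v "$1"
}

if [ "$#" -ge 1 ]; then
    check_bundle "$1" || { echo "bundle checks FAILED"; exit 1; }
    if [ "$#" -ge 2 ]; then check_dmg "$2"; fi
    echo "all checks passed"
fi
```

The dependency filter is deliberately strict: anything that is not an `@rpath`-style reference, a path under the bundle itself, or a system library gets reported, because a Homebrew dylib that happens to exist on the build machine is exactly the kind of problem that only surfaces when a customer launches the app. Run it from the CI job that builds the release-candidate branch so the failure shows up on the push, not on release day.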