Releasing an OpenFL project on MacOS - code signing and notarization

Hey friends!

So you’ve built your killer app in OpenFL, compiled it to every target, and are ready to start selling it to the masses. You can’t believe how easy everything has been, and you’re riding high, but then Apple complains about something called “notarization” and you get a sinking feeling in your stomach.

If you were building your software in XCode, this would be handled for you, but you’re not; and so you’ll need to do it manually. There aren’t a lot of examples of this process documented, so I’ll walk you through it here. Unfortunately, this all has to be done on a computer running MacOS. Blame Apple.

  1. Build your app for the macos target with openfl build macos. This will create at Export/macos/bin

  2. Create a Developer ID Application certificate from the Certificates, Identifiers & Profiles section of the Apple Developer dashboard. Download the certificate and add it to your keychain

  3. Sign your app with your developer certificate. This command will likely work for you: codesign --force --deep --options runtime --timestamp --sign "Developer ID Application: YourCompany (TEAMID)" Export/macos/bin/ (replace YourCompany, TEAMID, and the path to as needed)

  4. Try to run If it now crashes on startup, you will need some hardened runtime exceptions. The following is optional, only if your app crashes now:

    1. Edit Entitlements.plist inside (right click the app and choose “Show Package Contents.” Entitlements.plist is just inside the Contents folder)
    2. Add necessary hardened runtime exceptions. I can’t say exactly which you will need, but these are the ones that worked for me:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
    <plist version="1.0">
    1. Copy that Entitlements.plist file, and place it at your project root (or wherever you’re running your commands from). You’ll need it for signing.
    2. Sign your app with the additional --entitlements flag. No, I don’t know why it can’t just read the one inside the app. This worked for me: codesign --force --deep --entitlements Entitlements.plist --options runtime --timestamp --sign "Developer ID Application: YourCompany (TEAMID)" Export/macos/bin/
    3. Try running now. Hopefully it no longer crashes!
  5. Now that you have a signed app, you’re ready for notarization. The notarization tool wants a zipfile, so compress to

  6. You will need an Application Password, so generate one from the Sign-In and Security page.

  7. Run the notarization tool: xcrun notarytool submit --apple-id [email protected] --password YourAppPassword --team-id TEAMID --wait

  8. If everything goes well, your notarization request will be accepted! If not, the notarization log can be requested like this: xcrun notarytool log your-notarization-id --apple-id YourApp[email protected] --password YourAppPassword --team-id TEAMID

If all these steps went well, you should now have a signed and notarized application that you can deploy as you like! Good luck!


Thanks for sharing! Nicely detailed steps. This should really help some folks.


Wouldn’t have been possible without your help yesterday :black_heart:

1 Like

Can we add this to the docs somewhere?

1 Like