fix(notarize): auto-retrieve notarytool log on status: Invalid (#1251)

TimeToBuildBob · web-flow · commit c94ac70b53ec · 2026-04-09T15:39:49.000+02:00
* fix(notarize): auto-retrieve notarytool log on status: Invalid

When Apple's notarization returns 'status: Invalid', the rejection
reason is only available via 'xcrun notarytool log &lt;UUID&gt;'. Previously
this required running the command manually after CI failed, adding a
debugging round-trip.

Now the script captures the submission output, extracts the UUID, and
automatically fetches the rejection log from Apple's server. The full
JSON log (which lists every rejected binary with the specific error) is
printed directly in CI output, making the next failure self-diagnosing.

* fix(notarize): stream notarytool output in real-time via tee

Addresses Greptile P1: the $() subshell was buffering all notarytool
submit --wait output until completion (~minutes), silencing CI progress.

Fix: pipe through tee to a temp file so output streams in real-time,
then read the temp file for pattern matching. Use PIPESTATUS[0] to
capture the true exit status through the pipe.

Also fixes non-POSIX \s → [[:space:]] in grep pattern.
diff --git a/scripts/notarize.sh b/scripts/notarize.sh
@@ -8,15 +8,33 @@ bundleid=net.activitywatch.ActivityWatch # Match aw.spec
 app=dist/ActivityWatch.app
 dmg=dist/ActivityWatch.dmg
 
-# XCode >= 13 
+# XCode >= 13
 run_notarytool() {
     dist=$1
     # Setup the credentials for notarization
     xcrun notarytool store-credentials $keychain_profile --apple-id $applemail --team-id $teamid --password $password
-    # Notarize and wait
+    # Notarize and wait; tee to a temp file so output streams in real-time
+    # while we can still inspect it afterward for failure details.
     echo "Notarization: starting for $dist"
     echo "Notarization: in progress for $dist"
-    xcrun notarytool submit $dist --keychain-profile $keychain_profile --wait
+    tmpfile=$(mktemp)
+    xcrun notarytool submit $dist --keychain-profile $keychain_profile --wait 2>&1 | tee "$tmpfile"
+    submission_exit=${PIPESTATUS[0]}
+    submission_output=$(cat "$tmpfile")
+    rm -f "$tmpfile"
+    # On failure, retrieve the detailed rejection log from Apple's server.
+    # This avoids having to run 'notarytool log' manually after the fact.
+    if echo "$submission_output" | grep -q "status: Invalid"; then
+        uuid=$(echo "$submission_output" | grep '^[[:space:]]*id:' | head -1 | awk '{print $NF}')
+        if [ -n "$uuid" ]; then
+            echo ""
+            echo "=== Notarization rejected (status: Invalid) — fetching rejection log for $uuid ==="
+            xcrun notarytool log "$uuid" --keychain-profile $keychain_profile 2>&1 || true
+            echo "=== End of rejection log ==="
+        fi
+        return 1
+    fi
+    return $submission_exit
 }
 
 # XCode < 13 
