2026 Cross-Border Apple Delivery: notarytool Notarization Upload Timeouts & Long-Tail Pipelines—Multi-Region Physical Mac Node Selection (Matrix + CLI + FAQ)
Release engineers in multiple countries often see notarytool uploads stall, CI jobs die just before Accepted, and “random” long tails that are actually geographic. This guide names who is affected, gives two threshold decision matrices (symptom routing and regional pool pick), copy-paste notarytool invocations, a seven-step rollout, quotable timing numbers, and an FAQ—so you can standardize on physical Mac pools per region instead of one overloaded hop.
1. Pain points: notarytool is sensitive to the path, not just the binary
- Single-region Mac behind a bad Apple-facing path. Small Git operations can succeed while multi-hundred-megabyte notarization uploads retry for hours—especially when loss or bufferbloat spikes on cross-border segments.
- CI timeouts shorter than your notarization P99. Teams size jobs for compile, then forget that --wait may sit in queue plus scan time; the tail dominates weekly SLO breaches.
- Implicit cost of flaky retries. Each resubmit creates a new submission ID, confuses dashboards, and burns human time triaging “ghost” failures that are really network policy.
- Proxy and inspection policies. Corporate TLS middleboxes that work for browsers sometimes break long-lived CLI uploads unless Apple endpoints are allow-listed—an audit and security discussion, not a quick firewall ticket.
For how multi-region governance intersects with CapEx vs OpEx on Mac pools, see 2026 Cross-Border Apple Teams: buy vs rent multi-region nodes (TCO matrix).
2. Symptom → likely cause → action matrix
Use this table during incident review; it keeps discussion on measurable signals instead of “Apple was slow today.”
| Symptom | Likely cause | First action |
|---|---|---|
| Progress freezes at upload; CPU idle | RTT tail, loss, or proxy buffering | Re-run from a labeled Mac in the nearest clean region; capture TLS connect timings (see section 4). |
| Instant auth errors | Bad app-specific password, wrong Team ID, expired keychain item | Fix credentials; do not confuse with network—verify with notarytool history. |
| Accepted in log but users see Gatekeeper warnings | Stapler skipped, or the ticket was stapled to a different artifact than the one shipped | Staple the deliverable itself (.app, .dmg, or .pkg; a .zip cannot be stapled), then verify with stapler validate. |
| Intermittent HTTP 5xx from tool | Apple-side or middle-path congestion | Exponential backoff (see section 6); avoid parallel duplicate submits for the same build id. |
3. Multi-region physical Mac pool decision matrix
Label runners (for example notary:eu, notary:us-west) and route jobs by measured TLS performance from that Mac, not by where PM sits.
| Measured from candidate Mac | Pool decision | Notes |
|---|---|---|
| Median TLS connect to Apple host ≤ 80 ms, loss < 0.3% | Primary notary pool | Schedule default release and nightly signed builds here. |
| P95 TLS connect 80–200 ms, stable | Secondary / DR pool | Keep for overflow; widen CI timeout +10–20 min vs primary. |
| P95 > 200 ms or loss > 1% | Do not attach notary | Use for compile-only or route through regional relay Mac; re-measure after carrier changes. |
End-to-end iOS delivery faces the same question: where does the signed archive actually leave the network? Pool labels should follow upload paths, not org-chart regions.
4. Executable notarytool & stapler parameters
Replace placeholders. Keep secrets off the command line: either store the app-specific password once with xcrun notarytool store-credentials and pass --keychain-profile, or reference a Keychain item with the @keychain: syntax shown below. Paths assume the Xcode Command Line Tools are installed.
4.1 Baseline TLS timing from the Mac that will notarize
# Repeat during peak office hours; log to your metrics stack.
# Column 2 (time_appconnect, TLS handshake complete) is the "TLS connect" figure the section 3 matrix keys on.
for i in {1..60}; do
curl -o /dev/null -s -w "%{time_connect} %{time_appconnect} %{time_total}\n" \
"https://developer.apple.com/"
sleep 2
done | tee /tmp/apple-tls-mac.txt
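The following is an added example, not part of the original page: it reduces the log written by the loop above to P50/P95 and applies the section 3 decision matrix to the result. It assumes the three-column curl output format from 4.1 and takes packet loss as a separate argument, because the curl loop does not measure loss. The embedded sample log is constructed, not a real measurement.

```shell
#!/bin/sh
# Added example, not from the original page: turn the 4.1 curl log into P50/P95
# and apply the section 3 pool matrix. Log format assumed: one probe per line,
#   <time_connect> <time_appconnect> <time_total>   (seconds, as curl -w emits)
# Column 2 (TLS handshake complete) is the "TLS connect" the matrix keys on.
# Loss is not measured by the curl loop; pass it in as a percentage from ping/mtr.

# percentile FILE COLUMN PCT -> nearest-rank percentile of COLUMN, in whole ms
percentile() {
  sort -n -k"$2,$2" "$1" | awk -v col="$2" -v pct="$3" '
    { v[NR] = $col }
    END {
      if (NR == 0) { print "NaN"; exit 1 }
      x = pct * NR / 100
      rank = int(x); if (rank < x) rank++
      if (rank < 1) rank = 1
      printf "%.0f\n", v[rank] * 1000
    }'
}

# decide_pool P50_MS P95_MS LOSS_PCT -> primary | secondary | none
# Thresholds are the section 3 rows. The table does not say what to do with
# loss between 0.3% and 1% on a fast path; this treats it as secondary (conservative).
decide_pool() {
  awk -v p50="$1" -v p95="$2" -v loss="$3" 'BEGIN {
    if (p95 > 200 || loss > 1)   { print "none";      exit }
    if (p50 <= 80 && loss < 0.3) { print "primary";   exit }
    print "secondary"
  }'
}

# summarize_log FILE LOSS_PCT -> "P50=<ms> P95=<ms> pool=<decision>"
summarize_log() {
  p50=$(percentile "$1" 2 50)
  p95=$(percentile "$1" 2 95)
  echo "P50=$p50 P95=$p95 pool=$(decide_pool "$p50" "$p95" "$2")"
}

# Constructed sample (not real measurements): nine probes near 60 ms and one
# 250 ms tail. The median looks like a primary pool; the P95 says otherwise.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
0.021 0.058 0.140
0.022 0.061 0.151
0.020 0.059 0.138
0.023 0.063 0.149
0.021 0.057 0.137
0.022 0.062 0.146
0.021 0.060 0.142
0.024 0.064 0.155
0.098 0.250 0.610
0.021 0.058 0.139
EOF
summarize_log "$SAMPLE" 0.1   # P50=60 P95=250 pool=none
rm -f "$SAMPLE"
```

The sample is the case the page warns about: a healthy median with a geographic tail. Averages would hide it; the nearest-rank P95 does not, which is why the matrix keys on P95 for the reject row.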
4.2 Submit and block until terminal state
xcrun notarytool submit ./Release/MyApp.zip \
  --apple-id "[email protected]" \
  --password "@keychain:AC_NOTARY_PASSWORD" \
  --team-id "ABCDE12345" \
  --wait \
  --verbose
Flags: --wait keeps the process open until the submission reaches a terminal state (Accepted or Invalid); check the status line in the output rather than relying on the exit code alone, and pull the reason for an Invalid result with notarytool log. --verbose surfaces HTTP-layer retries for log correlation.
4.3 Submit without blocking (orchestrator-friendly)
xcrun notarytool submit ./Release/MyApp.zip \
  --apple-id "[email protected]" \
  --password "@keychain:AC_NOTARY_PASSWORD" \
  --team-id "ABCDE12345" \
  --verbose
# Capture submission id from stdout, then:
xcrun notarytool log <submission-id> \
  --apple-id "[email protected]" \
  --password "@keychain:AC_NOTARY_PASSWORD" \
  --team-id "ABCDE12345"
4.4 Staple and validate
xcrun stapler staple "./build/MyApp.app"
xcrun stapler validate "./build/MyApp.app"
Staple the deliverable itself (.app, .dmg, or .pkg). A .zip cannot carry a ticket, so if you submitted a zip, staple the bundle inside it and re-zip only after validate succeeds.
For a full build-to-upload narrative on remote Mac mini, walk through Building and publishing iOS apps with a remote Mac mini (2026).
5. Seven-step rollout
- Instrument every candidate Mac with the TLS loop in section 4.1 for one business week; store P50/P95 connect time.
- Create runner labels that encode region + role (for example notary-primary-eu), never generic macos-latest for release.
- Standardize one notary script checked into the repo: submit, capture submission id to artifact, staple, validate.
- Set CI timeouts to measured P99 + 25% headroom; alert when wall clock crosses warning threshold before hard kill.
- Add retry policy only for transport-class failures (see section 6), with deduplication on build id.
- Document proxy rules with security: which Apple hostnames must bypass inspection, with packet capture proof.
- Quarterly re-baseline after carrier or office SD-WAN changes; move default pool when medians shift more than 20%.
6. Quotable thresholds (starting points for SLO docs)
- Wall clock with --wait: budget 25–50 minutes for typical app archives during busy hours; enterprise monoliths or huge binaries may need more—plot your own histogram.
- CI job timeout: set hard timeout to P99 + 30–45 minutes of observed notary steps, not compile time alone.
- Retry backoff for transport errors: 3 attempts at 5 / 15 / 45 minutes before paging on-call; never parallel-submit the same artifact blindly.
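The script below is an added example, not the page's own or Apple's, of the single checked-in notary step that sections 5 and 6 ask for: deduplication on build id, submit with --wait, the submission id captured as an artifact, retries only for transport-class failures on the 5/15/45 minute schedule, then staple and validate. The environment variables (BUILD_ID, ARTIFACT_ZIP, APP_BUNDLE, NOTARY_PROFILE, NOTARY_DIR), the grep patterns used to recognise a transport failure, and the assumption that notarytool prints the id on an "id:" line are all this example's own choices, not documented behaviour.

```shell
#!/bin/sh
# Added example, not the page's own script: one checked-in notary step for a
# labeled runner, implementing sections 5 and 6. Dedup by build id, submit with
# --wait, capture the submission id as an artifact, retry only transport-class
# failures on the 5/15/45 minute schedule, then staple and validate.
# Assumed inputs (not from the page): BUILD_ID, ARTIFACT_ZIP, APP_BUNDLE and
# NOTARY_PROFILE (a profile created with `notarytool store-credentials`).
NOTARY_DIR=${NOTARY_DIR:-/tmp/notary}

# backoff_minutes ATTEMPT -> 5, 15, 45 for attempts 1-3 (section 6); 0 means stop and page
backoff_minutes() {
  case "$1" in 1) echo 5 ;; 2) echo 15 ;; 3) echo 45 ;; *) echo 0 ;; esac
}

# classify_failure LOGFILE -> transport | terminal
# The transport patterns are an assumption to tune against your own captured logs.
# Everything else (status: Invalid, auth errors, bad path) is terminal: retrying
# it only creates duplicate submission ids.
classify_failure() {
  if grep -qiE 'timed out|timeout|connection (reset|refused)|could not (connect|resolve)|HTTP(/[0-9.]+)? 5[0-9][0-9]' "$1"
  then echo transport
  else echo terminal
  fi
}

# acquire_lock BUILD_ID -> succeeds once per build id (mkdir is atomic), so two
# jobs for the same build cannot both submit
acquire_lock() {
  mkdir -p "$NOTARY_DIR" && mkdir "$NOTARY_DIR/$1.lock" 2>/dev/null
}

# submission_id LOGFILE -> first "id: <uuid>" line of notarytool's normal output (assumed layout)
submission_id() {
  sed -n 's/^[[:space:]]*id: \([0-9a-fA-F-]*\).*/\1/p' "$1" | head -n 1
}

# submit_with_retry ZIP LOGFILE -> 0 when the log shows status: Accepted, 1 otherwise
submit_with_retry() {
  attempt=1
  while :; do
    xcrun notarytool submit "$1" --keychain-profile "$NOTARY_PROFILE" --wait --verbose >"$2" 2>&1
    grep -q 'status: Accepted' "$2" && return 0
    [ "$(classify_failure "$2")" = transport ] || return 1
    delay=$(backoff_minutes "$attempt")
    [ "$delay" -gt 0 ] || return 1
    echo "attempt $attempt hit a transport failure; retrying in ${delay}m" >&2
    sleep $((delay * 60))
    attempt=$((attempt + 1))
  done
}

main() {
  acquire_lock "$BUILD_ID" || { echo "build $BUILD_ID already has a submit in flight" >&2; exit 2; }
  trap 'rmdir "$NOTARY_DIR/$BUILD_ID.lock" 2>/dev/null' EXIT
  log="$NOTARY_DIR/$BUILD_ID.notary.log"
  submit_with_retry "$ARTIFACT_ZIP" "$log" || { echo "terminal notary failure, see $log" >&2; exit 1; }
  submission_id "$log" > "$NOTARY_DIR/$BUILD_ID.submission-id"   # keep as a CI artifact
  # Staple the bundle that ships, not the zip that was uploaded
  xcrun stapler staple "$APP_BUNDLE" && xcrun stapler validate "$APP_BUNDLE"
}

# Run the pipeline only when a build id is supplied; sourcing the file just defines the functions
if [ -n "${BUILD_ID:-}" ]; then main; fi
```

Two design points matter for the failure modes in section 2. The lock directory is what stops a re-queued job from creating a second submission id for the same build while the first is still uploading, and the classifier is deliberately conservative: an unrecognised error is treated as terminal and surfaces in the log rather than being retried into a ghost failure. The fourth attempt returns a zero delay, which is the point at which section 6 says to page on-call instead of sleeping again.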
7. FAQ
Is notarytool mandatory now?
For new automation, treat it as yes. altool no longer works for notarization, so standardize on notarytool submit|log|history plus stapler in the same script.
Can I notarize from Linux or Windows?
Not with Apple’s supported CLI. You need macOS for notarytool/stapler; remote physical Mac pools exist exactly to host this step legally and reproducibly.
Does moving Mac regions violate Apple ID rules?
Follow your org’s Apple Developer Program agreements and account security policies. Operationally, keep credentials in managed keychains, rotate app-specific passwords, and audit which machines can submit.
What if only one region’s pool is healthy?
Temporarily route all notarization there, increase concurrency limits carefully, and open a carrier ticket for the bad region—your matrix in section 3 should already show which path is green.
8. Why Mac mini-class hardware fits notarization pipelines
Notarization is not CPU-heavy for long, but it is extremely sensitive to stable TLS sessions, trustworthy keychain access, and macOS-native toolchains. Apple Silicon Mac mini systems deliver strong single-thread performance for signing, unified memory for Xcode-sized workloads, and standby power on the order of a few watts—ideal for always-on regional runners.
macOS also stacks Gatekeeper, SIP, and FileVault in ways that reduce tampering risk versus ad-hoc VMs, which matters when credentials can submit software on behalf of your developer program.
If you are standardizing multi-region physical nodes specifically to shave notarization tails, a fleet of Mac mini–class machines is usually the lowest-friction way to get identical OS builds, predictable networking, and room to grow into full iOS compile clusters later.
If you want this pipeline on hardware that stays cool under 24/7 CI load, Mac mini M4 is one of the most cost-effective ways to anchor each region’s notary pool—pair it with the matrices above and promote the healthiest region to primary.
Need physical Mac nodes per region for notarization?
Rent dedicated macOS hosts close to your teams so notarytool uploads land on clean paths—without buying hardware in every country.