Apple developer tools are frustrating

I've never done any macOS or iOS development work myself, but over the last week at work I've been attempting to package up a Python command line utility into a single executable macOS binary, to make it easier for people to use without them having to set up a virtualenv and install various packages, etc. I feel like I'm seeing how the sausage is made, and it's maddening.

Here's just an example of the quality of the Apple developer tooling I've been dealing with, and which I assume macOS and iOS developers often have to battle with.

Essentially, when using an API key and certificate to authenticate with the notarization service, rather than an AppleID username and password, the --output-format=json option to xcrun altool now prints out a line of plaintext followed by a JSON blob instead of just a JSON blob.

I used to get this when authenticating using username and password credentials:

{"json-blob"}

Now I get this:

b'Generated JWT: xxxxxxxx\n{"json-blob"}\n\n'
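One way to cope with that output from a Python wrapper, as an added example that is not part of the original post: find the JSON document wherever it starts, and mask the token on the "Generated JWT:" line before the leftover text reaches a build log. The function name, the sample token and the JSON fields are assumptions made up for illustration.

```python
import json
import re

# Constructed sample in the shape shown above; the token and the JSON fields
# are placeholders, not real altool output.
SAMPLE = b'Generated JWT: aaaa.bbbb.cccc\n{"status": "ok", "id": "PLACEHOLDER"}\n\n'

# Matches the token that follows the "Generated JWT:" prefix on its own line.
_JWT_LINE = re.compile(r"^(Generated JWT:[ \t]*)\S+", re.MULTILINE)


def split_altool_output(raw: bytes):
    """Return (parsed_json, redacted_preamble) from captured altool stdout.

    Any plaintext printed before the JSON document is tolerated. The JSON
    object must be the last thing in the output; ValueError is raised if no
    such object exists.
    """
    text = raw.decode("utf-8", errors="replace")
    decoder = json.JSONDecoder()
    pos = text.find("{")
    while pos != -1:
        try:
            # raw_decode parses one JSON value starting at pos and reports
            # where it ended, so text before pos never has to be valid JSON.
            obj, end = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            pos = text.find("{", pos + 1)
            continue
        if not text[end:].strip():
            # Mask the token so the preamble is safe to write to a log.
            preamble = _JWT_LINE.sub(r"\1[REDACTED]", text[:pos]).strip()
            return obj, preamble
        pos = text.find("{", pos + 1)
    raise ValueError("no JSON object found in altool output")


if __name__ == "__main__":
    result, preamble = split_altool_output(SAMPLE)
    print(preamble)
    print(result)
```

The same function accepts the old behaviour (a bare JSON blob), so the wrapper does not need to know which authentication method was used.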

Another example of something basic not working as documented is the list of directories which are searched for your API private key certificate. The xcrun altool command is supposed to search the following directories for the certificate you specify:

 ./private_keys
 ~/private_keys
 ~/.private_keys
 ~/.appstoreconnect/private_keys

In reality ./private_keys is not searched.

To make things even weirder, this only seems to occur if you attempt to run xcrun altool with the --notarize-app or --upload options, although I believe the bug is actually just in the --upload code path, since --notarize-app actually prints out a JWT string and seems to then explode when I assume it attempts to upload your package for notarization.

When I first discussed this with a colleague, they came back to me saying that their certs were found correctly. It was only after we discovered that I was using the --notarize-app option and they were using the --validate-app option that we figured out that the bug was dependent upon the option passed to altool.

Luckily I found this StackOverflow post to confirm I wasn't going crazy and it's definitely a thing.