Skip to content
Latchkey

notarytool "Invalid credentials" submitting to notarization in CI

xcrun notarytool could not authenticate the notarization request. The Apple Notary Service accepts either an App Store Connect API key (key id, issuer, .p8) or an Apple ID with team id and an app-specific password; a mismatch in any field returns Invalid credentials.

What this error means

notarytool submit or notarytool store-credentials fails with "Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect" or "Invalid API key". The .dmg or .pkg never enters the notarization queue.

notarytool
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect.
Use the developer ID and a valid app-specific password, or an App Store Connect API key.

Common causes

A plain Apple ID password instead of an app-specific one

notarytool rejects the account password. Apple ID auth requires an app-specific password generated at appleid.apple.com, plus the team id.

A wrong or revoked API key trio

The key id, issuer id, or .p8 do not match an active App Store Connect API key with notarization access.

How to fix it

Store working credentials in a keychain profile

  1. Generate an app-specific password or an App Store Connect API key.
  2. Store it once with notarytool store-credentials.
  3. Reference the profile on submit so the secret is not on the command line.
Terminal
xcrun notarytool store-credentials ci-profile \
  --apple-id "$APPLE_ID" --team-id "$TEAM_ID" --password "$APP_SPECIFIC_PASSWORD"
xcrun notarytool submit App.dmg --keychain-profile ci-profile --wait

Submit with an API key instead

Pass the key trio directly when you prefer API key auth over an Apple ID password.

Terminal
xcrun notarytool submit App.dmg \
  --key AuthKey_$KEY_ID.p8 --key-id "$KEY_ID" --issuer "$ISSUER_ID" --wait

How to prevent it

  • Use an app-specific password or API key, never the raw Apple ID password.
  • Keep credentials in CI secrets and load them at runtime.
  • Verify the key has notarization access before relying on it in a release job.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →