Lately, I’ve heard several Apple related podcasters talk about how bad Xcode is, and how Apple needs to make vibe-coding Mac and iOS apps better by making Xcode less inscrutable. They’re not wrong, but also I don’t understand why they’re even opening Xcode in the first place. With a little bit of pre-work, you can vibe code Mac and iOS apps to your heart’s content without looking at Xcode anymore.
And if you’re ever in doubt about how to make any of the following work, point Claude Code or your LLM coding tool of choice to this blog post, and let it figure it out. That’s literally its job, figuring out things you don’t want to have to.
TL;DR
Xcode.app must be installed, but it never has to be open. xcodebuild, notarytool, stapler, and devicectl all live inside Xcode and run fine from a shell.
A few one-time steps do need the GUI (or an interactive terminal): sign into your Apple ID, create a Developer ID certificate, store a notarization password. After that, builds and deploys are fully headless.
The Mac app ships via one script — scripts/release.sh — which you write once. It runs the whole chain: archive → Developer ID sign → notarize → staple → install to /Applications.
Signing is certificate-and-keychain based. The signing key lives in the login keychain; xcodebuild finds it automatically. No secrets in the repo.
The one-time setup is the only part with any friction, so let’s get it out of the way first.
Install Xcode
You do have to have Xcode installed, there’s no getting around that, because build depends on tools that live inside Xcode.app.
Once Xcode is installed, make sure it’s the selected command line toolchain, and not /Library/Developer/CommandLineTools. If the output of the check is /Applications/Xcode.app/Contents/Developer, you’re in good shape:
❯ xcode-select -p/Applications/Xcode.app/Contents/Developer
❯ xcode-select -p
/Applications/Xcode.app/Contents/Developer
If it DOES return the path for the standalone CommandLineTools instead, point it to Xcode.
sudo xcode-select -s /Applications/Xcode.app/Contents/Developer
sudo xcode-select -s /Applications/Xcode.app/Contents/Developer
NOTE: The name “Command Line Tools” can be confusing.
This is because there’s a standalone Command Line Tools package, available with xcode-select –install, which is the /Library/Developer/CommandLineTools version. This contains clang and git, but not the iOS SDK, notarytool, devicectl, and other items needed for full app development.
The complete toolchain is inside Xcode.app, at /Applications/Xcode.app/Developer, and it has everything you need. If you have Xcode installed, you don’t need the standalone Command Line Tools.
Install XcodeGen
Xcode and its command line tools aren’t enough to generate and manage Xcode projects automatically. For that, you’re going to need XcodeGen. You can download it from Github or install it using homebrew:
brew install xcodegen
brew install xcodegen
Long story short, Xcode projects are actually folders that macOS makes appear as files, and they contain everything about your project needed to create and compile your app. Xcode constantly modifies the files and file references constantly, and it creates issues for git repositories.
Xcodegen creates a project.yml (YAML) file with all your project settings, and then on every build, it recreates the entire .xcodeproj folder using that project.yml file. Only the YAML file has to be committed to git, and the whole .xcodeproj can be ignored from git’s perspective.
Configure Xcode, Once
You do need to setup Xcode initially in order to never have to look at it again.
Xcode License and Additional Components
First, either accept its license and install its additional components, or do it through the command line:
sudo xcodebuild -license acceptsudo xcodebuild -runFirstLaunch
sudo xcodebuild -license accept
sudo xcodebuild -runFirstLaunch
Setup Your Apple Developer Account in Xcode
Next, open Xcode, click on Settings → Accounts and click on + to add your account.
NOTE: You have to have a paid Apple Developer account in order to distribute and notarize your apps.
And you will want them notarized in order to install them on you Mac and iOS devices and not have the OSes decided they’re malware and delete them.
Create a Developer ID Application Certificate
Once that’s done, create a Developer ID Application certificate (Settings → Accounts → your Apple ID → Manage Certificates… → + → Developer ID Application), which creates a cert for signing the shipped .app bundle.
Please note that a Developer ID Application certificate and your Apple Development certificate are two separate things.
The Apple Development identity is for building and running on your own devices — pushing to your iPhone, local debugging. The Developer ID Application identity is for the notarized .app that survives Gatekeeper and runs on someone else’s Mac. The release script wants that second one.
Creating the certificate in Xcode installs both the certificate and its private key into your login keychain. That private key is what actually does the signing, and it cannot be re-downloaded — so don’t delete it, and back up your keychain.
When in doubt, ask your LLM of choice about them and have it help you get set up. It’s the one that’s going to be using Xcode for you anyway.
And finally,
Store a Notarization Credential — Once, in Terminal
Notarization uploads your signed app to Apple for a malware scan. notarytool authenticates using a stored keychain profile that you create once, interactively — it prompts for an app-specific password, and there’s no way around the prompt:
xcrun notarytool store-credentials App-Name \ –apple-id “[email protected]” –team-id YOUR-TEAM-ID# paste an app-specific password when prompted
xcrun notarytool store-credentials App-Name \
–apple-id “[email protected]” –team-id YOUR-TEAM-ID
# paste an app-specific password when prompted
A few things worth knowing here:
Name the profile after the app. Don’t borrow another app’s profile — it’ll work on your machine and then silently break on someone else’s.
The app-specific password is not your Apple ID password. Generate one at appleid.apple.com → Sign-In & Security → App-Specific Passwords.
These passwords go stale silently whenever you change your Apple ID password. A 401 invalid credentials out of notarization almost always means “go make a fresh app-specific password,” not “your setup is broken.”
Confirm it’s stored:
xcrun notarytool history –keychain-profile App-Name
xcrun notarytool history –keychain-profile App-Name
Side topic here, I store my app-specific passwords in a 1Password vault that Claude Code has access to. That way whenever I’m creating a new app, I can tell IT to create the notarization credential for me, and it knows to check its 1Password vault for the password. The whole point of using the LLM in the first place is to avoid doing things manually that you don’t want to do.
Setup a Local.xconfig File and Add It to .gitignore
Real signing needs your team ID and bundle prefix, and I put those in a Local.xconfig file:
cp Local.xcconfig.example Local.xcconfig# then edit Local.xcconfig to set:# BUNDLE_PREFIX = your.real.prefix# DEVELOPMENT_TEAM = YOUR-TEAM-ID
cp Local.xcconfig.example Local.xcconfig
# then edit Local.xcconfig to set:
# BUNDLE_PREFIX = your.real.prefix
# DEVELOPMENT_TEAM = YOUR-TEAM-ID
Again, if in doubt, ask Claude Code or your LLM of choice to create this for you.
Set up the Agent Tools
Create the Deploy Script
Deployment on my apps is handled via a script called release.sh that lives in a scripts folder inside the repo. Without it, I don’t have an automated build pipeline.
I had Claude Code create mine: I told Claude, more or less: I want to archive, Developer ID-sign, notarize, staple, and install this app to /Applications without ever opening Xcode. Write me a script that does the whole chain and fails loudly if any step breaks.
It didn’t need me to explain the pipeline, because the pipeline isn’t a secret — archive with xcodebuild, export with -exportArchive and an ExportOptions.plist, submit with notarytool –wait, attach the ticket with stapler, check with spctl. That’s the documented, conventional way to ship a Developer ID Mac app, and the model knows it. What it needed from me was the project-specific stuff: the scheme name, the team ID, what to call the notary profile, where to install the result.
Then it wrote a first draft, we ran it, it broke, and we fixed it. That loop is not a failure mode, it’s just the process. I always look at AI workflows as works in progress, but it doesn’t take long before you can stop tweaking things and just start working.
This is the actual script from one of my app repos:
#!/usr/bin/env bash# scripts/release.sh — produce a Developer ID-signed, notarized MY-APP-NAME.app and# install it to /Applications.## Requires (one-time): Xcode signed into your Apple ID, the paid Developer# Program, and a notarytool credential profile. Defaults to the “MY-APP-NAME”# profile; override with MY-APP-NAME_NOTARY_PROFILE=<name>.## Usage: ./scripts/release.shset -euo pipefailPROJECT=“MY-APP-NAME.xcodeproj”SCHEME=“MY-APP-NAME-macOS”APP_NAME=“MY-APP-NAME”TEAM_ID=“YOURTEAMID”NOTARY_PROFILE=“${MY-APP-NAME_NOTARY_PROFILE:-MY-APP-NAME}“BUILD_DIR=“build”ARCHIVE_PATH=“$BUILD_DIR/$APP_NAME.xcarchive”EXPORT_PATH=“$BUILD_DIR/Export”APP_PATH=“$EXPORT_PATH/$APP_NAME.app”INSTALL_DIR=“/Applications”LSREGISTER=“/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister”cd “$(dirname “$0”)/..“step() { printf “\n\033[1;36m▸ %s\033[0m\n” “$*”; }fail() { printf “\n\033[1;31m✗ %s\033[0m\n” “$*” >&2; exit 1; }step “Pre-flight”command -v xcodegen >/dev/null || fail “xcodegen not installed (brew install xcodegen).“if ! xcrun notarytool history –keychain-profile “$NOTARY_PROFILE” >/dev/null 2>&1; then fail “notarytool profile ‘$NOTARY_PROFILE’ missing. Create it with xcrun notarytool store-credentials.“fistep “Regenerating project”xcodegen generaterm -rf “$BUILD_DIR”; mkdir -p “$BUILD_DIR”step “Archiving (Release)“xcodebuild -project “$PROJECT” -scheme “$SCHEME” -configuration Release \ -derivedDataPath “$BUILD_DIR/derived” -archivePath “$ARCHIVE_PATH” \ -allowProvisioningUpdates archivestep “Exporting Developer ID-signed app”cat > “$BUILD_DIR/ExportOptions.plist” <<EOF<?xml version=“1.0” encoding=“UTF-8″?><!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”><plist version=“1.0″><dict> <key>method</key><string>developer-id</string> <key>teamID</key><string>$TEAM_ID</string> <key>signingStyle</key><string>automatic</string></dict></plist>EOFxcodebuild -exportArchive -archivePath “$ARCHIVE_PATH” -exportPath “$EXPORT_PATH” \ -exportOptionsPlist “$BUILD_DIR/ExportOptions.plist” -allowProvisioningUpdates[ -d “$APP_PATH” ] || fail “Exported app not found at $APP_PATH.“step “Notarizing (submitting to Apple, may take a few minutes)“ditto -c -k –keepParent “$APP_PATH” “$BUILD_DIR/notarize.zip”xcrun notarytool submit “$BUILD_DIR/notarize.zip” –keychain-profile “$NOTARY_PROFILE” –waitstep “Stapling ticket”xcrun stapler staple “$APP_PATH”step “Verifying Gatekeeper acceptance”spctl -a -vvv -t exec “$APP_PATH”step “Installing to $INSTALL_DIR/$APP_NAME.app”pkill -x “$APP_NAME” 2>/dev/null || truerm -rf “$INSTALL_DIR/$APP_NAME.app”cp -R “$APP_PATH” “$INSTALL_DIR/“[ -x “$LSREGISTER” ] && “$LSREGISTER” -f “$INSTALL_DIR/$APP_NAME.app” >/dev/null 2>&1 || truestep “Verifying installed bundle”xcrun stapler validate “$INSTALL_DIR/$APP_NAME.app”spctl -a -vvv -t exec “$INSTALL_DIR/$APP_NAME.app”printf “\n\033[1;32m✓ %s notarized, stapled, installed.\033[0m\n” “$APP_NAME”
#!/usr/bin/env bash
# scripts/release.sh — produce a Developer ID-signed, notarized MY-APP-NAME.app and
# install it to /Applications.
#
# Requires (one-time): Xcode signed into your Apple ID, the paid Developer
# Program, and a notarytool credential profile. Defaults to the “MY-APP-NAME”
# profile; override with MY-APP-NAME_NOTARY_PROFILE=<name>.
#
# Usage: ./scripts/release.sh
set -euo pipefail
PROJECT=“MY-APP-NAME.xcodeproj”
SCHEME=“MY-APP-NAME-macOS”
APP_NAME=“MY-APP-NAME”
TEAM_ID=“YOURTEAMID”
NOTARY_PROFILE=“${MY-APP-NAME_NOTARY_PROFILE:-MY-APP-NAME}”
BUILD_DIR=“build”
ARCHIVE_PATH=“$BUILD_DIR/$APP_NAME.xcarchive”
EXPORT_PATH=“$BUILD_DIR/Export”
APP_PATH=“$EXPORT_PATH/$APP_NAME.app”
INSTALL_DIR=“/Applications”
LSREGISTER=“/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister”
cd “$(dirname “$0″)/..”
step() { printf “\n\033[1;36m▸ %s\033[0m\n” “$*”; }
fail() { printf “\n\033[1;31m✗ %s\033[0m\n” “$*” >&2; exit 1; }
step “Pre-flight”
command -v xcodegen >/dev/null || fail “xcodegen not installed (brew install xcodegen).”