In the developer documentation Customizing the notarization workflow it states that the notarytool
supports a --webhook
flag. When the notarization is complete the Apple notarization server will send the following webhook payload to the webserver that I configured.
{
"payload": "{\"completed_time\":\"2024-02-13T17:24:37.911Z\",\"event\":\"processing-complete\",\"start_time\":\"2024-02-13T17:24:02.743Z\",\"submission_id\":\"<submission-id>\",\"team_id\":\"<team-id>\"}",
"signature": "<signature>",
"cert_chain": "<base64-certchain>"
}
My question is how can I validate that this Webhook is coming from Apple?
In that same developer documentation it states the various IP addresses that the stapler
requires access too but those are not the same addresses that the notarytool webhook results are coming from.
Presumably I should be able to use the signature to validate that the request is coming from Apple, however I have been unable to find any documentation about this webhook flag at all beyond the documentation stating that it exists.