syntonica wrote: Tue Mar 07, 2023 11:18 pm Xcode just sits on top of all the command line tools. Technically, once you've installed the tools, you can delete Xcode. The tools and SDKs live in /Library/Developer as copied out of the Xcode bundle.

Not exactly I think. You can install the Command Line Tools without installing Xcode, and they get installed in /Library/Developer. It's the whole purpose of that installer package. If you have Xcode, you don't need to install CLT, as they're then bundled within /Application/Xcode.app, including all the SDKs and stuff.
HOWTO macOS notarization (plugins, app, pkg installers)
- KVRist
- 362 posts since 1 Apr, 2009 from Hannover, Germany
- KVRAF
- 2469 posts since 25 Sep, 2014 from Specific Northwest
hugoderwolf wrote: Wed Mar 08, 2023 7:43 am Not exactly I think. You can install the Command Line Tools without installing Xcode, and they get installed in /Library/Developer. It's the whole purpose of that installer package. If you have Xcode, you don't need to install CLT, as they're then bundled within /Application/Xcode.app, including all the SDKs and stuff.
syntonica wrote: Tue Mar 07, 2023 11:18 pm Xcode just sits on top of all the command line tools. Technically, once you've installed the tools, you can delete Xcode. The tools and SDKs live in /Library/Developer as copied out of the Xcode bundle.

Yup, you're right. I think you can install the CLTs without installing Xcode at all. I'm still figuring this stuff out--I've allowed myself to be too dependent on Xcode.
I started on Logic 5 with a PowerBook G4 550Mhz. I now have a MacBook Air M1 and it's ~165x faster! So, why is my music not proportionally better? 
-
- KVRist
- 358 posts since 26 Jun, 2010
Just migrated from altool to notarytool, seems to work ok
In case it saves others time, here's the relevant change in my script...
Code: Select all
#xcrun altool --notarize-app --primary-bundle-id "$BUNDLEID" --username "$USERNAME" --password "$PASSWORD" --file "$FILE"
xcrun notarytool submit --apple-id "$USERNAME" --password "$PASSWORD" --team-id "$TEAMID" --wait "$FILE"
James Walker-Hall
www.newsonicarts.com
- KVRian
- 1010 posts since 6 Aug, 2005 from England
newsonicarts wrote: Sun Mar 19, 2023 12:56 pm Just migrated from altool to notarytool, seems to work ok
In case it saves others time, here's the relevant change in my script...
Code: Select all
#xcrun altool --notarize-app --primary-bundle-id "$BUNDLEID" --username "$USERNAME" --password "$PASSWORD" --file "$FILE"
xcrun notarytool submit --apple-id "$USERNAME" --password "$PASSWORD" --team-id "$TEAMID" --wait "$FILE"

Hey, I've just started to use the notarytool. Still got some weirdness.
I'm getting an error:
Help: -d <key-id> App Store Connect API Key ID. Usually alphanumeric characters.
I don't use the Apple store, is that where that comes from? And my normal ID still brings up the error above. I don't know any other 10 letter/number key to use.
Last edited by quikquak on Mon Jun 05, 2023 6:27 pm, edited 2 times in total.
Dave Hoskins. http://www.quikquak.com
- KVRAF
- 8476 posts since 12 Feb, 2006 from Helsinki, Finland
syntonica wrote: Wed Mar 08, 2023 8:12 am Yup, you're right. I think you can install the CLTs without installing Xcode at all. I'm still figuring this stuff out--I've allowed myself to be too dependent on Xcode.

If I recall correctly, take any fresh macOS system, open terminal and type "xcode-select --install" and it'll fetch and install the command line tools for you. You might have to click "agree" on some licence prompt, but that's it.
- KVRian
- 1010 posts since 6 Aug, 2005 from England
I just set up a notary keychain profile, which I can use for everything.
I followed these instructions:
And it worked perfectly, the new notarytool is a lot faster than the old way.
Dave Hoskins. http://www.quikquak.com
- KVRAF
- 1752 posts since 2 Jul, 2018
Some useful info for people on Big Sur or those who do not want to migrate their current Xcode version to Xcode 13.2 or higher (as their projects might break).
You do not need to migrate your projects to Xcode 13 to be able to use notarytool. Instead you can stick with your old Xcode version (in my case 12.5). You just need to download and install the 'Command Line Tools for Xcode 13.2' from Apple Developer.
Update:
Things seem to be buggy from Apple's side. I am getting weird errors (which can be ignored?):
objc[2131]: Class SPExecutionPolicy is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined.
objc[2131]: Class AppWrapper is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined.
...
Last edited by Markus Krause on Fri Aug 18, 2023 9:35 am, edited 1 time in total.
https://www.tone2.com
Our award-winning synthesizers offer true high-end sound quality.
- KVRAF
- 1752 posts since 2 Jul, 2018
altool will stop working on November the 1st 2023. After this date you can no longer use it. You must use notarytool instead.
Here is a short tutorial on how you can migrate from altool and notarize your stuff.
1) Compile your plugin or App
2) Codesign the App:
Code: Select all
codesign --force -s 'Developer ID Application: YourName (XYZ123456789)' -v "/YourApp.app" --deep --strict --options=runtime --timestamp
Codesign a VST3 plugin:
Code: Select all
codesign -s 'Developer ID Application: YourName (XYZ123456789)' "/YourPlugin.vst3" --timestamp --force
3) Build the installer
4) Sign the installer:
Code: Select all
sudo productsign --sign 'Developer ID Installer: YourName (XYZ123456789)' 'unsigned.pkg' 'signed.pkg'
5) Upload and notarize:
Code: Select all
xcrun notarytool submit --apple-id "your@email.com" --password "abcd-defg-hijk-lmno" --team-id "XYZ123456789" --wait signed.pkg
6) Staple
Code: Select all
sudo xcrun stapler staple signed.pkg
Note: sudo is essential here. Otherwise this won't work.
7) Test
Code: Select all
spctl -a -vvv -t install "signed.pkg"
Further notes:
Things seem to be buggy from Apple's side.
https://www.tone2.com
Our award-winning synthesizers offer true high-end sound quality.
-
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
The original post has been revised and updated, using the notary tool in place of the now-deprecated altool. This change has significantly expedited the process. Additionally, both the process and its verification are now accessible through the terminal.
-
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
Markus Krause wrote: Fri Aug 18, 2023 9:27 am 6) Staple
Code: Select all
sudo xcrun stapler staple signed.pkg
Note: sudo is essential here. Otherwise this won't work.

Works here without sudo.
-
- KVRer
- 21 posts since 25 Jan, 2013
I have been receiving a few user reports lately getting "Apple cannot check it for malicious software" errors.
These are plugins notarized with altool a few months ago (when the service was still up), and distributed directly in zip files (i.e. not stapled).
This means Apple has to reach its gatekeeper service, and I insist in the installation instructions that the Mac must be online the first time the plugin is run.
So far I have had very few problems with this approach over the years, but the recent surge of user reports and the deprecation of the altool method (which is supposed not to impact already notarized software) make me fear something might not be working properly on Apple's side.
Any similar experience out there?
EDIT: I just realized vst3/component files could indeed be stapled...
I don't know why I was convinced only pkg and dmg could be stapled, and plugins distributed in zip had to resort to online checking.
Hopefully this will solve my problem, which I am probably alone to face as the one and only stupid enough person to notarize a plugin without stapling it
-
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
fuo wrote: Fri Nov 24, 2023 11:37 pm EDIT: I just realized vst3/component files could indeed be stapled...
I don't know why I was convinced only pkg and dmg could be stapled, and plugins distributed in zip had to resort to online checking.
Hopefully this will solve my problem, which I am probably alone to face as the one and only stupid enough person to notarize a plugin without stapling it

If you choose to distribute your plugins via a simple ZIP file, it is still necessary to notarize them. While it's not possible to staple a ZIP file directly, you can staple the contents after the ZIP has been notarized and then proceed to package them.
-
- KVRer
- 21 posts since 25 Jan, 2013
Thank you for confirming this.
Do you reckon I can just run "xcrun stapler staple" on each plugin that has been notarized months ago and it will work as intended?
The command does report a success and puts a 1.6KB "CodeResources" file in the "Contents" directory. I simply hope it is okay to staple software that was notarized with a now deprecated method.
-
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
It should work as intended. The command's success and the addition of a 1.6KB "CodeResources" file to the "Contents" directory are positive indicators. It should be acceptable to staple software that was notarized using a method that is now deprecated, provided the notarization remains valid. However, notarizing and stapling with the latest tools is indeed a wise approach to ensure safety.
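The upload, staple and test steps of the tutorial earlier in the thread and the ZIP flow from the last few posts, combined into one script as an added example (not code from any poster). It assumes a keychain profile with the hypothetical name `notary-profile`, as mentioned earlier in the thread, so no password appears on the command line, and it assumes notarytool's JSON output carries a `"status"` field, which it checks before stapling.

```shell
#!/bin/sh
# Added example, not from the thread. One-time setup (prompts for the
# app-specific password and stores it in the keychain):
#   xcrun notarytool store-credentials "notary-profile" \
#       --apple-id "your@email.com" --team-id "XYZ123456789"
# "notary-profile" is a hypothetical profile name.
PROFILE="${NOTARY_PROFILE:-notary-profile}"

# Pull the "status" value out of notarytool's JSON output (read on stdin).
notary_status() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Submit one file; succeed only if the service reports "Accepted".
submit_and_check() {
    out=$(xcrun notarytool submit "$1" --keychain-profile "$PROFILE" \
            --wait --output-format json) || return 1
    st=$(printf '%s\n' "$out" | notary_status)
    [ "$st" = "Accepted" ] && return 0
    echo "notarization status: ${st:-unknown}" >&2
    echo "details: xcrun notarytool log <submission-id> --keychain-profile $PROFILE" >&2
    return 2
}

# .pkg: submit, staple and assess the installer itself.
# Bundle (.vst3/.component/.app): submit a temporary ZIP, staple the bundle,
# then build the ZIP that ships from the already stapled bundle.
notarize_and_staple() {
    target="$1"; dist_zip="${2:-}"
    case "$target" in
        *.pkg)
            submit_and_check "$target" || return $?
            xcrun stapler staple "$target" && xcrun stapler validate "$target" || return 3
            spctl -a -vvv -t install "$target" || return 4 ;;
        *.vst3|*.component|*.app)
            tmp_zip="${TMPDIR:-/tmp}/notarize-$$.zip"
            ditto -c -k --keepParent "$target" "$tmp_zip" || return 1
            submit_and_check "$tmp_zip"; sub_rc=$?
            rm -f "$tmp_zip"
            [ "$sub_rc" -eq 0 ] || return "$sub_rc"
            xcrun stapler staple "$target" && xcrun stapler validate "$target" || return 3
            [ -z "$dist_zip" ] || ditto -c -k --keepParent "$target" "$dist_zip" || return 4 ;;
        *)  echo "unsupported target: $target" >&2; return 1 ;;
    esac
}

# Run only when a target is given on a machine that has xcrun.
if [ "$#" -gt 0 ] && command -v xcrun >/dev/null 2>&1; then
    notarize_and_staple "$@"
fi
```

For a bundle that was already notarized earlier, only the `stapler staple` and `stapler validate` calls are needed before re-zipping.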
