HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

discoDSP
KVRAF
4382 posts since 18 Jul, 2002

Post Fri Sep 20, 2019 8:53 am

daniel_noiseash wrote:
Fri Sep 20, 2019 8:22 am
Today I rebuilt the Packages installer. Signed, notarized and retried the timestamp. This time I saw a successful message in Terminal after the timestamp attempt (yesterday there was no message after the timestamp attempt).
Perhaps you got lucky or Apple changed something on their side. I was never able to timestamp a pkg signed with Packages 1.2.6.

daniel_noiseash
KVRer
13 posts since 13 Feb, 2017

Post Fri Sep 20, 2019 11:06 am

discoDSP wrote:
Fri Sep 20, 2019 8:53 am
daniel_noiseash wrote:
Fri Sep 20, 2019 8:22 am
Today I rebuilt the Packages installer. Signed, notarized and retried the timestamp. This time I saw a successful message in Terminal after the timestamp attempt (yesterday there was no message after the timestamp attempt).
Perhaps you got lucky or Apple changed something on their side. I was never able to timestamp a pkg signed with Packages 1.2.6.
I think Apple changed something, did you try again lately?
Last edited by daniel_noiseash on Fri Sep 20, 2019 11:10 am, edited 1 time in total.

daniel_noiseash
KVRer
13 posts since 13 Feb, 2017

Post Fri Sep 20, 2019 11:09 am

BlueprintInc wrote:
Fri Sep 20, 2019 8:37 am
So I may need to upload a multiple gigabyte big app every time to notarize it? That's really hilarious :D
Absolutely :D :pray:

discoDSP
KVRAF
4382 posts since 18 Jul, 2002

Post Sat Sep 21, 2019 2:00 am

daniel_noiseash wrote:
Fri Sep 20, 2019 11:06 am
I think Apple changed something, did you try again lately?
No, I just signed the pkg via productsign and haven't made any test. I'll wait until Packages 1.2.7 which hopefully is going to be released in 1-2 weeks.
BlueprintInc wrote:
Fri Sep 20, 2019 8:37 am
So I may need to upload a multiple gigabyte big app every time to notarize it? That's really hilarious :D
There are ways to circumvent that. For example, downloading the content via plugin once it's installed, using an https link for the data content, etc.

daniel_noiseash
KVRer
13 posts since 13 Feb, 2017

Post Thu Sep 26, 2019 12:32 pm

I get a "notarization is successful" mail from Apple.
Then I use Terminal for the time stamp. I see this message in Terminal: "The staple and validate action worked!"
But when I check the .pkg Notarization, it's been rejected.

Could that be about timestamp? Or what am I missing? (I am using Whitebox Packages 1.2.6)

Zaphod (giancarlo)
KVRAF
2475 posts since 23 Jun, 2006

Post Thu Sep 26, 2019 3:12 pm

daniel_noiseash wrote:
Thu Sep 26, 2019 12:32 pm
I get a "notarization is successful" mail from Apple.
Then I use Terminal for the time stamp. I see this message in Terminal: "The staple and validate action worked!"
But when I check the .pkg Notarization, it's been rejected.

Could that be about timestamp? Or what am I missing? (I am using Whitebox Packages 1.2.6)
Check the log, basically it is a JSON reporting all issues.
You need timestamp, you need to remove the debug entitlement

discoDSP
KVRAF
4382 posts since 18 Jul, 2002

Post Fri Sep 27, 2019 12:56 am

I had issues with code signed PKG installers using Packages 1.2.6. After the developer himself told me secure time stamp isn't supported until 1.2.7 (which should be released this month) I used productsign and voilà, everything got fixed.

yannb
KVRer
1 posts since 3 Oct, 2019

Post Thu Oct 03, 2019 4:34 am

Hi, I have managed to notarize one .pkg thanks to your tutorial :)
I am now thinking how to automize this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem ?

discoDSP
KVRAF
4382 posts since 18 Jul, 2002

Post Thu Oct 03, 2019 9:39 am

Glad to be of help :) One issue is the notarization time after uploading to Apple's servers may vary depending on the binaries' size and the measurement for a timer is complex. There is also a validation check that could be run on a periodic basis but I can't think about an ideal solution right now.

daniel_noiseash
KVRer
13 posts since 13 Feb, 2017

Post Fri Oct 04, 2019 10:52 am

Zaphod (giancarlo) wrote:
Thu Sep 26, 2019 3:12 pm
daniel_noiseash wrote:
Thu Sep 26, 2019 12:32 pm
I get a "notarization is successful" mail from Apple.
Then I use Terminal for the time stamp. I see this message in Terminal: "The staple and validate action worked!"
But when I check the .pkg Notarization, it's been rejected.

Could that be about timestamp? Or what am I missing? (I am using Whitebox Packages 1.2.6)
Check the log, basically it is a JSON reporting all issues.
You need timestamp, you need to remove the debug entitlement
I checked the log, it says that

assessment denied for Installer_v1.2.7.pkg
com.apple.message.domain: com.apple.security.assessment.outcome2
com.apple.message.signature2: bundle:UNBUNDLED
com.apple.message.signature3: Installer_v1.2.7.pkg
com.apple.message.signature5: UNKNOWN
com.apple.message.signature4: 2
com.apple.message.signature: denied:Notarized Developer ID

daniel_noiseash
KVRer
13 posts since 13 Feb, 2017

Post Fri Oct 04, 2019 10:53 am

yannb wrote:
Thu Oct 03, 2019 4:34 am
Hi, I have managed to notarize one .pkg thanks to your tutorial :)
I am now thinking how to automize this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem ?
Which packaging tool are you using? I am using Whitebox Packages. The Apple email says that notarization is successful but when I check it, notarization is being rejected.

@discoDSP have you managed to notarize and verify successfully with Whitebox Packages? I am using productsign.

Lind0n
KVRist
92 posts since 2 Feb, 2005 from UK

Post Sat Oct 05, 2019 1:15 am

daniel_noiseash wrote:
Fri Oct 04, 2019 10:53 am
yannb wrote:
Thu Oct 03, 2019 4:34 am
Hi, I have managed to notarize one .pkg thanks to your tutorial :)
I am now thinking how to automize this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem ?
Which packaging tool are you using? I am using Whitebox Packages. The Apple email says that notarization is successful but when I check it, notarization is being rejected.

@discoDSP have you managed to notarize and verify successfully with Whitebox Packages? I am using productsign.
If you look thru the forum for recent posts about notarizing, you will see that you are best waiting for WhiteBox Packages v 1.2.7
VST/AU Developer for Hire

discoDSP
KVRAF
4382 posts since 18 Jul, 2002

Post Sat Oct 05, 2019 1:46 am

Lind0n wrote:
Sat Oct 05, 2019 1:15 am
If you look thru the forum for recent posts about notarizing, you will see that you are best waiting for WhiteBox Packages v 1.2.7
I answered him via PM. Right now a good choice is building PKG with WhiteBox Packages 1.2.6 without digital signing and after that apply the signature with productsign as described at OP. They should be notarized correctly.

daniel_noiseash
KVRer
13 posts since 13 Feb, 2017

Post Sat Oct 05, 2019 4:41 am

Lind0n wrote:
Sat Oct 05, 2019 1:15 am
daniel_noiseash wrote:
Fri Oct 04, 2019 10:53 am
yannb wrote:
Thu Oct 03, 2019 4:34 am
Hi, I have managed to notarize one .pkg thanks to your tutorial :)
I am now thinking how to automize this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem ?
Which packaging tool are you using? I am using Whitebox Packages. The Apple email says that notarization is successful but when I check it, notarization is being rejected.

@discoDSP have you managed to notarize and verify successfully with Whitebox Packages? I am using productsign.
If you look thru the forum for recent posts about notarizing, you will see that you are best waiting for WhiteBox Packages v 1.2.7
Yeah I know it is possible with version 1.2.6 because some people notarized successfully like George. If you look thru you can see it :)

daniel_noiseash
KVRer
13 posts since 13 Feb, 2017

Post Sat Oct 05, 2019 4:42 am

discoDSP wrote:
Sat Oct 05, 2019 1:46 am
Lind0n wrote:
Sat Oct 05, 2019 1:15 am
If you look thru the forum for recent posts about notarizing, you will see that you are best waiting for WhiteBox Packages v 1.2.7
I answered him via PM. Right now a good choice is building PKG with WhiteBox Packages 1.2.6 without digital signing and after that apply the signature with productsign as described at OP. They should be notarized correctly.

I am following this procedure, am I missing something?
  • Sign the plugins with codesign
  • Build the .pkg without digital signing
  • Signing the .pkg

    productsign --sign "Developer ID Installer: XXXXXXX" "/Volumes/Data/Installer v1.1.0.pkg" "/Volumes/Data/Signed/Installer v1.1.0.pkg"
  • Notarization

    xcrun altool --notarize-app -f "/Volumes/Data/Signed/Installer v1.1.0.pkg" --primary-bundle-id com.xxxxinstaller.pkg --username "xxxx" --password "xxxx"
  • After a couple of minutes, I get a "Notarization is successful" mail from Apple
  • Time Staple - The staple and validate action worked!

    xcrun stapler staple "/Volumes/Data/Signed/Installer v1.1.0.pkg"
  • Till now I don't get any error message from any of these processes
  • Now it's time for checking - Code Sign Check - it is successful - Status: signed by a certificate trusted by Mac OS X

    pkgutil --check-signature "/Volumes/Data/Signed/Installer v1.1.0.pkg"
  • But when it comes to the Notarization check - Rejected!

    spctl -a -vvv -t install "/Volumes/Data/Signed/Installer v1.1.0.pkg"

I really can't figure out why it says "rejected" at the end :/
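
Added example (not written by any poster in this thread): one way to script the steps listed in the post above for a build server, polling Apple for the result instead of waiting for the e-mail, which is the automation question raised earlier in the thread, and failing the build when the final spctl assessment says "rejected". The function names, the AC_PASSWORD and POLL_INTERVAL variables and the return codes are assumptions made for this example; `--notarization-info`, the `@env:` password form and `productsign --timestamp` are existing altool/productsign options that the thread itself does not show.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: identity, bundle id, user, paths.
# Export AC_PASSWORD first; altool reads it through "@env:" so it stays out of argv.

# Pull the request id out of `altool --notarize-app` output (stdin).
request_uuid() { sed -n 's/^.*RequestUUID = \([0-9A-Fa-f-]*\).*$/\1/p' | head -n 1; }

# Pull the "Status:" field out of `altool --notarization-info` output (stdin).
notarization_status() { sed -n 's/^ *Status: *\(.*\)$/\1/p' | head -n 1; }

# Poll Apple until the request reaches a final state. 0 = success, 1 = invalid, 2 = timeout.
wait_for_notarization() {  # args: UUID USER [INTERVAL_SECONDS] [MAX_TRIES]
    uuid=$1 user=$2 interval=${3:-30} tries=${4:-60}
    while [ "$tries" -gt 0 ]; do
        state=$(xcrun altool --notarization-info "$uuid" --username "$user" \
                    --password "@env:AC_PASSWORD" 2>&1 | notarization_status)
        case $state in
            success) return 0 ;;
            invalid) echo "rejected by the notary: read the JSON log at LogFileURL" >&2
                     return 1 ;;
        esac
        tries=$((tries - 1))
        sleep "$interval"
    done
    echo "timed out waiting for request $uuid" >&2
    return 2
}

# Sign, submit, wait, staple, then assess the package the way Gatekeeper will.
notarize_pkg() {  # args: UNSIGNED.pkg SIGNED.pkg IDENTITY BUNDLE_ID USER
    productsign --timestamp --sign "$3" "$1" "$2" || return 10
    uuid=$(xcrun altool --notarize-app -f "$2" --primary-bundle-id "$4" \
               --username "$5" --password "@env:AC_PASSWORD" 2>&1 | request_uuid)
    [ -n "$uuid" ] || { echo "upload failed: no RequestUUID returned" >&2; return 11; }
    wait_for_notarization "$uuid" "$5" "${POLL_INTERVAL:-30}" || return 12
    xcrun stapler staple "$2" || return 13
    pkgutil --check-signature "$2" >/dev/null || return 14
    spctl -a -vvv -t install "$2" || return 15  # a "rejected" verdict fails the build
}
```

Source the file and call notarize_pkg with the unsigned and signed package paths, the Developer ID Installer identity, the bundle id and the Apple ID; each distinct return code identifies the step that failed.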
