HOWTO macOS notarization (plugins, app, pkg installers)

[Markus Krause]

...and waste lots of development time by jumping though many hoops to make it work

[e-phonic]

AFAIK Plugins are not required/able to be notarized but they have to be digitally signed else they won't load in the DAW.

As far I know, plugins also need to be notarized. I couldn't run my signed plugins after they are downloaded from the internet. After notarization they run fine.

PJ

[george]

AFAIK Plugins are not required/able to be notarized but they have to be digitally signed else they won't load in the DAW.

As far I know, plugins also need to be notarized. I couldn't run my signed plugins after they are downloaded from the internet. After notarization they run fine.

PJ

Are you referring to .app or .component/vst/vst3/aax?

I have the latter signed only and they run fine on Catalina.

[Markus Krause]

To be safe that the notarized software works:
Is is sufficient to run only the check "spctl -a -vvv -t install "/Users/home/Desktop/Install.pkg"
or do i have to first upload then download and install it?

[george]

Is is sufficient to run only the check "spctl -a -vvv -t install "/Users/home/Desktop/Install.pkg"

I think it should be enough.

[Markus Krause]

Thanks a lot for all your info!

Markus

[e-phonic]

AFAIK Plugins are not required/able to be notarized but they have to be digitally signed else they won't load in the DAW.

As far I know, plugins also need to be notarized. I couldn't run my signed plugins after they are downloaded from the internet. After notarization they run fine.

PJ

Are you referring to .app or .component/vst/vst3/aax?

I have the latter signed only and they run fine on Catalina.

It’s a .vst.
When it’s signed it seems to run fine first. But when I upload it and download it again, it will not run anymore. I’ve read somewhere in the documentation that all software needs to be notarized. They specifically mention plugins too.

[george]

What's the host? No issues like that here with only signed plugin files.

I don't think .component/.vst/.vst3/.aax can be notarized. Only .app and .pkg.

[e-phonic]

I tested in Reaper and Studio One.
You can notarize a plugin by zipping it and using the commandline tool to send it to the notarization service.

You can find some info about notarizing plugins here:
https://developer.apple.com/documentati ... n_workflow

[Richard_Synapse]

Our plugins seem to work fine under OS X 10.15 thus far, seems we just need to update all the packages/installers. I'm not sure how/why Studio One or Reaper would check notarization? Perhaps your problem is simply that you don't use an installer.

Richard

[e-phonic]

Hmmm. Not sure too. And yes, I’m not using an installer. It’s just a vst file that needs to be copied to the VST folder. I started getting emails from users about ‘unidentified developer’ popups blocking the loading of Drumatic after updating to Catalina. I tried signing the plugin first. That didn’t resolve the issue for plugins that were downloaded from my website. Then after notarizing, all issues are fixed.

[Sam-U]

I'm not sure how/why Studio One or Reaper would check notarization?

Probably a noob question: if the DAW doesn't check the notarization, what'S the use of notarization and how does that prevent piracy? Couldn't you just provide cracked plugin binaries without any installer like in a zip file or so?

[audiothing]

You can find some info about notarizing plugins here:
https://developer.apple.com/documentati ... n_workflow

From that link:

The notary service generates a ticket for the top-level file that you specify, as well as each nested file. For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle.

I only submit the dmg with a pkg installer containing the plugins and I can confirm that the PKG gets notarized as well. If I check the notarization for the plugins with the command

Code: Select all

spctl --assess --verbose 

I get this:

Code: Select all

rejected (the code is valid but does not seem to be an app)

I don't know if there's a specific command to check notarization for plugins, but according to that document, by submitting a pkg or a dmg with a pkg inside, we should be good to go.

[Richard_Synapse]

Probably a noob question: if the DAW doesn't check the notarization, what'S the use of notarization and how does that prevent piracy? Couldn't you just provide cracked plugin binaries without any installer like in a zip file or so?

Good question, interestingly this does not seem to be working as e-phonic wrote above. Perhaps there is a mechanism in OS X 10.15 blocking Audio Units that have not been installed via a notarized package.

Richard

[mystran]

Our plugins seem to work fine under OS X 10.15 thus far, seems we just need to update all the packages/installers. I'm not sure how/why Studio One or Reaper would check notarization? Perhaps your problem is simply that you don't use an installer.

I would imagine (and a Google search seems to support this) that the runtime just fails dlopen() if you try load something that Gatekeeper isn't happy with.

That said, what seems fundamentally broken about this whole concept (as far as audio plugins go) is that plugins apparently don't get to have any entitlements, so if you need to do something like dynamic code generation that the runtime isn't happy with by default, then it looks like you will have to convince every host vendor to add the relevant entitlements to their application.