HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

DSP, Plug-in and Host development discussion.
Markus Krause
KVRist
218 posts since 2 Jul, 2018

Post Wed Oct 16, 2019 6:54 am

...and waste lots of development time by jumping though many hoops to make it work
Tone2 Audiosoftware https://www.tone2.com

e-phonic
KVRian
506 posts since 16 Sep, 2002 from Amsterdam, the Netherlands

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Fri Oct 18, 2019 9:53 pm

discoDSP wrote:
Sat Sep 14, 2019 4:26 am

AFAIK Plugins are not required/able to be notarized but they have to be digitally signed else they won't load in the DAW.
As far I know, plugins also need to be notarized. I couldn't run my signed plugins after they are downloaded from the internet. After notarization they run fine.

PJ

User avatar
discoDSP
KVRAF
4389 posts since 18 Jul, 2002

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 12:17 am

e-phonic wrote:
Fri Oct 18, 2019 9:53 pm
discoDSP wrote:
Sat Sep 14, 2019 4:26 am

AFAIK Plugins are not required/able to be notarized but they have to be digitally signed else they won't load in the DAW.
As far I know, plugins also need to be notarized. I couldn't run my signed plugins after they are downloaded from the internet. After notarization they run fine.

PJ
Are you referring to .app or .component/vst/vst3/aax?

I have the latter signed only and they run fine on Catalina.

Markus Krause
KVRist
218 posts since 2 Jul, 2018

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 1:56 am

To be safe that the notarized software works:
Is is sufficient to run only the check "spctl -a -vvv -t install "/Users/home/Desktop/Install.pkg"
or do i have to first upload then download and install it?
Tone2 Audiosoftware https://www.tone2.com

User avatar
discoDSP
KVRAF
4389 posts since 18 Jul, 2002

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 2:17 am

Markus Krause wrote:
Sat Oct 19, 2019 1:56 am
Is is sufficient to run only the check "spctl -a -vvv -t install "/Users/home/Desktop/Install.pkg"
I think it should be enough.

Markus Krause
KVRist
218 posts since 2 Jul, 2018

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 2:18 am

Thanks a lot for all your info!

Markus
Tone2 Audiosoftware https://www.tone2.com

e-phonic
KVRian
506 posts since 16 Sep, 2002 from Amsterdam, the Netherlands

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 2:36 am

discoDSP wrote:
Sat Oct 19, 2019 12:17 am
e-phonic wrote:
Fri Oct 18, 2019 9:53 pm
discoDSP wrote:
Sat Sep 14, 2019 4:26 am

AFAIK Plugins are not required/able to be notarized but they have to be digitally signed else they won't load in the DAW.
As far I know, plugins also need to be notarized. I couldn't run my signed plugins after they are downloaded from the internet. After notarization they run fine.

PJ
Are you referring to .app or .component/vst/vst3/aax?

I have the latter signed only and they run fine on Catalina.
It’s a .vst.
When it’s signed it seems to run fine first. But when I upload it and download it again, it will not run anymore. I’ve read somewhere in the documentation that all software needs to be notarized. They specifically mention plugins too.

User avatar
discoDSP
KVRAF
4389 posts since 18 Jul, 2002

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 3:15 am

What's the host? No issues like that here with only signed plugin files.

I don't think .component/.vst/.vst3/.aax can be notarized. Only .app and .pkg.

e-phonic
KVRian
506 posts since 16 Sep, 2002 from Amsterdam, the Netherlands

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 4:49 am

I tested in Reaper and Studio One.
You can notarize a plugin by zipping it and using the commandline tool to send it to the notarization service.

You can find some info about notarizing plugins here:
https://developer.apple.com/documentati ... n_workflow

User avatar
Richard_Synapse
KVRian
945 posts since 20 Dec, 2010

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 6:43 am

Our plugins seem to work fine under OS X 10.15 thus far, seems we just need to update all the packages/installers. I'm not sure how/why Studio One or Reaper would check notarization? Perhaps your problem is simply that you don't use an installer.

Richard
Synapse Audio Software - www.synapse-audio.com

e-phonic
KVRian
506 posts since 16 Sep, 2002 from Amsterdam, the Netherlands

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 6:53 am

Hmmm. Not sure too. And yes, I’m not using an installer. It’s just a vst file that needs to be copied to the VST folder. I started getting emails from users about ‘unidentified developer’ popups blocking the loading of Drumatic after updating to Catalina. I tried signing the plugin first. That didn’t resolve the issue for plugins that were downloaded from my website. Then after notarizing, all issues are fixed.
Last edited by e-phonic on Sat Oct 19, 2019 6:56 am, edited 1 time in total.

Sam-U
KVRist
65 posts since 8 Jan, 2018

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 6:54 am

Richard_Synapse wrote:
Sat Oct 19, 2019 6:43 am
I'm not sure how/why Studio One or Reaper would check notarization?
Probably a noob question: if the DAW doesn't check the notarization, what'S the use of notarization and how does that prevent piracy? Couldn't you just provide cracked plugin binaries without any installer like in a zip file or so?

User avatar
audiothing
KVRian
1366 posts since 13 Apr, 2011

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 7:38 am

e-phonic wrote:
Sat Oct 19, 2019 4:49 am
You can find some info about notarizing plugins here:
https://developer.apple.com/documentati ... n_workflow
From that link:
The notary service generates a ticket for the top-level file that you specify, as well as each nested file. For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle.
I only submit the dmg with a pkg installer containing the plugins and I can confirm that the PKG gets notarized as well. If I check the notarization for the plugins with the command

Code: Select all

spctl --assess --verbose 
I get this:

Code: Select all

rejected (the code is valid but does not seem to be an app)
I don't know if there's a specific command to check notarization for plugins, but according to that document, by submitting a pkg or a dmg with a pkg inside, we should be good to go. :shrug:
AudioThing (VST, AU, AAX Plugins)
Instagram | Facebook | Twitter

User avatar
Richard_Synapse
KVRian
945 posts since 20 Dec, 2010

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 8:48 am

Sam-U wrote:
Sat Oct 19, 2019 6:54 am
Probably a noob question: if the DAW doesn't check the notarization, what'S the use of notarization and how does that prevent piracy? Couldn't you just provide cracked plugin binaries without any installer like in a zip file or so?
Good question, interestingly this does not seem to be working as e-phonic wrote above. Perhaps there is a mechanism in OS X 10.15 blocking Audio Units that have not been installed via a notarized package.

Richard
Synapse Audio Software - www.synapse-audio.com

mystran
KVRAF
5432 posts since 12 Feb, 2006 from Helsinki, Finland

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 9:22 am

Richard_Synapse wrote:
Sat Oct 19, 2019 6:43 am
Our plugins seem to work fine under OS X 10.15 thus far, seems we just need to update all the packages/installers. I'm not sure how/why Studio One or Reaper would check notarization? Perhaps your problem is simply that you don't use an installer.
I would imagine (and a Google search seems to support this) that the runtime just fails dlopen() if you try load something that Gatekeeper isn't happy with.

That said, what seems fundamentally broken about this whole concept (as far as audio plugins go) is that plugins apparently don't get to have any entitlements, so if you need to do something like dynamic code generation that the runtime isn't happy with by default, then it looks like you will have to convince every host vendor to add the relevant entitlements to their application.
If you'd like Signaldust to return, please ask Katinka Tuisku to resign.

Return to “DSP and Plug-in Development”