HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

e-phonic
KVRian
506 posts since 16 Sep, 2002 from Amsterdam, the Netherlands

Post Sat Oct 19, 2019 11:16 am

So, my findings are the following:
- If you are using an installer, use the method as described by George.
- If you are distributing a .vst / .component without installer, notarize the plugin.
You can do this by creating a zip file containing the plugin.
Then run:

```bash
xcrun altool --notarize-app --primary-bundle-id "com.company.vst.plugin" --username "USERNAME" --password "PASSWORD" --asc-provider "SHORT_PROVIDER_NAME" --file plugin.zip
```
You will receive the RequestUUID if all goes well.
To check the status of the RequestUUID:

```bash
xcrun altool --notarization-history 0 -u "USERNAME" -p "PASSWORD"
```
PJ

Markus Krause
KVRist
222 posts since 2 Jul, 2018

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sat Oct 19, 2019 12:45 pm

If I distribute a .vst within a .pkg, do I have to notarize both or just the .pkg that contains the .vst?
Tone2 Audiosoftware https://www.tone2.com

Richard_Synapse
KVRian
947 posts since 20 Dec, 2010

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sun Oct 20, 2019 1:17 am

Just the package should work fine. :)

Richard
Synapse Audio Software - www.synapse-audio.com

Markus Krause
KVRist
222 posts since 2 Jul, 2018

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sun Oct 20, 2019 1:29 am

Thank you Richard!

Markus
Tone2 Audiosoftware https://www.tone2.com

discoDSP
KVRAF
4390 posts since 18 Jul, 2002

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sun Oct 20, 2019 2:04 am

Does that apply to a .app contained on a .pkg too? It will be a real time saver then.

Markus Krause
KVRist
222 posts since 2 Jul, 2018

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sun Oct 20, 2019 2:35 am

We don't distribute .app within the pkg. So I did not test it.

From running tests I discovered this:

- the .vst as well as the .component both have to be code-signed. Otherwise the notarisation fails

- the vst as well as the component should not contain symbolic links. Otherwise the notarisation fails

- do not use hyphens for your passwords when you use the command-line tools and do not copy&paste Unicode text to the bash. Otherwise you will get an error message that the password is incorrect. After a couple of tries with 'incorrect' passwords you will get an error message that your developer account has been disabled
Tone2 Audiosoftware https://www.tone2.com
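
A pre-flight check for the findings reported in the post above (the bundle must be code-signed and free of symbolic links), to run before zipping the plugin for `altool`. This is an added example, not code from any poster in this thread; the function names are hypothetical, and the signature check is reported as skipped where `codesign` is not installed.

```bash
#!/usr/bin/env bash
# Pre-flight for a .vst/.component bundle before zipping it for altool.
# Added example; function names are hypothetical.

# Print every symbolic link inside the bundle, one per line.
list_symlinks() {
    find "$1" -type l -print
}

# Verify the bundle's code signature. codesign exists only on macOS, so on
# other systems the check is reported as skipped (status 2), not as passed.
check_signature() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "skip: codesign not available, signature not checked" >&2
        return 2
    fi
    codesign --verify --deep --strict "$1"
}

# Returns 1 when the bundle is missing, contains symbolic links or fails
# signature verification; returns 0 otherwise.
preflight_plugin() {
    bundle=$1
    if [ ! -d "$bundle" ]; then
        echo "fail: $bundle is not a bundle directory" >&2
        return 1
    fi
    links=$(list_symlinks "$bundle")
    if [ -n "$links" ]; then
        echo "fail: symbolic links found:" >&2
        echo "$links" >&2
        return 1
    fi
    check_signature "$bundle"
    case $? in
        0) echo "ok: $bundle is signed and has no symbolic links" ;;
        2) echo "ok: no symbolic links (signature unchecked)" ;;
        *) echo "fail: $bundle is unsigned or its signature is invalid" >&2
           return 1 ;;
    esac
}

# Run the check when a bundle path is given on the command line.
if [ "$#" -gt 0 ]; then
    preflight_plugin "$1"
fi
```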

audiothing
KVRian
1368 posts since 13 Apr, 2011

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sun Oct 20, 2019 2:49 am

> discoDSP wrote: Sun Oct 20, 2019 2:04 am
> Does that apply to a .app contained on a .pkg too? It will be a real time saver then.

Yep. From my previous post:

> The notary service generates a ticket for the top-level file that you specify, as well as each nested file. For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle.

AudioThing (VST, AU, AAX Plugins)

discoDSP
KVRAF
4390 posts since 18 Jul, 2002

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Sun Oct 20, 2019 3:25 am

Thanks guys, will update the OP ASAP with your valuable info :tu:

stian
KVRian
988 posts since 1 Jan, 2005 from Norway

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Tue Oct 22, 2019 4:04 am

Thanks for providing this info, George! If anybody is signed into multiple teams through the Apple ID, you'll get an error message that your "Apple ID account is attached to other iTunes providers" and that you'll need to specify an -itc_provider. It wasn't clear to me what an ITC provider is, but using the "Team ID" worked for me.

Best,
Stian

Richard_Synapse
KVRian
947 posts since 20 Dec, 2010

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Wed Oct 23, 2019 5:14 am

Today I noticed another problem, after successful notarization.

For a brief period I was unable to open a notarized package. Has anyone else experienced this, and does opening notarized packages require an online connection?

Richard
Synapse Audio Software - www.synapse-audio.com

Tale
KVRian
500 posts since 12 Apr, 2010 from The Netherlands

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Wed Oct 23, 2019 6:31 am

> Richard_Synapse wrote: Wed Oct 23, 2019 5:14 am
> For a brief period I was unable to open a notarized package. Has anyone else experienced this, and does opening notarized packages require an online connection?

Well, I believe that the package can be verified without an internet connection, but only when you've stapled the package. If it's not stapled, then I think you do need an internet connection.

BobDog
KVRian
718 posts since 2 Apr, 2015

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Mon Oct 28, 2019 3:46 am

> Richard_Synapse wrote: Wed Oct 23, 2019 5:14 am
> Today I noticed another problem, after successful notarization.
>
> For a brief period I was unable to open a notarized package. Has anyone else experienced this, and does opening notarized packages require an online connection?
>
> Richard

You need to staple the pkg for it to work offline.

Whoops missed earlier post!

BobDog
KVRian
718 posts since 2 Apr, 2015

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Mon Oct 28, 2019 3:55 am

I have been doing some tests here with some hosting software; this has been built with the hardened runtime to allow full compliance. Currently testing this on Mojave.

Not one of the VSTs on my system loads in 64 bit, all with code sign errors. 32 bit is fine.

All AUs load fine in both 32 and 64, so there are no codesign checks on AU, only on VST.

When calling CFBundleLoadExecutable() to load the VST, for example Buchla Easel:

```
Error loading /Library/Audio/Plug-Ins/VST/Buchla Easel V.vst/Contents/MacOS/Buchla Easel V:  dlopen(/Library/Audio/Plug-Ins/VST/Buchla Easel V.vst/Contents/MacOS/Buchla Easel V, 262): no suitable image found.  Did find:
	/Library/Audio/Plug-Ins/VST/Buchla Easel V.vst/Contents/MacOS/Buchla Easel V: code signature in (/Library/Audio/Plug-Ins/VST/Buchla Easel V.vst/Contents/MacOS/Buchla Easel V) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
```
Funny that Apple bypass this for audio units!

The same code with non-hardened runtime and no notarisation, just full signing, works absolutely fine on Catalina. I think we need to be aware, when testing stuff currently on Catalina, that Apple are not enforcing the full shitstorm yet!

adammonroe
KVRer
20 posts since 17 Oct, 2012

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Mon Oct 28, 2019 10:14 pm

Does anyone know what the deal is with AAX? Signing AU and VST seems trivial, but I can't seem to get AAX to codesign and verify that it's been codesigned, either via x-code or the terminal. Even if I did, I suspect doing the iLok signing on top of that will invalidate the original codesign when it throws the pace_eden bundle in there. Friggin' mess.

Urs
u-he
24092 posts since 8 Aug, 2002 from Berlin

Re: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

Post Thu Oct 31, 2019 6:07 am

> adammonroe wrote: Mon Oct 28, 2019 10:14 pm
> Does anyone know what the deal is with AAX? Signing AU and VST seems trivial, but I can't seem to get AAX to codesign and verify that it's been codesigned, either via x-code or the terminal. Even if I did, I suspect doing the iLok signing on top of that will invalidate the original codesign when it throws the pace_eden bundle in there. Friggin' mess.

I found that AAX plug-ins are codesigned automatically using the 5.x Eden SDK. Verifying with codesign seemed to work just fine.
