HOWTO macOS notarization (plugins, app, pkg installers)
- KVRist
- 91 posts since 24 Dec, 2015 from Bristol, UK
audiothing wrote: Thu Nov 21, 2019 11:45 am
From that link: The notary service generates a ticket for the top-level file that you specify, as well as each nested file. For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle.
Thank you both, working well.
Wallander wrote: Thu Nov 21, 2019 12:42 pm
Actually, in this case I think you only need to notarise the .dmg. The outmost container is what's notarised.
Just to give hope to those who want to compile to 32-bit on Catalina, I have been able to compile fat binaries (32/64 bit) on Catalina with Xcode 10 (EDIT: also works in 11) in cmake by setting the DCMAKE_OSX_SYSROOT variable from the command line like so: cmake -DCMAKE_OSX_SYSROOT="path-to-earlier-sdk-that-supports-32-bit-builds" ...
- KVRian
- 1287 posts since 3 May, 2005 from Victoria, BC
For anybody having trouble scripting the notarize process I wrote a tool that will do it, you can get it here: https://github.com/FigBug/Gin/releases
If it's an App it will zip it up, notarize and then wait until finished.
On the command line just do:
Code:
notarize PATH USERNAME PASSWORD BUNDLE_ID
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
WhiteBox Packages has been updated to 1.2.7
http://s.sudre.free.fr/Software/Package ... notes.html
It added support for trusted timestamps for CMS signatures (timestamps are required to notarize a package/distribution), and codesign via the command line is not required anymore.
I will be updating the main post ASAP.
Also, it looks like notarizing a PKG should apply for all contained files (app, au, vst, vst3, etc.). Can anyone confirm? I had no issues here, but some Catalina user feedback is appreciated.
- daniel_noiseash
- KVRer
- 16 posts since 13 Feb, 2017
Hi
With the new update, I am a little bit confused.
- So if we use an installer, we don't need to notarize plugins right? Only signing is enough. Then build pkg with signed plugins... notarize.
- But if we don't use an installer, we need to notarize plugins? (As far as I know, we didn't need to notarize plugins before. But now, we need to do it?)
- KVRAF
- 2034 posts since 13 Apr, 2011 from EU
You can't notarize the plugins directly. You need to sign the plugins and then notarize either the installer or a .zip containing the plugins.
daniel_noiseash wrote: Thu Dec 19, 2019 4:53 pm
Hi
With the new update, I am a little bit confused.
- So if we use an installer, we don't need to notarize plugins right? Only signing is enough. Then build pkg with signed plugins... notarize.
Anyone confirm this?
- But if we don't use an installer, we need to notarize plugins? (As far as I know, we didn't need to notarize plugins before. But now, we need to do it?)
- daniel_noiseash
- KVRer
- 16 posts since 13 Feb, 2017
Yeah, this is the same thing that I knew before. But if you see the first post of this thread, George has revised that "plugins can be notarized". Now that makes me confused.
audiothing wrote: Thu Dec 19, 2019 5:58 pm
You can't notarize the plugins directly. You need to sign the plugins and then notarize either the installer or a .zip containing the plugins.
daniel_noiseash wrote: Thu Dec 19, 2019 4:53 pm
Hi
With the new update, I am a little bit confused.
- So if we use an installer, we don't need to notarize plugins right? Only signing is enough. Then build pkg with signed plugins... notarize.
Anyone confirm this?
- But if we don't use an installer, we need to notarize plugins? (As far as I know, we didn't need to notarize plugins before. But now, we need to do it?)
viewtopic.php?t=531663
- KVRAF
- 2034 posts since 13 Apr, 2011 from EU
As said in my previous post and in OP:
daniel_noiseash wrote: Thu Dec 19, 2019 8:22 pm
Yeah, this is the same thing that I knew before. But if you see the first post of this thread, George has revised that "plugins can be notarized". Now that makes me confused.
viewtopic.php?t=531663
You can do this by creating a zip file containing the plugin.
- KVRian
- 1010 posts since 6 Aug, 2005 from England
Sorry to bump this thread again. It's just that I keep getting locked out of my Apple account.
Can someone verify what password I'm supposed to use for the xcrun command for a pkg in the OP?
Do I go to Generate App-Specific Password and use "atool" as a label or do I use my apple account password?
I’m using the latest ‘packages’ and it’s all signed ready for notarisation.
Thanks for any help.
Dave Hoskins. http://www.quikquak.com
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
Your Apple ID password should work.
quikquak wrote: Fri Jan 03, 2020 6:37 pm
What password I'm supposed to use for the xcrun command for a pkg in the OP?
- KVRian
- 1010 posts since 6 Aug, 2005 from England
@discpDSP Thanks, what ID do you use? Is it one you log into the Dev website with, or is it 'Mac developer' or is the Installer ID? Or perhaps the code string?
Dave Hoskins. http://www.quikquak.com
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
The first one (should be the e-mail used to log in).
- KVRian
- 1010 posts since 6 Aug, 2005 from England
Wow ok thanks, I haven’t had a chance to check. Someone on the Juce forum posted a script to fire off the software and wait for a result and staple it. So hopefully I’ll be all set.
Dave Hoskins. http://www.quikquak.com
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
This one, right? https://forum.juce.com/t/apple-gatekeep ... s/29952/82
Reminder: altool needs to get its own password as described at https://support.apple.com/en-us/HT204397
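Code:
#!/bin/bash
# Usage: pass the file to notarize as $1 and its primary bundle ID as $2.
USERNAME="<my apple id username>"
PASSWORD="<the generated password>"
echo "Submitting to Apple..."
xcrun altool --notarize-app -f "$1" --primary-bundle-id "$2" --username "$USERNAME" --password "$PASSWORD" &> notarisation.result
# Take the third space-separated field of the RequestUUID line in the saved output.
ASSET_UUID=$(grep RequestUUID notarisation.result | cut -d" " -f 3)
if [[ -z "$ASSET_UUID" ]]; then
    echo "No RequestUUID returned; see notarisation.result" >&2
    exit 1
fi
echo -n "Checking result of notarisation.."
# Poll every 30 seconds. The cap of 120 tries is an added safeguard so that a
# rejected package, which never reports "Package Approved", cannot loop forever.
APPROVED=""
for ((i = 0; i < 120; i++)); do
    echo -n '.'
    # As in the original script, only altool's stderr is passed to grep.
    if [[ $(xcrun altool --notarization-info "$ASSET_UUID" --username "$USERNAME" --password "$PASSWORD" 2>&1 >/dev/null | grep -c "Package Approved") == "1" ]]; then
        APPROVED=1
        break
    fi
    sleep 30
done
echo
if [[ -z "$APPROVED" ]]; then
    echo "Package was not approved; check the notarisation status by hand." >&2
    exit 1
fi
echo "Stapling package..."
xcrun stapler staple "$1"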
Last edited by george on Thu Jan 09, 2020 8:28 pm, edited 1 time in total.
- KVRian
- 1010 posts since 6 Aug, 2005 from England
