HOWTO macOS notarization (plugins, app, pkg installers)

[AnalogObsession]

Just checked log file and there are 2 errors.

"The binary is no signed with a valid Developer ID certificate"

"The signature does not include a secure timestamp"

But i did everything correct... Missing something?

Edit

Solved the issue. It was my bad. Used wrong cert.

But, Packages can't include timestamp and sign .pkg with correct cert. I had to manually sign .pkg file.

[discoDSP]

Packages can't include timestamp and sign .pkg with correct cert. I had to manually sign .pkg file.

Latest Whitebox Packages release has no issues with certificated signing.

[Fender19]

It sometimes seems that Apple made this process as difficult and convoluted as possible.

For example, you can't notarize individual plugin binaries - they have to be zipped first and then notarized.

But then you can't STAPLE that notarized zip file - you have to extract the notarized plugin binaries first - then staple - then re-zip.

WTF?

[quikquak]

I've started to not use zip files anymore for installers, it's a waste of time and possibly confusing for computer-illiterate Apple users.

[Lind0n]

OK I've been following the thread with trepidation/interest - now its time to start this whole process. First what I'm using:

Mojave
XCode 10
WhiteBox Packages 1.2.7
Apple Developer account/ID

What I want to distribute (all in the same single pkg....):
- AU
- VST
- Stand-Alone app
- a bunch of support files (none of them are executables)

What I think I need to do:

Codesign the AU
Codesign the VST
Codesign and Hardened Runtime enabled for the Stand-Alone App

Then I create the pkg, and submit that for notorization.
Then I staple the PKG

...and then I can zip this pkg up and load it onto the server

OK so where is this plan wrong?

[Tale]

OK so where is this plan wrong?

It isn't.

[FigBug]

.pkg are already compressed, why zip it?

[discoDSP]

Yep, you can submit .pkg directly. No need to zip.

[Lind0n]

OK great, didn't realise that about the pkg - thinking about it that make sense. So one less problem as a few Mac customers have had problems with zip files...

But thinking about it I realise I zip up the package as part of a bigger deliverable that includes the other materials and the windows installer... so zip is what its gotta be to have only one download archive...so thats why "zip the pkg"

[discoDSP]

I have received a PM with a heads up regarding timestamp now being a requirement for plugin files (.component, .vst, .vst3)
https://developer.apple.com/documentati ... es#3087733

Terminal commands for the first page have been updated accordingly.

It's yet to be confirmed that previously notarized stuff without timestamp still works properly.

[quikquak]

I got tripped up by Xcode using 'Mac Developer' instead of the correct 'Developer ID Application'
Mac Developer worked before, but they like moving goal posts.

[kv331]

A very big thank you for your contribution, George.

+1

[discoDSP]

Thank you! Appreciated

[SPC Plugins]

Thank you for posting these instructions

• Create a specific altool password.

I'm stuck on this part. On the linked Apple Developer page it says:

1. Sign in to your Apple ID account page.
2. In the Security section, click Generate Password below App-Specific Passwords.

I don't see any 'security' section on my developer account?

[discoDSP]

I don't see any 'security' section on my developer account?

Maybe it's because two factor authentication is off.

Screenshot 2020-02-27 at 10.41.07.png