I've got two-factor authentication set up.
HOWTO macOS notarization (plugins, app, pkg installers)
- KVRist
- 103 posts since 28 Aug, 2011 from United Kingdom
- KVRist
- 376 posts since 2 Feb, 2005 from UK
OK quick question:
codesign -s "Developer ID Application: Your Name" "/path/plugin.component" --timestamp
What's "Your Name" here? My Apple Developer ID?
VST/AU Developer for Hire
- KVRAF
- Topic Starter
- 5426 posts since 18 Jul, 2002
- KVRAF
- 1748 posts since 2 Jul, 2018
Software notarization fails, although codesign and productsign are without errors. I always get the same error "The signature of the binary is invalid." It is currently impossible to notarize .component files.
This problem was not present when I notarized my stuff in December.
Please note that code-signing works without errors on my computer.
I also checked and passed codesign -vvv --deep --strict
{
"logFormatVersion": 1,
"jobId": "b53c7d5e-67ba-4c97-95c0-7364db008307",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "plugin.zip",
"uploadDate": "2020-02-27T18:19:25Z",
"sha256": "6ad9b8a131df05ab468984619eda6cff00eceb3078ebda336a8a8fdab2a9c1a7",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "plugin.zip/Saurus.component/Contents/MacOS/Symbiosis",
"message": "The signature of the binary is invalid.",
"docUrl": null,
"architecture": "i386"
},
{
"severity": "error",
"code": null,
"path": "plugin.zip/Saurus.component/Contents/MacOS/Symbiosis",
"message": "The signature of the binary is invalid.",
"docUrl": null,
"architecture": "x86_64"
}
]
}
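Added example (not part of the original post and not Apple tooling): the log above reports the same binary once per architecture, so this Python function groups the error entries by file and message and lists the affected architectures, which tells you which binary inside the bundle to re-check with codesign. The function name, the output layout and the "rejected" rule are assumptions of this example; the sample is a trimmed copy of the posted log.

```python
import json
from collections import defaultdict

# Constructed sample: the log from the post, trimmed (jobId, sha256, dates omitted).
SAMPLE_LOG = """
{"status": "Invalid",
 "statusSummary": "Archive contains critical validation errors",
 "statusCode": 4000,
 "archiveFilename": "plugin.zip",
 "issues": [
  {"severity": "error",
   "path": "plugin.zip/Saurus.component/Contents/MacOS/Symbiosis",
   "message": "The signature of the binary is invalid.", "architecture": "i386"},
  {"severity": "error",
   "path": "plugin.zip/Saurus.component/Contents/MacOS/Symbiosis",
   "message": "The signature of the binary is invalid.", "architecture": "x86_64"}]}
"""


def summarize_notary_log(log_text):
    """Group error-severity issues by (file, message) and collect architectures."""
    log = json.loads(log_text)
    archive = log.get("archiveFilename") or ""
    grouped = defaultdict(set)
    for issue in log.get("issues") or []:  # tolerate a missing or null "issues"
        if issue.get("severity") != "error":
            continue
        path = issue.get("path") or ""
        # Drop the leading archive name so the path is relative to the upload.
        if archive and path.startswith(archive + "/"):
            path = path[len(archive) + 1:]
        grouped[(path, issue.get("message") or "")].add(issue.get("architecture"))
    failures = [
        {"path": p, "message": m, "architectures": sorted(a for a in archs if a)}
        for (p, m), archs in sorted(grouped.items())
    ]
    return {
        "status": log.get("status"),
        "summary": log.get("statusSummary"),
        # Assumption of this example: "Invalid" or any error entry means rejected.
        "rejected": log.get("status") == "Invalid" or bool(failures),
        "failures": failures,
    }


if __name__ == "__main__":
    for f in summarize_notary_log(SAMPLE_LOG)["failures"]:
        print(f["path"], f["architectures"], f["message"])
```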
- KVRAF
- 1748 posts since 2 Jul, 2018
Tried again. It does not seem to be related to the timestamp. I used --timestamp
- KVRist
- 103 posts since 28 Aug, 2011 from United Kingdom
Problem solved: I was making the dumb mistake of signing in to Apple Developer account, not my Apple ID account. I followed your instructions and my (test) installer pkg successfully notarised on the first try. Now all I need to do is work out what all that 'stapler' stuff is about.
- KVRAF
- 1748 posts since 2 Jul, 2018
Building towards which MacOSX Base SDK is the best choice?
(I am using MacOSX10.11.sdk)
What macOS Deployment Target is the best choice?
(I am using 10.7)
What are the minimum system requirements for my combination of Deployment Target and Base SDK?
—————————
Further findings:
If you copy a file with a post-build-script the code signing is removed
Add --force to the arguments of your codesign command to make it re-sign something.
Example:
codesign -s 'Developer ID Application: YourName (X12234768)' Plugin.component --timestamp --force
There is also an undocumented --remove command to remove existing timestamps. However it seems to be unreliable. You should use --force instead.
The symbiosis-AU-wrapper no longer works with the Notarization since February 2020. The notarization seems to be buggy. This seems to affect all plugins that use the wrapper. Plug-ins with embedded symbiosis seem to pass.
---------------
The main difficulty seems to be to pass .component files through the Notarization. To speed up the testing you can:
1) codesign the .component
codesign -s 'Developer ID Application: YourName (X12234768)' Plugin.component --timestamp --force
2) then zip it
3) Notarize it:
xcrun altool --notarize-app -f plugin.zip --primary-bundle-id com.mycompany.myplugin --username "yourname" --password "your password"
4) Check the status via command line instead of waiting for the email. If there is a 0 on top it passed.
xcrun altool --notarization-history 0 -u "your name" -p "yourpassword"
——
I hope this helps a bit to get through Apple's nightmare-disaster of Notarization.
Markus
- KVRian
- 872 posts since 6 Aug, 2005 from England
- KVRAF
- 1748 posts since 2 Jul, 2018
Further findings:
- Since February 2020 it no longer works to have a .component file which creates files within it dynamically. It will fail the notarisation. This affects mainly wrappers that use a .VST to convert it to AU or AAX.
- Symlinks within the .component no longer work.
- codesigning does not seem to protect against hacks and viruses. I found a way to modify an existing .component file that was already codesigned. I will not post further details here in the public.
- KVRian
- 624 posts since 30 Aug, 2012
Markus Krause wrote: ↑Tue Mar 03, 2020 9:31 am
- codesigning does not seem to protect against hacks and viruses. I found a way to modify an existing .component file that was already codesigned. I will not post further details here in the public.

In the amount of time it took us to figure this stuff out and get our products working on Catalina, hackers have surely figured out how to circumvent it. IMO, the only thing this "exercise" did was frustrate Apple customers and developers. Newcomers with new Macs probably don't care too much but people with existing systems that "upgraded" to it...
- KVRist
- 446 posts since 29 Apr, 2019
Thank you to everyone here, especially the homie at DiscoDSP for getting this rolling. This thread was a huge help.
Apple, if you are listening, this was a massive pain in the dick. I hope you all stub your toes, really, really hard.
- KVRAF
- Topic Starter
- 5426 posts since 18 Jul, 2002
- KVRist
- 446 posts since 29 Apr, 2019
Sounds like a good idea to me. Until everyone is out of the woods on this transition we might as well make this post easy to find.