HOWTO macOS notarization (plugins, app, pkg installers)

DSP, Plugin and Host development discussion.

Post

discoDSP wrote: Thu Feb 27, 2020 9:42 am Maybe it's because two factor authentication is off.
I've got two-factor authentication set up.

Post

Strange. Perhaps there is something related to the account that's not making the Security section appear. I'd contact Apple in this regard.

Post

OK quick question:

codesign -s "Developer ID Application: Your Name" "/path/plugin.component" --timestamp


What's "Your Name" here? My Apple Developer ID?
VST/AU Developer for Hire

Post

Lind0n wrote: Thu Feb 27, 2020 12:07 pm What's "Your Name" here? My Apple Developer ID?
I'm using Team Name (Team ID). Will update accordingly to avoid confusion, thanks.

Post

Software notarization fails, although codesign and productsign run without errors. I always get the same error: "The signature of the binary is invalid." It is currently impossible to notarize .component files.

This problem was not present when I notarized my stuff in December.

Please note that code-signing works without errors on my computer.
I also checked and passed codesign -vvv --deep --strict

{
"logFormatVersion": 1,
"jobId": "b53c7d5e-67ba-4c97-95c0-7364db008307",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "plugin.zip",
"uploadDate": "2020-02-27T18:19:25Z",
"sha256": "6ad9b8a131df05ab468984619eda6cff00eceb3078ebda336a8a8fdab2a9c1a7",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "plugin.zip/Saurus.component/Contents/MacOS/Symbiosis",
"message": "The signature of the binary is invalid.",
"docUrl": null,
"architecture": "i386"
},
{
"severity": "error",
"code": null,
"path": "plugin.zip/Saurus.component/Contents/MacOS/Symbiosis",
"message": "The signature of the binary is invalid.",
"docUrl": null,
"architecture": "x86_64"
}
]
}
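Added example, not part of the original post and not Apple's tooling: a small Python triage of a notarization log in the shape shown above, which folds the per-architecture duplicates into one finding per binary and decides whether a release should be held. The sample log is constructed from the fields visible in the post (placeholder jobId), and treating only an "Accepted" status with no error-severity issues as shippable is an assumption of this sketch.

```python
import json
# Constructed sample mirroring the log posted above (jobId is a placeholder).
SAMPLE_LOG = """
{"logFormatVersion": 1, "jobId": "00000000-0000-0000-0000-000000000000",
 "status": "Invalid", "statusSummary": "Archive contains critical validation errors",
 "statusCode": 4000, "archiveFilename": "plugin.zip", "ticketContents": null,
 "issues": [
  {"severity": "error", "code": null, "docUrl": null, "architecture": "i386",
   "path": "plugin.zip/Saurus.component/Contents/MacOS/Symbiosis",
   "message": "The signature of the binary is invalid."},
  {"severity": "error", "code": null, "docUrl": null, "architecture": "x86_64",
   "path": "plugin.zip/Saurus.component/Contents/MacOS/Symbiosis",
   "message": "The signature of the binary is invalid."}]}
"""

def path_in_archive(issue_path, archive_name):
    """Strip the leading archive name so the path points into the bundle on disk."""
    prefix = archive_name + "/"
    return issue_path[len(prefix):] if issue_path.startswith(prefix) else issue_path

def group_issues(log):
    """Collapse per-architecture duplicates into one finding per (path, message)."""
    findings = {}
    for issue in log.get("issues") or []:  # tolerate a null or missing list
        path = path_in_archive(issue.get("path") or "", log.get("archiveFilename") or "")
        entry = findings.setdefault((path, issue.get("message")),
                                    {"severity": issue.get("severity"), "archs": []})
        arch = issue.get("architecture")
        if arch and arch not in entry["archs"]:
            entry["archs"].append(arch)
        if issue.get("severity") == "error":  # an error on any slice wins
            entry["severity"] = "error"
    return findings

def release_blocked(log):
    """Assumption: only status "Accepted" with no error-severity issue may ship."""
    has_error = any(f["severity"] == "error" for f in group_issues(log).values())
    return log.get("status") != "Accepted" or has_error

def report(log_text):
    """One header line, then one line per grouped finding."""
    log = json.loads(log_text)
    lines = ["%s (%s): %s" % (log.get("status"), log.get("statusCode"), log.get("statusSummary"))]
    for (path, message), f in group_issues(log).items():
        lines.append("%s [%s] %s: %s" % (f["severity"], ",".join(f["archs"]), path, message))
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The grouped path is the file inside the bundle to inspect with codesign -vvv before re-submitting.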

Post

Markus, have you tried signing with the --timestamp flag? Apple added this requirement recently.

Post

Tried again. It does not seem to be related to the timestamp. I used --timestamp

Post

discoDSP wrote: Thu Feb 27, 2020 10:08 am Strange. Perhaps there is something related to the account that's not making the Security section appear.
Problem solved: I was making the dumb mistake of signing in to my Apple Developer account, not my Apple ID account :( I followed your instructions and my (test) installer pkg was successfully notarised on the first try. Now all I need to do is work out what all that 'stapler' stuff is about.

Post

Building towards which MacOSX Base SDK is the best choice?
(I am using MacOSX10.11.sdk)

What macOS Deployment Target is the best choice?
(I am using 10.7)

What are the minimum system requirements for my combination of Deployment Target and Base SDK?

—————————

Further findings:

If you copy a file with a post-build script, the code signing is removed.

Add --force to the arguments of your codesign command to make it re-sign something.
Example:
codesign -s 'Developer ID Application: YourName (X12234768)' Plugin.component --timestamp --force

There is also an undocumented --remove command to remove existing timestamps. However, it seems to be unreliable. You should use --force instead.

The symbiosis-AU-wrapper has no longer worked with the Notarization since February 2020. The notarization seems to be buggy. This seems to affect all plugins that use the wrapper. Plug-ins with embedded symbiosis seem to pass.

---------------

The main difficulty seems to be to pass .component files through the Notarization. To speed up the testing you can:

1) codesign the .component
codesign -s 'Developer ID Application: YourName (X12234768)' Plugin.component --timestamp --force

2) then zip it

3) Notarize it:
xcrun altool --notarize-app -f plugin.zip --primary-bundle-id com.mycompany.myplugin --username "yourname" --password "your password"

4) Check the status via command line instead of waiting for the email. If there is a 0 on top it passed.
xcrun altool --notarization-history 0 -u "your name" -p "yourpassword"

——

I hope this helps a bit to get through Apple's nightmare-disaster of Notarization. :x
Markus

Post

FYI. If you didn't get the email, Eden 5.2.1 SDK is out.

Post

Further findings:

- Since February 2020 it no longer works to have a .component file which creates files within it dynamically. It will fail the notarisation. This affects mainly wrappers that use a .VST to convert it to AU or AAX.

- Symlinks within the .component no longer work.

- codesigning does not seem to protect against hacks and viruses. I found a way to modify an existing .component file that was already codesigned. I will not post further details here in public.

Post

Markus Krause wrote: Tue Mar 03, 2020 9:31 am - codesigning does not seem to protect against hacks and viruses. I found a way to modify an existing .component file that was already codesigned. I will not post further details here in public.
In the amount of time it took us to figure this stuff out and get our products working on Catalina, hackers have surely figured out how to circumvent it. IMO, the only thing this "exercise" did was frustrate Apple customers and developers. Newcomers with new Macs probably don't care too much but people with existing systems that "upgraded" to it... :x

Post

Thank you to everyone here, especially the homie at DiscoDSP for getting this rolling. This thread was a huge help. 🙏🏼

Apple, if you are listening, this was a massive pain in the dick. I hope you all stub your toes, really, really hard.

Post

trackbout wrote: Sun Mar 08, 2020 5:02 am Thank you to everyone here, especially the homie at DiscoDSP for getting this rolling. This thread was a huge help. 🙏🏼
You're welcome :) I was also told to ask forum mods to set this thread sticky but I'm not sure about it. Thoughts?

Cheers,
George.

Post

discoDSP wrote: Sun Mar 08, 2020 10:59 am You're welcome :) I was also told to ask forum mods to set this thread sticky but I'm not sure about it. Thoughts?

Cheers,
George.
Sounds like a good idea to me. Until everyone is out of the woods on this transition we might as well make this post easy to find.
