HOWTO macOS notarization (plugins, app, pkg installers)
- KVRAF
- 4290 posts since 31 Oct, 2004
I'm slowly trying to understand the process of how to sign my plugins and notarize the pkg installers. So far, it seems overly complex for something that shouldn't be hard. I have the feeling that each time I want to do something, there's an added layer of complexities. It's to a point where it feels almost like a joke.
The tutorial in this thread helps a lot, but it's certainly not complete, at least not for a beginner like me.
I have the feeling that Apple wants to make the process so complex that it's not worth it for the small guys to keep developing on their OS.
The process is so convoluted that I feel like I'm chasing ghosts.
In any case, thanks to all the people who are contributing to this thread. Hopefully, there'll be a clean process to go through, otherwise I have no idea how I'll be able to release plugins on macOS in the future.
Edit: If anyone knows how to get a valid certificate in Keychain, let me know. I've been googling for a couple of hours and can't seem to find anything on the subject. Any help appreciated!
- KVRAF
- Topic Starter
- 5426 posts since 18 Jul, 2002
SampleScience wrote: ↑Tue Mar 10, 2020 3:31 am
> The tutorial in this thread helps a lot, but it's certainly not complete, at least not for a beginner like me.
Thanks, which part did you find incomplete?
> Edit: If anyone knows how to get a valid certificate in Keychain, let me know. I've been googling for a couple of hours and can't seem to find anything on the subject. Any help appreciated!
I think it can be managed through Xcode: https://help.apple.com/xcode/mac/current/#/dev154b28f09
- KVRAF
- 4290 posts since 31 Oct, 2004
discoDSP wrote: ↑Tue Mar 10, 2020 10:30 am
> SampleScience wrote: ↑Tue Mar 10, 2020 3:31 am
> > The tutorial in this thread helps a lot, but it's certainly not complete, at least not for a beginner like me.
> Thanks, which part did you find incomplete?
> > Edit: If anyone knows how to get a valid certificate in Keychain, let me know. I've been googling for a couple of hours and can't seem to find anything on the subject. Any help appreciated!
> I think it can be managed through Xcode: https://help.apple.com/xcode/mac/current/#/dev154b28f09
There must be something I'm missing because if I create a certificate, the codesign process doesn't work. So I need a certificate that is recognized by an authority, but it requires a file and data I don't have. I've searched on Google to find an answer on how to acquire a valid certificate but no luck. All I find is other developers (in other fields) with the same problem.
In any case, thank you for your reply and for the thread.
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
SampleScience wrote: ↑Tue Mar 10, 2020 4:13 pm
> There must be something I'm missing because if I create a certificate, the codesign process doesn't work. So I need a certificate that is recognized by an authority, but it requires a file and data I don't have. I've searched on Google to find an answer on how to acquire a valid certificate but no luck. All I find is other developers (in other fields) with the same problem.
> In any case, thank you for your reply and for the thread.
You need a certificate issued by Apple: https://developer.apple.com/support/code-signing/
Apple Developer Program annual fee is $99: https://developer.apple.com/support/pur ... ctivation/
- KVRAF
- 4290 posts since 31 Oct, 2004
audiothing wrote: ↑Tue Mar 10, 2020 4:28 pm
> SampleScience wrote: ↑Tue Mar 10, 2020 4:13 pm
> > There must be something I'm missing because if I create a certificate, the codesign process doesn't work. So I need a certificate that is recognized by an authority, but it requires a file and data I don't have. I've searched on Google to find an answer on how to acquire a valid certificate but no luck. All I find is other developers (in other fields) with the same problem.
> > In any case, thank you for your reply and for the thread.
> You need a certificate issued by Apple: https://developer.apple.com/support/code-signing/
> Apple Developer Program annual fee is $99: https://developer.apple.com/support/pur ... ctivation/
Thank you for your answer.
I've paid the 99$, but I don't know how to retrieve the certificate and add it to my keyring. I'm really new to all of this and I feel I'm missing things that are obvious to other people. For instance, my plugins are compiled in Maize Sampler, so how can Xcode be used to sign my plugins if I don't use it to compile? Sorry if the question is silly, but I'm really lost. I think I'll re-read the thread to see if there's something I might have overlooked.
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
SampleScience wrote: ↑Fri Mar 13, 2020 5:54 am
> Thank you for your answer.
> I've paid the 99$, but I don't know how to retrieve the certificate and add it to my keyring. I'm really new to all of this and I feel I'm missing things that are obvious to other people. For instance, my plugins are compiled in Maize Sampler, so how can Xcode be used to sign my plugins if I don't use it to compile? Sorry if the question is silly, but I'm really lost. I think I'll re-read the thread to see if there's something I might have overlooked.
To request and download your certificates, sign in to your Apple Developer account: https://developer.apple.com/
Click on the Certificates, Identifiers & Profiles link in the left menu, then click on the + sign and follow the steps to create your certificates. You need a Developer ID Application certificate for your plugins, and if you are distributing with an installer (.pkg) you also need a Developer ID Installer certificate.
You can sign your plugins via command line, check the section "PLUGIN FILES" in OP.
- KVRAF
- 4290 posts since 31 Oct, 2004
audiothing wrote: ↑Fri Mar 13, 2020 1:07 pm
> SampleScience wrote: ↑Fri Mar 13, 2020 5:54 am
> > Thank you for your answer.
> > I've paid the 99$, but I don't know how to retrieve the certificate and add it to my keyring. I'm really new to all of this and I feel I'm missing things that are obvious to other people. For instance, my plugins are compiled in Maize Sampler, so how can Xcode be used to sign my plugins if I don't use it to compile? Sorry if the question is silly, but I'm really lost. I think I'll re-read the thread to see if there's something I might have overlooked.
> To request and download your certificates, sign in to your Apple Developer account: https://developer.apple.com/
> Click on the Certificates, Identifiers & Profiles link in the left menu, then click on the + sign and follow the steps to create your certificates. You need a Developer ID Application certificate for your plugins, and if you are distributing with an installer (.pkg) you also need a Developer ID Installer certificate.
> You can sign your plugins via command line, check the section "PLUGIN FILES" in OP.
Thank you very much, I was able to retrieve my certificate with success.
However, I followed the instructions in the OP and codesigned one of my free plugins (Oberom) using the terminal, but when I test it I get the error "component damaged, can't load". At least it doesn't reject the plugin right away when scanning, a problem I had before with my other attempts.
Technically, I'm not even sure it's possible to codesign Maize-made plugins, but I see that Beatskillz has done it with his Maize-made drum modules. So I guess it's possible.
One question: when I codesign my plugin, should I wait for a confirmation that it was successfully signed? When I codesign my plugins, nothing happens. I don't get any messages in the terminal.
I've tried to sign my plugins with Hancock, a utility to sign apps visually, but it doesn't recognize my component files, it just says that there's no file there.
Any hints appreciated.
- KVRAF
- 4290 posts since 31 Oct, 2004
OK, I've re-read the whole thread again and things are getting clearer.
When I try to codesign my plugins, it doesn't work but I think it's because I'm making newbie errors. Here's what I do.
1. I have a folder named "Plugins" on my macOS desktop, my plugins are in it (as you would guess)
2. I right-click and choose "New terminal at folder"
3. I copy/paste this code, but with my personal Apple Dev information in it (Team name and Team ID) + the name of the plugin I want to code sign:
Code:
codesign -s "Developer ID Application: Team Name (Team ID)" "/path/Oberom.component" --timestamp
I get this error:
Code:
No such file or directory
I change the directory to:
Code:
/Plugins/Oberom.component
and get this error:
Code:
dquote>
I'm sure the solution is very simple for more experienced developers but at this point I've tried removing all the quotes and it didn't work. I'm stuck there. Any hints on what I'm doing would be appreciated.
- KVRAF
- 4290 posts since 31 Oct, 2004
Yeah, but I got the same result. I'll try again in case I made a silly mistake. I'm really not used to macOS at all, so even the basic use can be tricky for me.
- KVRAF
- 4290 posts since 31 Oct, 2004
I managed to codesign my plugin, but it failed the validation process when I try to load it in GarageBand. I now need to notarize my plugin by compressing it to zip and run the notarization process, but it fails because altool doesn't have an app-specific password. I generated an app-specific password in my Apple account but I have no idea how to change my altool password. I get this error when I try to notarize:
Code:
Error: Unable to validate your application. We are unable to create an authentication session.
I guess that I have to change the altool password in the terminal, but with which command? I tried doing it in the keychain, without success unfortunately.
- KVRAF
- Topic Starter
- 5426 posts since 18 Jul, 2002
I was trying to notarize a PKG that previously wasn't giving any issues. It didn't have any .app executable requiring hardened runtime and it's all just .component/.vst/.vst3 correctly code signed in a flat package.
WhiteBox Packages signs the PKG with secure time stamp but the service gives me a Status Code: 2 Package Invalid. Any ideas?
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
discoDSP wrote: ↑Sun Apr 05, 2020 12:40 pm
> I was trying to notarize a PKG that previously wasn't giving any issues. It didn't have any .app executable requiring hardened runtime and it's all just .component/.vst/.vst3 correctly code signed in a flat package.
> WhiteBox Packages signs the PKG with secure time stamp but the service gives me a Status Code: 2 Package Invalid. Any ideas?
What does the log say?
Code:
xcrun altool --notarization-info REQUEST_ID -u ACCOUNT -p PASSWORD
- KVRAF
- Topic Starter
- 5426 posts since 18 Jul, 2002
Thanks for pointing up. Several issues:
Code:
The binary is not signed with a valid Developer ID certificate.
The signature does not include a secure timestamp.
Anyway, I think I had this issue before and fix is relatively simple.
Thanks again. Really appreciated!
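The two log findings quoted in the post above can be checked locally before uploading. The following is an added example, not part of the thread or anyone's posted code: a shell function that audits the text `codesign -dvv` prints for a Developer ID Application leaf certificate and a secure timestamp. The function name `audit_report`, the keywords it prints and both sample reports (including the team ID `ABCDE12345`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the text that `codesign -dvv <bundle>` prints for the two
# problems named in the notarization log above. Sample reports are constructed.

GOOD_REPORT='Identifier=com.example.plugin
Authority=Developer ID Application: Example Team (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Apr 5, 2020 at 2:16:00 PM
TeamIdentifier=ABCDE12345'

SELF_SIGNED_REPORT='Identifier=com.example.plugin
Authority=My Test Certificate
Signed Time=Apr 5, 2020 at 2:16:00 PM
TeamIdentifier=not set'

# audit_report REPORT
# Prints one keyword per problem; the return status is the number of problems.
audit_report() {
    report=$1
    problems=0
    # The first Authority= line names the leaf (signing) certificate.
    leaf=$(printf '%s\n' "$report" | sed -n 's/^Authority=//p' | head -n 1)
    case $leaf in
        "Developer ID Application: "*) ;;
        "") echo "unsigned-or-adhoc"; problems=$((problems + 1)) ;;
        *)  echo "not-developer-id"; problems=$((problems + 1)) ;;
    esac
    # A secure (server-issued) timestamp shows up as a Timestamp= line.
    if ! printf '%s\n' "$report" | grep -q '^Timestamp='; then
        echo "no-secure-timestamp"; problems=$((problems + 1))
    fi
    return "$problems"
}

# On macOS, pass a bundle path to audit a real signature
# (codesign writes this report to stderr).
if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
    audit_report "$(codesign -dvv "$1" 2>&1)"
fi
```

A silent `codesign -s` run means the signing step itself succeeded; this audit covers what the notarization service checks afterwards.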
- KVRer
- 9 posts since 23 Jan, 2009
discoDSP wrote: ↑Sun Apr 05, 2020 2:16 pm
> Thanks for pointing up. Several issues:
> Code:
> The binary is not signed with a valid Developer ID certificate.
> The signature does not include a secure timestamp.
> This is from inside the .vst and .vst3 (/Plugin.vst3/Contents/MacOS/Plugin) path
> Anyway, I think I had this issue before and fix is relatively simple.
> Thanks again. Really appreciated!
I am having the same issue, where the .dmg I happily notarized a few weeks ago now gives me the error. The errors are pointing at a MIDI driver file that's separate from the AAX bundle. My usual method is: Create .pkg with Packages, sign .pkg with Developer ID Installer, create DMG, notarize DMG in terminal with altool. But now, whatever combination I'm trying is not working with exactly the same files as before. Very frustrating.
It seems like the MIDI driver needs to be signed separately, but does it need to be?
Thanks for any pointers.
Cheers
Vedat