HOWTO macOS notarization (plugins, app, pkg installers)

Post

I'm slowly trying to understand the process of how to sign my plugins and notarize the pkg installers. So far, it seems overly complex for something that shouldn't be hard. I have the feeling that each time I want to do something, there's an added layer of complexities. It's to a point where it feels almost like a joke.

The tutorial in this thread helps a lot, but it's certainly not complete, at least not for a beginner like me.

I have the feeling that Apple wants to make the process so complex that it's not worth it for the small guys to keep developing on their OS.

The process is so convoluted that I feel like I'm chasing ghosts.

In any case, thanks to all the people who are contributing to this thread. Hopefully, there'll be a clean process to go through, otherwise I have no idea how I'll be able to release plugins on macOS in the future.

Edit: If anyone knows how to get a valid certificate in Keychain, let me know. I've been googling for a couple of hours and can't seem to find anything on the subject. Any help appreciated!

Post

SampleScience wrote: Tue Mar 10, 2020 3:31 am The tutorial in this thread helps a lot, but it's certainly not complete, at least not for a beginner like me.
Thanks, which part did you find incomplete?
Edit: If anyone knows how to get a valid certificate in Keychain, let me know. I've been googling for a couple of hours and can't seem to find anything on the subject. Any help appreciated!
I think it can be managed through Xcode: https://help.apple.com/xcode/mac/current/#/dev154b28f09

Post

discoDSP wrote: Tue Mar 10, 2020 10:30 am
SampleScience wrote: Tue Mar 10, 2020 3:31 am The tutorial in this thread helps a lot, but it's certainly not complete, at least not for a beginner like me.
Thanks, which part did you find incomplete?
Edit: If anyone knows how to get a valid certificate in Keychain, let me know. I've been googling for a couple of hours and can't seem to find anything on the subject. Any help appreciated!
I think it can be managed through Xcode: https://help.apple.com/xcode/mac/current/#/dev154b28f09
There must be something I'm missing because if I create a certificate, the codesign process doesn't work. So I need a certificate that is recognized by an authority, but it requires a file and data I don't have. I've searched on Google to find an answer on how to acquire a valid certificate but no luck. All I find is other developers (in other fields) with the same problem.

In any case, thank you for your reply and for the thread.

Post

SampleScience wrote: Tue Mar 10, 2020 4:13 pm There must be something I'm missing because if I create a certificate, the codesign process doesn't work. So I need a certificate that is recognized by an authority, but it requires a file and data I don't have. I've searched on Google to find an answer on how to acquire a valid certificate but no luck. All I find is other developers (in other fields) with the same problem.

In any case, thank you for your reply and for the thread.
You need a certificate issued by Apple: https://developer.apple.com/support/code-signing/
Apple Developer Program annual fee is $99: https://developer.apple.com/support/pur ... ctivation/
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

audiothing wrote: Tue Mar 10, 2020 4:28 pm
SampleScience wrote: Tue Mar 10, 2020 4:13 pm There must be something I'm missing because if I create a certificate, the codesign process doesn't work. So I need a certificate that is recognized by an authority, but it requires a file and data I don't have. I've searched on Google to find an answer on how to acquire a valid certificate but no luck. All I find is other developers (in other fields) with the same problem.

In any case, thank you for your reply and for the thread.
You need a certificate issued by Apple: https://developer.apple.com/support/code-signing/
Apple Developer Program annual fee is $99: https://developer.apple.com/support/pur ... ctivation/
Thank you for your answer.

I've paid the 99$, but I don't know how to retrieve the certificate and add it to my keyring. I'm really new to all of this and I feel I'm missing things that are obvious to other people. For instance, my plugins are compiled in Maize Sampler, so how can Xcode be used to sign my plugins if I don't use it to compile? Sorry if the question is silly, but I'm really lost. I think I'll re-read the thread to see if there's something I might have overlooked.

Post

SampleScience wrote: Fri Mar 13, 2020 5:54 am Thank you for your answer.

I've paid the 99$, but I don't know how to retrieve the certificate and add it to my keyring. I'm really new to all of this and I feel I'm missing things that are obvious to other people. For instance, my plugins are compiled in Maize Sampler, so how can Xcode be used to sign my plugins if I don't use it to compile? Sorry if the question is silly, but I'm really lost. I think I'll re-read the thread to see if there's something I might have overlooked.
To request and download your certificates, sign in to your Apple Developer account: https://developer.apple.com/
Click on the Certificates, Identifiers & Profiles link in the left menu, then click on the + sign and follow the steps to create your certificates. You need a Developer ID Application certificate for your plugins, and if you are distributing with an installer (.pkg) you also need a Developer ID Installer certificate.

You can sign your plugins via command line, check the section "PLUGIN FILES" in OP.

Post

audiothing wrote: Fri Mar 13, 2020 1:07 pm
SampleScience wrote: Fri Mar 13, 2020 5:54 am Thank you for your answer.

I've paid the 99$, but I don't know how to retrieve the certificate and add it to my keyring. I'm really new to all of this and I feel I'm missing things that are obvious to other people. For instance, my plugins are compiled in Maize Sampler, so how can Xcode be used to sign my plugins if I don't use it to compile? Sorry if the question is silly, but I'm really lost. I think I'll re-read the thread to see if there's something I might have overlooked.
To request and download your certificates, sign in to your Apple Developer account: https://developer.apple.com/
Click on the Certificates, Identifiers & Profiles link in the left menu, then click on the + sign and follow the steps to create your certificates. You need a Developer ID Application certificate for your plugins, and if you are distributing with an installer (.pkg) you also need a Developer ID Installer certificate.

You can sign your plugins via command line, check the section "PLUGIN FILES" in OP.
Thank you very much, I was able to retrieve my certificate with success. :tu:

However, I followed the instructions in the OP and codesigned one of my free plugins (Oberom) using the terminal, but when I test it I get the error "component damaged, can't load". At least it doesn't reject the plugin right away when scanning, a problem I had before with my other attempts.

Technically, I'm not even sure it's possible to codesign Maize-made plugins, but I see that Beatskillz has done it with his Maize-made drum modules. So I guess it's possible.

One question: when I codesign my plugin, should I wait for a confirmation that it was successfully signed? When I codesign my plugins, nothing happens. I don't get any messages in the terminal.

I've tried to sign my plugins with Hancock, a utility to sign apps visually, but it doesn't recognize my component files, it just says that there's no file there.

Any hints appreciated. :ud:

Post

OK, I've re-read the whole thread again and things are getting clearer.

When I try to codesign my plugins, it doesn't work but I think it's because I'm making newbie errors. Here's what I do.

1. I have a folder named "Plugins" on my macOS desktop, my plugins are in it (as you would guess)
2. I right-click and choose "New terminal at folder"
3. I copy/paste this code, but with my personal Apple Dev information in it (Team name and Team ID) + the name of the plugin I want to code sign:

Code:

codesign -s "Developer ID Application: Team Name (Team ID)" "/path/Oberom.component" --timestamp

I get this error:

Code:

No such file or directory

I change the directory to:

Code:

/Plugins/Oberom.component

and get this error:

Code:

dquote>

I'm sure the solution is very simple for more experienced developers but at this point I've tried removing all the quotes and it didn't work. I'm stuck there. Any hints on what I'm doing would be appreciated. :)

Post

It appears the file path to your plugin.component file is not right. Did you try right-clicking on the component file to get the path directly from the system?

Post

Fender19 wrote: Sun Mar 15, 2020 5:29 pm It appears the file path to your plugin.component file is not right. Did you try right-clicking on the component file to get the path directly from the system?
Yeah, but I got the same result. I'll try again in case I made a silly mistake. I'm really not used to macOS at all, so even the basic use can be tricky for me.

Post

I managed to codesign my plugin, but it failed the validation process when I tried to load it in GarageBand. I now need to notarize my plugin by compressing it to zip and running the notarization process, but it fails because altool doesn't have an app-specific password. I generated an app-specific password in my Apple account but I have no idea how to change my altool password. I get this error when I try to notarize:

Code:

Error: Unable to validate your application. We are unable to create an authentication session.

I guess that I have to change the altool password in the terminal, but with which command? I tried doing it in the keychain, without success unfortunately. :? :help:

Post

I was trying to notarize a PKG that previously wasn't giving any issues. It didn't have any .app executable requiring hardened runtime and it's all just .component/.vst/.vst3 correctly code signed in a flat package.

WhiteBox Packages signs the PKG with secure time stamp but the service gives me a Status Code: 2 Package Invalid. Any ideas?

Post

discoDSP wrote: Sun Apr 05, 2020 12:40 pm I was trying to notarize a PKG that previously wasn't giving any issues. It didn't have any .app executable requiring hardened runtime and it's all just .component/.vst/.vst3 correctly code signed in a flat package.

WhiteBox Packages signs the PKG with secure time stamp but the service gives me a Status Code: 2 Package Invalid. Any ideas?
What does the log say?

Code:

xcrun altool --notarization-info REQUEST_ID -u ACCOUNT -p PASSWORD

You should get a LogFileURL with more info on each error in the bundle.

Post

audiothing wrote: Sun Apr 05, 2020 2:08 pm What does the log say?
Thanks for pointing that out. Several issues:

Code:

The binary is not signed with a valid Developer ID certificate.
The signature does not include a secure timestamp.

This is from inside the .vst and .vst3 (/Plugin.vst3/Contents/MacOS/Plugin) path :shock:
Anyway, I think I had this issue before and the fix is relatively simple.
Thanks again. Really appreciated!
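
Added example, not part of any post in this thread: a Python sketch that groups the errors from the JSON log behind LogFileURL by the bundle that contains them, so it is clear which nested bundles still need a Developer ID signature with a secure timestamp before the package is rebuilt. The field names (`issues`, `severity`, `path`, `message`) follow Apple's notarization log format; the sample log, its paths and the helper names are constructed for illustration.

```python
import json
from collections import defaultdict

# Bundle types named in this thread, plus .aaxplugin and .app.
BUNDLE_SUFFIXES = (".component", ".vst", ".vst3", ".aaxplugin", ".app")
NOT_SIGNED = "The binary is not signed with a valid Developer ID certificate."
NO_TIMESTAMP = "The signature does not include a secure timestamp."
ROOT = "Plugin.pkg/Plugin.pkg Contents/Payload/Library/Audio/Plug-Ins"  # constructed


def issue(path, message):
    """Build one constructed log entry in the shape of a notarization issue."""
    return {"severity": "error", "path": path, "message": message,
            "architecture": "x86_64"}


# Constructed sample in the shape of the JSON behind LogFileURL (not a real log).
SAMPLE_LOG = json.dumps({
    "status": "Invalid",
    "issues": [
        issue(ROOT + "/VST3/Plugin.vst3/Contents/MacOS/Plugin", NOT_SIGNED),
        issue(ROOT + "/VST3/Plugin.vst3/Contents/MacOS/Plugin", NO_TIMESTAMP),
        issue(ROOT + "/VST/Plugin.vst/Contents/MacOS/Plugin", NOT_SIGNED),
        issue(ROOT + "/VST/Plugin.vst/Contents/MacOS/Plugin", NO_TIMESTAMP),
    ],
})


def enclosing_bundle(path):
    """Return the path up to the innermost bundle, or the path itself if none."""
    parts = path.split("/")
    for i in range(len(parts) - 1, -1, -1):
        if parts[i].endswith(BUNDLE_SUFFIXES):
            return "/".join(parts[: i + 1])
    return path  # loose binary outside any known bundle type


def signing_todo(log_text):
    """Map each bundle (or loose binary) to the distinct errors reported inside it."""
    log = json.loads(log_text)
    todo = defaultdict(set)
    for entry in log.get("issues") or []:  # "issues" is null when nothing is wrong
        if entry.get("severity") == "error":
            todo[enclosing_bundle(entry["path"])].add(entry["message"])
    return {bundle: sorted(msgs) for bundle, msgs in todo.items()}


if __name__ == "__main__":
    for bundle, msgs in signing_todo(SAMPLE_LOG).items():
        print(bundle, *msgs, sep="\n    ")
```

Each key in the result is a bundle inside the package payload that has to be signed again before the .pkg is rebuilt, signed and resubmitted.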

Post

discoDSP wrote: Sun Apr 05, 2020 2:16 pm
audiothing wrote: Sun Apr 05, 2020 2:08 pm What does the log say?
Thanks for pointing that out. Several issues:

Code:

The binary is not signed with a valid Developer ID certificate.
The signature does not include a secure timestamp.

This is from inside the .vst and .vst3 (/Plugin.vst3/Contents/MacOS/Plugin) path :shock:
Anyway, I think I had this issue before and the fix is relatively simple.
Thanks again. Really appreciated!
I am having the same issue, where the .dmg I happily notarized a few weeks ago now gives me the error. The errors are pointing at a MIDI driver file that's separate from the AAX bundle. My usual method is: Create .pkg with Packages, sign .pkg with Developer ID Installer, create DMG, notarize DMG in terminal with altool. But now, whatever combination I'm trying is not working with exactly the same files as before. Very frustrating.
It seems like the MIDI driver needs to be signed separately, but does it need to be?
Thanks for any pointers.
Cheers
Vedat
