HOWTO macOS notarization (plugins, app, pkg installers)

DSP, Plugin and Host development discussion.

Post

You probably need to sign the MIDI driver too. Had to sign a Packages extra plugin or it won't validate. I'm actually signing everything via command line. Xcode signed binaries are giving issues with Apple notarisation. The commands listed below are verified to work.

Plugins:

Code:

codesign -s "Developer ID Application: Me (XXXXXXXXX)" --timestamp filename

App:

Code:

codesign --force --options runtime --deep --sign "Developer ID Application: Me (XXXXXXXXX)" Filename.app

Luckily Whitebox Packages signs the PKG correctly. Then notarize:

Code:

xcrun altool --notarize-app --primary-bundle-id com.bundlename.pkg --username "myemail@discodsp.com" --password "altoolpassword" --file App.pkg

Then staple the PKG after notarization success:

Code:

xcrun stapler staple App.pkg
Last edited by george on Wed May 06, 2020 11:42 am, edited 1 time in total.

Post

Thanks, I’ll try the first one for the driver again. The first time it gave a file-not-found error, I think. My Packages isn’t actually signing even though I selected the cert in the prefs.

Post

Yeah I actually ran into issues after Apple made the notarisation process more strict last February.

Post

Thanks for this very detailed how-to.
I am facing a problem notarizing VST3 and AU plugins that I distribute in a zip (no installer).

I tried the following process on the VST3:
  1. sign the folder with timestamp
  2. zip it
  3. notarize the zip
This results in a "package approved" message, cool.

But then when I try to staple the unzipped plugin file inside Contents/MacOS/ I get the following error:

Code:

The staple and validate action failed! Error 73

spctl --assess on that same file returns the following:

Code:

rejected (the code is valid but does not seem to be an app)

Any idea?

Post

AFAIK plugin files (AU/VST/VST3) should be code signed. If not the only issue is that any DAW using hardened runtime without com.apple.security.cs.disable-library-validation on their entitlements plist won't be able to load them (Bliss sampler VST recorder hosting standalone app can do it).

If they aren't distributed via DMG or PKG (and they should) I don't think it's required to use notarization at all. They may be unsigned if they are going to be on a ZIP file but as said may run into issues for some hosts.

Cheers,
George.

Post

The plot thickens.
When I run the codesign command, it returns a message <File is already signed>.
But making the pkg, signing it, and making a DMG and trying to notarize that fails with the same errors for the same file.
My feeling is that somehow this binary has been signed badly, if that's even possible.
How do I strip the signature and try again?

Post

Add --force to codesign and the signature will be replaced. Be careful copying files to other locations after that; they can get messed up. Do it on the final paths.

Post

Where does the --force go?
I tried in a few places without success.

Post

AudioUnits plugin file example:

Code:

codesign --force -s "Developer ID Application: Me (XXXXXXXX)" --timestamp "File.component"

Post

I used it like this:

Code:

codesign —-force -s Developer\ ID\ Application:\ myName --timestamp /Path/My.plugin

And terminal returned:

Code:

—-force: No such file or directory

Post

Oh wait. Those dashes are different, I used text edit to type it in first.
It worked when I copied the dashes from timestamp.
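The signing, verification, notarization and stapling steps from this thread collected into one script, as an added example (not code from the thread or from discoDSP); the identity string, Apple ID, keychain item name and file paths are placeholders, and the argument check catches the non-ASCII dash problem described just above.

```shell
#!/bin/sh
# Added example, not from the thread: its sign / verify / notarize / staple
# steps as shell functions. IDENTITY, APPLE_ID, the keychain item name and
# all paths are placeholders; DRY_RUN=1 prints commands instead of running them.
set -eu
IDENTITY="${IDENTITY:-Developer ID Application: Me (XXXXXXXXX)}"  # placeholder
APPLE_ID="${APPLE_ID:-appleid@example.com}"                       # placeholder
DRY_RUN="${DRY_RUN:-0}"

# Print the command line when DRY_RUN=1, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Reject any argument carrying a byte outside printable ASCII: the thread's
# "--force: No such file or directory" was an em dash pasted from a text
# editor, which codesign read as a file name rather than a flag.
check_ascii_args() {
  for a in "$@"; do
    if printf '%s' "$a" | LC_ALL=C grep -q '[^ -~]'; then
      printf 'non-ASCII byte in argument: %s\n' "$a" >&2
      return 1
    fi
  done
}

# Plugin bundle (AU/VST/VST3): --force replaces an existing, possibly bad,
# signature. Sign on the final install path, not on a copy.
sign_plugin() { run codesign --force --timestamp -s "$IDENTITY" "$1"; }

# App bundle: hardened runtime, --deep for nested code, secure timestamp.
sign_app() { run codesign --force --options runtime --deep --timestamp -s "$IDENTITY" "$1"; }

# Local checks before submitting. A signed plugin passes codesign --verify
# but spctl --assess rejects it ("does not seem to be an app"), and stapler
# only accepts apps, pkgs and disk images, never the plugin bundle itself.
verify_bundle() { run codesign --verify --deep --strict --verbose=2 "$1"; }
verify_pkg()    { run pkgutil --check-signature "$1"; }

# Password from a keychain item (altool accepts @keychain:ITEM) so it stays
# out of shell history. Apple has since retired altool in favour of
# xcrun notarytool; the thread's altool invocation is kept here.
notarize_pkg() {
  run xcrun altool --notarize-app --primary-bundle-id "$2" \
    --username "$APPLE_ID" --password "@keychain:AC_PASSWORD" --file "$1"
}

# Run only after altool reports "package approved".
staple_pkg() { run xcrun stapler staple "$1"; }

# Usage: ./notarize.sh App.pkg com.bundlename.pkg
if [ "$#" -eq 2 ]; then check_ascii_args "$@"; verify_pkg "$1"; notarize_pkg "$1" "$2"; fi
```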

Post

Mate, you are a life saver! Thanks so much for the guidance.
I got notarised!
Now to test...

Post

:)

Post

discoDSP wrote: Thu May 07, 2020 4:36 am AFAIK plugin files (AU/VST/VST3) should be code signed. If not the only issue is that any DAW using hardened runtime without com.apple.security.cs.disable-library-validation on their entitlements plist won't be able to load them (Bliss sampler VST recorder hosting standalone app can do it).

If they aren't distributed via DMG or PKG (and they should) I don't think it's required to use notarization at all. They may be unsigned if they are going to be on a ZIP file but as said may run into issues for some hosts.

Cheers,
George.
Thanks!
So distributing plugins in zip is a no go for the future... :?

Post

If they're signed I think it will be OK.
