HOWTO macOS notarization (plugins, app, pkg installers)

DSP, Plugin and Host development discussion.
Post

kv331 wrote: Mon Nov 23, 2020 8:35 pm Hi all,

My notarization script has been working fine, but recently Apple is rejecting :(

I codesign all binaries
I codesign all pkg files
That's insane. Please let us know when you find out what the problem is. 🙂 I think Apple needs to know this, have you posted on their dev forums?

Post

I've noticed these changes since December 2019:

A plugin that dynamically creates files within the .component on loading is rejected by the Notarisation. Before December this did work. In my case it did affect the symbiosis AU wrapper.

Symlinks within the .component no longer work. Before December this did work.

It needed lots of trial and error to find this out. Especially since the Notarisation is really slow and when you need to upload large files it can be a pain. Thanks Apple for wasting my lifetime!

Post

kv331 wrote: Mon Nov 23, 2020 8:35 pm Hi all,

My notarization script has been working fine, but recently Apple is rejecting :(

I codesign all binaries
I codesign all pkg files

and yet I am not getting errors like below:

"issues": [
{
"severity": "error",
"code": null,
"path": "SynthMasterDemoSetup.pkg/synthmastervstdemo.pkg Contents/Payload/Library/Audio/Plug-Ins/VST/SynthMaster2FX.vst/Contents/MacOS/SynthMaster2FX",
"message": "The signature of the binary is invalid.",
"docUrl": null,
"architecture": "x86_64"
},
Check if your signature is valid. In our case it expired 1 month before the deadline

Post

Sorry for the 'bump' - but has everything settled down now?

Is it safe to upgrade my Mac dev. machine to Big Sur and still release software for previous OSs?
Or has Apple fudged that up completely?

Post

quikquak wrote: Fri Jan 15, 2021 4:04 pm Sorry for the 'bump' - but has everything settled down now?

Is it safe to upgrade my Mac dev. machine to Big Sur and still release software for previous OSs?
Or has Apple fudged that up completely?
No, productsign is only making valid signatures that work back to 10.12, if you want to support older OSes, stick with Catalina.

Post

Thanks for letting me know. Whenever I run my Mac it keeps on insisting that I upgrade. It just means that one day I'm going to let it upgrade by accident 🙄😥
Oh well. That's Apple development for ya! 🤬ers!

Post

On Big Sur, productsign and codesign don't apply sha1 signatures anymore. Actually, on Big Sur Intel, codesign seems to be still applying sha1 signatures, but productsign is not.

The problem with codesign not applying sha1 signatures:
10.9 seems to ignore the signatures completely, so auvaltool validates the plugin
10.10 it's expecting a sha1 signature, so validation fails
10.11 seems to be the minimum version to accept sha256 plugins

The problem with productsign not applying sha1 signatures:
10.11 and below are expecting sha1 for installers, it fails otherwise
10.12 is the minimum version to accept sha256 installers

For productsign, there is a workaround: https://forum.juce.com/t/upgraded-to-bi ... r/42812/10 (tested and working fine)

A workaround I found for codesign is to use the wraptool (if you are making AAXs). It works for AU and VST as well, although it's slower and I'm not sure if PACE is going to like it.

So, to avoid workarounds and to play safe, and unless you want to bump the minimum macOS version to 10.12, I suggest staying with Catalina. It should be good for at least a couple of years, I guess.
We are supporting from 10.7 to 11.1 with XCode 12.3 on Catalina 10.15.7. No issues so far.

There's also Apple's official response (link) to this "issue": provide separate installers for older macOS versions.
This is probably what we will be going to do when we move our build server to Silicon.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server
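Added here as a pre-flight check (an example script, not code from any poster in this thread): it reads the "Hash choices" line from `codesign -dvvv` output so you can see, before uploading to the notary service, whether a build still carries the legacy sha1 hash choice that the post above says 10.10/10.11 need. The embedded codesign outputs are constructed samples, and the 10.10/10.11 mapping follows this thread's observations, not Apple documentation.

```shell
#!/bin/sh
# Added example: inspect a bundle's code signature before uploading for
# notarization and report which hash choices it carries, following the
# thread's observations (sha1 present: validates from 10.10; sha256 only: 10.11+;
# 10.9 ignores the signature entirely). Paths and identifiers are constructed.
# Constructed sample of `codesign -dvvv` output as Big Sur produces it (sha256 only).
SAMPLE_BIGSUR='Executable=/Library/Audio/Plug-Ins/Components/Example.component/Contents/MacOS/Example
Identifier=com.example.plugin
Hash choices=sha256'

# Constructed sample as Catalina produces it (legacy sha1 plus sha256).
SAMPLE_CATALINA='Executable=/Library/Audio/Plug-Ins/Components/Example.component/Contents/MacOS/Example
Identifier=com.example.plugin
Hash choices=sha1,sha256'

# Print the comma-separated "Hash choices" list found in codesign output $1.
hash_choices() {
  printf '%s\n' "$1" | sed -n 's/^Hash choices=//p'
}

# Succeed when algorithm $2 (sha1 or sha256) is among the hash choices in $1.
has_hash() {
  hash_choices "$1" | tr ',' '\n' | grep -qx "$2"
}

# Oldest macOS on which a plug-in signed like this is expected to validate.
min_plugin_os() {
  if has_hash "$1" sha1; then echo 10.10
  elif has_hash "$1" sha256; then echo 10.11
  else echo unsigned
  fi
}

# Live check of a real bundle or binary (codesign writes -dvvv details to stderr).
check_bundle() {
  out=$(codesign -dvvv "$1" 2>&1) || { echo "codesign failed: $out"; return 1; }
  echo "$1: hash choices=$(hash_choices "$out"); expect validation from macOS $(min_plugin_os "$out")"
}

# With a path argument on macOS, check it; otherwise demonstrate on the samples.
if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
  check_bundle "$1"
else
  echo "Big Sur sample: $(min_plugin_os "$SAMPLE_BIGSUR")"
  echo "Catalina sample: $(min_plugin_os "$SAMPLE_CATALINA")"
fi
```

Run it on a Mac as `sh check_hashes.sh /path/to/Plugin.component` to check a real build; without an argument it only reports on the two samples.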

Post

So plug-ins I release using Catalina WILL work on Big Sur?
Good, that's a relief

Post

quikquak wrote: Sat Jan 16, 2021 9:28 pm So plug-ins I release using Catalina WILL work on Big Sur?
Good, that's a relief
As long as you compile for both x86_64 and arm64, yes, Catalina is your best bet for supporting from 10.7 to 11.1. However, if you don't compile for arm64, they will still probably work under Rosetta.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

quikquak wrote: Fri Jan 15, 2021 4:04 pm Sorry for the 'bump' - but has everything settled down now?

Is it safe to upgrade my Mac dev. machine to Big Sur and still release software for previous OSs?
Or has Apple fudged that up completely?
I cannot recommend upgrading your dev machine to Big Sur. Instead stay with Catalina. Otherwise you'll have trouble signing your stuff, because it no longer adds a SHA1 signature.

Post

Big thanks for this detailed information. I have already gone through this. I live in the countryside and I can say that uploading the whole *.pkg installer filled with samples using a weak "village style" internet connection is some kind of hell. Not quite hilarious ;)

Post

I totally agree with this. The whole software notarisation is a horrible and frustrating process - especially when you need to upload large pkg files. It is complicated, slow and obfuscated.
To save time I first zip only the vst3/au plugin without data. Then upload for the notarisation. When it passes I build the pkg with all data and run notarisation again.

Post

(issue solved)
James Walker-Hall
www.newsonicarts.com

Post

Markus Krause wrote: Mon Jan 18, 2021 10:02 am I cannot recommend upgrading your dev machine to Big Sur. Instead stay with Catalina. Otherwise you'll have trouble signing your stuff, because it no longer adds a SHA1 signature.
FWIW I'm now building and notarizing on/from Big Sur fine, the installers still work when tested on Mojave.
James Walker-Hall
www.newsonicarts.com

Post

Markus Krause wrote: Mon Jan 18, 2021 10:02 am I cannot recommend upgrading your dev machine to Big Sur. Instead stay with Catalina. Otherwise you'll have trouble signing your stuff, because it no longer adds a SHA1 signature.
+1
