HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers)

DSP, Plug-in and Host development discussion.
KVRian
751 posts since 6 Aug, 2005 from England

Post Tue Nov 24, 2020 1:06 am

kv331 wrote:
Mon Nov 23, 2020 12:35 pm
Hi all,

My notarization script has been working fine, but recently Apple is rejecting :(

I codesign all binaries
I codesign all pkg files
That's insane. Please let us know when you find out what the problem is. 🙂 I think Apple needs to know this, have you posted on their dev forums?

KVRian
944 posts since 2 Jul, 2018

Post Wed Nov 25, 2020 5:10 am

I've noticed these changes since December 2019:

A plugin that dynamically creates files within the .component on loading is rejected by the Notarisation. Before December this did work. In my case it did affect the symbiosis AU wrapper.

Symlinks within the .component no longer work. Before December this did work.

It needed lots of trial and error to find this out. Especially since the Notarisation is really slow and when you need to upload large files it can be a pain. Thanks Apple for wasting my lifetime!
Tone2 Audiosoftware https://www.tone2.com

KVRAF
2555 posts since 23 Jun, 2006

Post Wed Nov 25, 2020 11:00 am

kv331 wrote:
Mon Nov 23, 2020 12:35 pm
Hi all,

My notarization script has been working fine, but recently Apple is rejecting :(

I codesign all binaries
I codesign all pkg files

and yet I am not getting errors like below:

"issues": [
{
"severity": "error",
"code": null,
"path": "SynthMasterDemoSetup.pkg/synthmastervstdemo.pkg Contents/Payload/Library/Audio/Plug-Ins/VST/SynthMaster2FX.vst/Contents/MacOS/SynthMaster2FX",
"message": "The signature of the binary is invalid.",
"docUrl": null,
"architecture": "x86_64"
},
Check if your signature is valid. In our case it expired 1 month before the deadline

KVRian
751 posts since 6 Aug, 2005 from England

Post Fri Jan 15, 2021 8:04 am

Sorry for the 'bump' - but has everything settled down now?

Is it safe to upgrade my Mac dev. machine to Big Sur and still release software for previous OSs?
Or has Apple fudged that up completely?

KVRian
754 posts since 3 May, 2005 from Victoria, BC

Post Fri Jan 15, 2021 8:24 am

quikquak wrote:
Fri Jan 15, 2021 8:04 am
Sorry for the 'bump' - but has everything settled down now?

Is it safe to upgrade my Mac dev. machine to Big Sur and still release software for previous OSs?
Or has Apple fudged that up completely?
No, productsign is only making valid signatures that work back to 10.12, if you want to support older OSes, stick with Catalina.

KVRian
751 posts since 6 Aug, 2005 from England

Post Fri Jan 15, 2021 8:34 am

Thanks for letting me know. Whenever I run my Mac it keeps on insisting that I upgrade. It just means that one day I'm going to let it upgrade by accident 🙄😥
Oh well. That's Apple development for ya! 🤬ers!

KVRAF
1603 posts since 13 Apr, 2011 from EU

Post Fri Jan 15, 2021 9:18 am

On Big Sur, productsign and codesign don't apply sha1 signatures anymore. Actually, on Big Sur Intel, codesign seems to be still applying sha1 signatures, but productsign is not.

The problem with codesign not applying sha1 signatures:
10.9 seems to ignore the signatures completely, so auvaltool validates the plugin
10.10 it's expecting a sha1 signature, so validation fails
10.11 seems to be the minimum version to accept sha256 plugins

The problem with productsign not applying sha1 signatures:
10.11 and below are expecting sha1 for installers, it fails otherwise
10.12 is the minimum version to accept sha256 installers

For productsign, there is a workaround: https://forum.juce.com/t/upgraded-to-bi ... r/42812/10 (tested and working fine)

A workaround I found for codesign is to use the wraptool (if you are making AAXs). It works for AU and VST as well, although it's slower and I'm not sure if PACE is going to like it.

So, to avoid workarounds and to play safe, and unless you want to bump the minimum macOS version to 10.12, I suggest staying with Catalina. It should be good for at least a couple of years, I guess.
We are supporting from 10.7 to 11.1 with XCode 12.3 on Catalina 10.15.7. No issues so far.

There's also an official response from Apple (link) to this "issue": provide separate installers for older macOS versions.
This is probably what we are going to do when we move our build server to Silicon.
AudioThing (VST, AU, AAX Plugins)
Instagram | Facebook | Twitter
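
Added example, not part of the post above and not code from any poster: a release-time check that reads the digest list from `codesign -dvvv` output and reports the oldest macOS release that should accept the signature, using only the version floors quoted in that post. The sample outputs are constructed, the function names are hypothetical, and the installer digest must be supplied by the caller because the thread does not show how to read it from a signed pkg.

```shell
#!/bin/sh
# Digest floors below are the figures quoted in the forum post, not Apple docs.

# Read `codesign -dvvv` output on stdin and print the digest list,
# e.g. "sha1,sha256". Falls back to "Hash type=" if "Hash choices=" is absent.
hash_choices() {
    awk -F= '
        $1 == "Hash choices" { choices = $2 }
        $1 == "Hash type"    { split($2, t, " "); type = t[1] }
        END { print (choices != "" ? choices : type) }'
}

# min_macos KIND DIGESTS -> oldest macOS expected to validate the signature.
# KIND is "plugin" (codesign) or "installer" (productsign).
# Prints "any" when a sha1 digest is present.
min_macos() {
    case ",$2," in
        *,sha1,*) echo "any"; return 0 ;;
    esac
    case "$1" in
        plugin)    echo "10.11" ;;  # 10.10 expects sha1; 10.9 ignores signatures
        installer) echo "10.12" ;;  # 10.11 and below expect sha1
        *)         echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# Constructed sample outputs (identifier is a placeholder).
sample_dual() { cat <<'EOF'
Identifier=com.example.MyPlugin
Hash type=sha256 size=32
Hash choices=sha1,sha256
EOF
}
sample_sha256_only() { cat <<'EOF'
Identifier=com.example.MyPlugin
Hash type=sha256 size=32
Hash choices=sha256
EOF
}

# report KIND < codesign output : one summary line per signed item.
report() {
    digests=$(hash_choices)
    echo "$1 digests=$digests min_macos=$(min_macos "$1" "$digests")"
}

sample_dual | report plugin
sample_sha256_only | report plugin
```

On a real build, feed it with `codesign -dvvv MyPlugin.component 2>&1 | report plugin`, since codesign writes its details to stderr.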

KVRian
751 posts since 6 Aug, 2005 from England

Post Sat Jan 16, 2021 1:28 pm

So plug-ins I release using Catalina WILL work on Big Sur?
Good, that's a relief

KVRAF
1603 posts since 13 Apr, 2011 from EU

Post Sat Jan 16, 2021 2:15 pm

quikquak wrote:
Sat Jan 16, 2021 1:28 pm
So plug-ins I release using Catalina WILL work on Big Sur?
Good, that's a relief
As long as you compile for both x86_64 and arm64, yes, Catalina is your best bet for supporting from 10.7 to 11.1. However, if you don't compile for arm64, they will still probably work under Rosetta.
AudioThing (VST, AU, AAX Plugins)
Instagram | Facebook | Twitter

KVRian
944 posts since 2 Jul, 2018

Post Mon Jan 18, 2021 2:02 am

quikquak wrote:
Fri Jan 15, 2021 8:04 am
Sorry for the 'bump' - but has everything settled down now?

Is it safe to upgrade my Mac dev. machine to Big Sur and still release software for previous OSs?
Or has Apple fudged that up completely?
I cannot recommend upgrading your dev machine to Big Sur. Instead, stay with Catalina. Otherwise you'll have trouble signing your stuff, because it no longer adds a SHA1 signature.
Tone2 Audiosoftware https://www.tone2.com

KVRer
19 posts since 12 Feb, 2021

Post Wed Feb 17, 2021 5:03 am

Big thanks for this detailed information. I have already gone through this. I live in the countryside and I can say that uploading the whole *.pkg installer filled with samples using a weak "village style" internet connection is some kind of hell. Not quite hilarious ;)

KVRian
944 posts since 2 Jul, 2018

Post Fri Feb 19, 2021 7:54 am

I totally agree with this. The whole software notarisation is a horrible and frustrating process - especially when you need to upload large pkg files. It is complicated, slow and obfuscated.
To save time I first zip only the vst3/au plugin without data. Then upload for the notarisation. When it passes I build the pkg with all data and run notarisation again.
Tone2 Audiosoftware https://www.tone2.com

KVRist
318 posts since 26 Jun, 2010

Post Mon May 10, 2021 5:32 pm

(issue solved)
James Walker-Hall
www.newsonicarts.com

KVRist
318 posts since 26 Jun, 2010

Post Sun May 16, 2021 7:00 pm

Markus Krause wrote:
Mon Jan 18, 2021 2:02 am
I cannot recommend upgrading your dev machine to Big Sur. Instead, stay with Catalina. Otherwise you'll have trouble signing your stuff, because it no longer adds a SHA1 signature.
FWIW I'm now building and notarizing on/from Big Sur fine, the installers still work when tested on Mojave.
James Walker-Hall
www.newsonicarts.com

KVRian
661 posts since 16 May, 2014 from Germany

Post Sun May 16, 2021 10:54 pm

Markus Krause wrote:
Mon Jan 18, 2021 2:02 am
I cannot recommend upgrading your dev machine to Big Sur. Instead, stay with Catalina. Otherwise you'll have trouble signing your stuff, because it no longer adds a SHA1 signature.
+1
