HOWTO macOS notarization (plugins, app, pkg installers)
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
Big Sur 11.3 fixed the missing SHA1 signature for both codesign and productsign. We have moved our dev machine to Big Sur and can confirm everything works as it should (from 10.9 to 11.3.1).
If you are using Packages for your installers you might need to re-sign them using productsign directly to make sure the right signatures are applied.
- KVRian
- 872 posts since 6 Aug, 2005 from England
Just to be sure - I don't have to keep dodging the updates? I can notarize for earlier machines using Big Sur? That's good news, thanks for that.
Dave Hoskins. http://www.quikquak.com
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
Yep, exactly, Big Sur 11.3 and Xcode 12.5 (on Silicon, but I guess it's going to be the same on Intel) can be used to build, sign, and notarize plugins and installers for 10.9 and up.
I'm using an M1 MacBook Pro as the main dev/build machine. It's faster and cooler than my 2018 i7 MacBook Pro.
More info here: https://forum.juce.com/t/upgraded-to-bi ... r/42812/42
-
- KVRist
- 134 posts since 13 Apr, 2016
audiothing wrote: ↑Mon May 17, 2021 5:17 pm I'm using an M1 MacBook Pro as the main dev/build machine.
M1 MacBook Air?
- KVRian
- 872 posts since 6 Aug, 2005 from England
OK, ta. I'm all nerves when it comes to MacOS updates, does it also have to be the latest Xcode? I'll need someone with an Intel machine to be really sure. Anybody wanna try and report back?
Dave Hoskins. http://www.quikquak.com
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
audiothing wrote: ↑Mon May 17, 2021 5:17 pm I'm using an M1 MacBook Pro as the main dev/build machine.
joshb wrote: ↑Mon May 17, 2021 5:30 pm M1 MacBook Air?
No, the 13‑inch MacBook Pro with M1.
Yes, you need Xcode 12.5: https://developer.apple.com/documentati ... ease-notes
Grab an external disk, get SuperDuper! (even the free version), clone your disk and then upgrade to Big Sur. You can always go back or you can even boot from the external disk if you ever need to check something.
-
- KVRist
- 358 posts since 26 Jun, 2010
I have one user who is using 10.9 and he is saying our new installers won't run for him (invalid digital signature). We are not doing the stapler step (nor plan to, I've jumped through enough Apple-shaped hoops for now). So I would just like to know what is the last version of OSX that the notarized (non stapled) installers (with hardened run time) will run on. Then we will simply update our min requirements. Does anyone know? I know it's running on Mojave at least but I don't have an older machine to test on.
James Walker-Hall
www.newsonicarts.com
- KVRAF
- 1748 posts since 2 Jul, 2018
You should be safe with MacOS 10.12 or higher
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
newsonicarts wrote: ↑Wed Jun 16, 2021 3:20 am I have one user who is using 10.9 and he is saying our new installers won't run for him (invalid digital signature).
What macOS version are you using to create your installers?
Just a few posts earlier: viewtopic.php?p=8112710#p8112710
Big Sur 11.3 and Xcode 12.5 can be used to build, sign, and notarize plugins and installers for 10.9 and up.
-
- KVRist
- 358 posts since 26 Jun, 2010
audiothing wrote: ↑Wed Jun 16, 2021 9:38 am What macOS version are you using to create your installers?
Just a few posts earlier: viewtopic.php?p=8112710#p8112710
Big Sur 11.3 and Xcode 12.5 can be used to build, sign, and notarize plugins and installers for 10.9 and up.
Yeah already building the installers on Big Sur. Could be because I'm not doing the stapler step then (due to the fact that seems difficult to perform within an automated build process, as the notarization is not synchronous).
EDIT: or could it be that note about OTHER_CODE_SIGN_FLAGS ? I guess I will give that a try at least
James Walker-Hall
www.newsonicarts.com
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
newsonicarts wrote: ↑Wed Jun 16, 2021 10:08 am Yeah already building the installers on Big Sur. Could be because I'm not doing the stapler step then (due to the fact that seems difficult to perform within an automated build process, as the notarization is not synchronous).
EDIT: or could it be that note about OTHER_CODE_SIGN_FLAGS ? I guess I will give that a try at least
Are you on Big Sur 11.3 and Xcode 12.5? In earlier versions of Big Sur and Xcode there was an issue with signatures (you can read more about it in my previous posts) that resulted in issues on 10.9. That is now fixed, but you need to make sure you are using the latest versions of both Big Sur and Xcode.
Adding the stapler step to an automated build process is easy, just create a wait loop and check every 30-60 seconds with something like:
Code:
xcrun altool --notarization-info $uuid $account
-
- KVRist
- 358 posts since 26 Jun, 2010
Yep.
audiothing wrote: ↑Wed Jun 16, 2021 11:04 am Adding the stapler step to an automated build process is easy, just create a wait loop and check every 30-60 seconds with something like:
Code:
xcrun altool --notarization-info $uuid $account
If you get "Package Approved" you can run the stapler.
Ok thanks, but how to get the UUID? I know it's returned from the --notarize-app command, but from memory I think a bunch of other stuff is too, and I'm not sure how to extract it (I'm most certainly no expert in the Apple command line). If you have a code excerpt it would be appreciated.
James Walker-Hall
www.newsonicarts.com
- KVRian
- 872 posts since 6 Aug, 2005 from England
I think this is close to what I use, it may have been edited a bit since.
It's for pkg files, with just one command parameter - the package name without the extension
I think you may be more interested in the last bits.
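Code:
#!/bin/bash
# For pkg files, use one parameter without the extension
# Fill these 3 lines in...
USERNAME=myemail@mycompany.com # Your standard Apple ID
PASSWORD=xxxx-xxxx-xxxx-xxxx # app specific password
COMPANYID=com.mycompany.$1 # Note the .$1 here adds the file's name to the bundle ID
printf "Submitting to Apple...\n\n"
# Show the command being run, with the password masked so it does not end up in build logs
printf '#xcrun altool --notarize-app -f "%s.pkg" --primary-bundle-id %s --username %s --password ********\n' "$1" "$COMPANYID" "$USERNAME"
# altool's output (stdout and stderr) is saved so the RequestUUID can be read back from it
xcrun altool --notarize-app -f "$1.pkg" --primary-bundle-id "$COMPANYID" --username "$USERNAME" --password "$PASSWORD" &> notarisation.result
# The line looks like "RequestUUID = <uuid>", so the UUID is the third space-separated field
ASSET_UUID=`grep RequestUUID notarisation.result | cut -d" " -f 3`
# Stop here if the upload failed; otherwise the loop below would never end
if [[ -z "$ASSET_UUID" ]]; then
  printf "\nNo RequestUUID returned, see notarisation.result\n"
  exit 1
fi
printf "\n\nChecking result of notarisation.."
# Poll every 30 seconds until Apple reports "Package Approved" (both output streams are searched)
while true; do
  echo -n '.'
  if [[ `xcrun altool --notarization-info "$ASSET_UUID" --username "$USERNAME" --password "$PASSWORD" 2>&1 | grep -c "Package Approved"` == "1" ]]; then
    break
  fi
  sleep 30
done
printf "\nStapling package...\n"
xcrun stapler staple "$1.pkg"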
Dave Hoskins. http://www.quikquak.com
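A bounded variant of the polling loop discussed above, as an added example that is not part of any post in this thread: it validates the extracted RequestUUID and stops on rejection or after a fixed number of tries instead of waiting forever. The function names are hypothetical, and the `Status: invalid` line treated as a rejection is an assumption about altool's text output.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical and the
# "Status: invalid" rejection marker is an assumption about altool's output.
# Wiring, using the flags shown in the posts above:
#   uuid=$(extract_request_uuid < notarisation.result) || exit 1
#   poll() { xcrun altool --notarization-info "$uuid" --username "$USERNAME" --password "$PASSWORD"; }
#   wait_for_notarization 40 30 poll && xcrun stapler staple "$1.pkg"

# Print the RequestUUID from `altool --notarize-app` output read on stdin.
# Returns non-zero when no well-formed UUID is present (e.g. a failed upload),
# so a build script never polls with an empty or garbage identifier.
extract_request_uuid() {
  uuid=$(sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*//p' |
         head -n 1 | tr -d '[:space:]')
  printf '%s\n' "$uuid" |
    grep -Ex '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
}

# Classify `altool --notarization-info` output read on stdin.
# Prints one of: approved, rejected, pending.
notarization_state() {
  info=$(cat)
  case $info in
    *"Package Approved"*) echo approved ;;
    *) if printf '%s\n' "$info" |
            grep -Eq '^[[:space:]]*Status:[[:space:]]*invalid'; then
         echo rejected
       else
         echo pending
       fi ;;
  esac
}

# wait_for_notarization MAX_TRIES DELAY_SECONDS CMD [ARGS...]
# Runs CMD (which must print notarization-info output) until the package is
# approved (returns 0), rejected (returns 1) or MAX_TRIES is reached (returns 2).
wait_for_notarization() {
  max=$1; delay=$2; shift 2
  try=1
  while [ "$try" -le "$max" ]; do
    state=$("$@" 2>&1 | notarization_state)
    case $state in
      approved) return 0 ;;
      rejected) return 1 ;;
    esac
    [ "$try" -lt "$max" ] && sleep "$delay"
    try=$((try + 1))
  done
  return 2
}
```

The distinct return codes let a CI job fail the build on rejection or timeout rather than shipping an unstapled package.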