HOWTO macOS notarization (plugins, app, pkg installers)

DSP, Plugin and Host development discussion.

Post

Big Sur 11.3 fixed the missing SHA1 signature for both codesign and productsign. We have moved our dev machine to Big Sur and can confirm everything works as it should (from 10.9 to 11.3.1).
If you are using Packages for your installers you might need to re-sign them using productsign directly to make sure the right signatures are applied.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

Just to be sure - I don't have to keep dodging the updates? I can notarize for earlier machines using Big Sur? That's good news, thanks for that.

Post

quikquak wrote: Mon May 17, 2021 4:56 pm Just to be sure - I don't have to keep dodging the updates? I can notarize for earlier machines using Big Sur? That's good news, thanks for that.
Yep, exactly, Big Sur 11.3 and Xcode 12.5 (on Silicon, but I guess it's going to be the same on Intel) can be used to build, sign, and notarize plugins and installers for 10.9 and up.

I'm using an M1 Macbook Pro as the main dev/build machine. It's faster and cooler than my 2018 i7 MacBook Pro.

More info here: https://forum.juce.com/t/upgraded-to-bi ... r/42812/42
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

audiothing wrote: Mon May 17, 2021 5:17 pm I'm using an M1 Macbook Pro as the main dev/build machine.
M1 MacBook Air?

Post

OK, ta. I'm all nerves when it comes to MacOS updates, does it also have to be the latest Xcode? I'll need someone with an Intel machine to be really sure. Anybody wanna try and report back? 🙂

Post

joshb wrote: Mon May 17, 2021 5:30 pm
audiothing wrote: Mon May 17, 2021 5:17 pm I'm using an M1 Macbook Pro as the main dev/build machine.
M1 MacBook Air?
No, the 13‑inch MacBook Pro with M1.
quikquak wrote: Mon May 17, 2021 5:36 pm OK, ta. I'm all nerves when it comes to MacOS updates, does it also have to be the latest Xcode? I'll need someone with an Intel machine to be really sure. Anybody wanna try and report back? 🙂
Yes, you need Xcode 12.5: https://developer.apple.com/documentati ... ease-notes
Grab an external disk, get SuperDuper! (even the free version), clone your disk and then upgrade to Big Sur. You can always go back or you can even boot from the external disk if you ever need to check something.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

I have one user who is using 10.9 and he is saying our new installers won't run for him (invalid digital signature). We are not doing the stapler step (nor plan to, I've jumped through enough Apple-shaped hoops for now). So I would just like to know what is the last version of OSX that the notarized (non stapled) installers (with hardened run time) will run on. Then we will simply update our min requirements. Does anyone know? I know it's running on Mojave at least but I don't have an older machine to test on.
James Walker-Hall
www.newsonicarts.com

Post

You should be safe with MacOS 10.12 or higher

Post

Markus Krause wrote: Wed Jun 16, 2021 6:40 am You should be safe with MacOS 10.12 or higher
Thanks
James Walker-Hall
www.newsonicarts.com

Post

newsonicarts wrote: Wed Jun 16, 2021 3:20 am I have one user who is using 10.9 and he is saying our new installers won't run for him (invalid digital signature).
What macOS version are you using to create your installers?
Just a few posts earlier: viewtopic.php?p=8112710#p8112710
Big Sur 11.3 and Xcode 12.5 can be used to build, sign, and notarize plugins and installers for 10.9 and up.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

audiothing wrote: Wed Jun 16, 2021 9:38 am What macOS version are you using to create your installers?
Just a few posts earlier: viewtopic.php?p=8112710#p8112710
Big Sur 11.3 and Xcode 12.5 can be used to build, sign, and notarize plugins and installers for 10.9 and up.
Yeah, already building the installers on Big Sur. Could be because I'm not doing the stapler step then (due to the fact that it seems difficult to perform within an automated build process, as the notarization is not synchronous).

EDIT: or could it be that note about OTHER_CODE_SIGN_FLAGS ? I guess I will give that a try at least
James Walker-Hall
www.newsonicarts.com

Post

newsonicarts wrote: Wed Jun 16, 2021 10:08 am Yeah, already building the installers on Big Sur. Could be because I'm not doing the stapler step then (due to the fact that it seems difficult to perform within an automated build process, as the notarization is not synchronous).

EDIT: or could it be that note about OTHER_CODE_SIGN_FLAGS ? I guess I will give that a try at least
Are you on Big Sur 11.3 and Xcode 12.5? In earlier versions of Big Sur and Xcode there was an issue with signatures (you can read more about it in my previous posts) that resulted in issues on 10.9. That is now fixed, but you need to make sure you are using the latest versions of both Big Sur and Xcode.

Adding the stapler step to an automated build process is easy, just create a wait loop and check every 30-60 seconds with something like:

    xcrun altool --notarization-info $uuid $account
If you get "Package Approved" you can run the stapler.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

audiothing wrote: Wed Jun 16, 2021 11:04 am Are you on Big Sur 11.3 and Xcode 12.5?
Yep.
audiothing wrote: Wed Jun 16, 2021 11:04 am Adding the stapler step to an automated build process is easy, just create a wait loop and check every 30-60 seconds with something like:

    xcrun altool --notarization-info $uuid $account
If you get "Package Approved" you can run the stapler.
Ok thanks, but how to get the UUID? I know it's returned from the --notarize-app command, but from memory I think a bunch of other stuff is too, and I'm not sure how to extract it (I'm most certainly no expert in the Apple command line). If you have a code excerpt it would be appreciated.
James Walker-Hall
www.newsonicarts.com

Post

I think this is close to what I use, it may have been edited a bit since.
It's for pkg files, with just one command parameter - the package name without the extension.
I think you may be more interested in the last bits.

    #!/bin/bash
    # For pkg files, use one parameter without the extension
    # Fill these 3 lines in...
    USERNAME=myemail@mycompany.com     # Your standard Apple ID
    PASSWORD=xxxx-xxxx-xxxx-xxxx       # app specific password
    COMPANYID=com.mycompany.$1         # Note the .$1 here adds the file's name to the bundle ID

    printf "Submitting to Apple...\n\n"
    # Echo the command for the build log, with the password masked
    printf '#xcrun altool --notarize-app -f "%s.pkg" --primary-bundle-id %s --username %s --password ****\n' "$1" "$COMPANYID" "$USERNAME"

    # Submit the package; stdout and stderr both go to notarisation.result
    xcrun altool --notarize-app -f "$1.pkg" --primary-bundle-id "$COMPANYID" --username "$USERNAME" --password "$PASSWORD" &> notarisation.result

    # The result contains a line "RequestUUID = <uuid>"; the UUID is the third field
    ASSET_UUID=$(grep RequestUUID notarisation.result | cut -d" " -f 3)
    if [ -z "$ASSET_UUID" ]; then
        # Submission failed: without a UUID the loop below would never end
        cat notarisation.result
        exit 1
    fi

    printf "\n\nChecking result of notarisation.."

    # Poll every 30 seconds; only altool's stderr reaches grep (stdout is discarded)
    while true; do
        echo -n '.'
        if [[ $(xcrun altool --notarization-info "$ASSET_UUID" --username "$USERNAME" --password "$PASSWORD" 2>&1 >/dev/null | grep -c "Package Approved") == "1" ]]; then
            break
        fi
        sleep 30
    done

    printf "\nStapling package...\n"

    xcrun stapler staple "$1.pkg"
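
A variant of the wait loop above, as an added example that is not part of the thread and not any poster's code: it accepts only a well-formed RequestUUID, stops on rejection as well as on approval, and gives up after a fixed number of polls. The `AC_USERNAME` / `AC_PASSWORD` variable names and the `Status:` lines in the constructed samples are assumptions; `RequestUUID` and "Package Approved" are the strings used in the posts above.

```sh
# Added example, not code from the thread. AC_USERNAME / AC_PASSWORD are assumed names.

# Constructed sample outputs; the "Status:" lines are an assumed format.
SAMPLE_SUBMIT="No errors uploading 'MyPlugin.pkg'.
RequestUUID = 11111111-2222-3333-4444-555555555555"
SAMPLE_PENDING="RequestUUID: 11111111-2222-3333-4444-555555555555
Status: in progress"
SAMPLE_REJECTED="Status: invalid
Status Message: Package Invalid"
SAMPLE_APPROVED="Status: success
Status Message: Package Approved"

# Read --notarize-app output on stdin and print the request UUID.
# Fails (non-zero) when no well-formed UUID follows "RequestUUID".
extract_request_uuid() {
    grep -Eo 'RequestUUID[ =:]+[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}' |
        head -n 1 | grep -Eo '[0-9A-Fa-f-]{36}$'
}

# Read --notarization-info output on stdin, print approved|failed|pending.
classify_status() {
    cs_out=$(cat)
    case $cs_out in
        *"Package Approved"*) echo approved ;;
        *"Status: invalid"*|*"Package Invalid"*) echo failed ;;
        *) echo pending ;;
    esac
}

# Real query. altool reads the secret itself via @env:, so it appears
# neither in the process list nor in an echoed command line.
notarization_info() {
    xcrun altool --notarization-info "$1" \
        --username "$AC_USERNAME" --password "@env:AC_PASSWORD" 2>&1
}

# Poll until approved (0), rejected (1) or attempts exhausted (2).
wait_for_notarization() {
    wfn_uuid=$1 wfn_left=${2:-40} wfn_interval=${3:-30}
    while [ "$wfn_left" -gt 0 ]; do
        case $(notarization_info "$wfn_uuid" | classify_status) in
            approved) return 0 ;;
            failed)   return 1 ;;
        esac
        wfn_left=$((wfn_left - 1))
        sleep "$wfn_interval"
    done
    return 2
}
```

In a build script, pipe the saved `--notarize-app` output into `extract_request_uuid`, pass the result to `wait_for_notarization`, and run `xcrun stapler staple` only when it returns 0.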

Post

quikquak wrote: Thu Jun 17, 2021 12:43 pm I think this is close to what I use, it may have been edited a bit since.
Thanks! Will give that a go..
James Walker-Hall
www.newsonicarts.com
