HOWTO macOS notarization (plugins, app, pkg installers)

DSP, Plugin and Host development discussion.
discoDSP
KVRAF
Topic Starter
5583 posts since 18 Jul, 2002

Post Sat Sep 14, 2019 4:26 am

After managing to get everything sorted out regarding notarization, I decided to publish a howto to make other developers' lives easier when complying with the latest macOS requirements.

Requirements: Apple will deprecate altool after Fall 2023:

We have an important update to share with you regarding Apple's command-line utility tool, altool. Apple has announced that altool will be deprecated and no longer supported after Fall 2023. This means that if you are currently using altool for notarizing your Apple software, you will need to switch to the new notarytool before the deprecation deadline to ensure your software continues to function properly.

To learn more about the new notarytool and how to use it for notarizing your software, please visit https://scriptingosx.com/2021/07/notari ... otarytool/. This website provides detailed information on how to use the new tool and what changes to expect.

We urge you to take note of this important change and to begin preparing for the transition to the new notarytool. This post will be updated once the date gets closer.
audiothing wrote: Thu May 07, 2020 4:12 am Notarization is indeed needed for plugins, but if you are distributing through a PKG or DMG (which contains a PKG), you can just notarize the PKG or the DMG, and everything inside will be notarized.
If you are distributing your plugins with a simple ZIP file, you still need to notarize that (you are actually notarizing the content of the ZIP). The problem here is that you can't staple a ZIP file (as far as I remember). But it worked when I tested it.
That said, distributing with a PKG is the way to go, it's easier for the user, and you can automate the whole process (PKG creation, signing, notarization + stapling) with just a small bash script.

PLUGIN FILES

Signing via terminal is simple. The team name should be your name and surname followed by the Team ID (such as 87UBP9ZN95) in parentheses:

codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.component" --timestamp
codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.vst" --timestamp 
codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.vst3" --timestamp
For AAX, it's recommended to use Developer ID Application on Code Signing Entitlements and add --timestamp to Other Code Signing Flags. Source: viewtopic.php?p=7672836#p7672836

e-phonic wrote: Sat Oct 19, 2019 11:16 am - If you are using an installer, use the method as described below.
- If you are distributing a .vst / .component without installer, notarize the plugin.
You can do this by creating a zip file containing the plugin.
Then run:

xcrun altool --notarize-app --primary-bundle-id "com.company.vst.plugin" --username "USERNAME" --password "PASSWORD" --asc-provider "SHORT_PROVIDER_NAME" --file plugin.zip
You will receive the RequestUUID if all goes well.
To check the status of the RequestUUID:

xcrun altool --notarization-info RequestUUID -u "USERNAME" -p "PASSWORD"
Alternatively, you can use the script from viewtopic.php?p=8622323#p8622323

APP NOTARIZATION

Update:
audiothing wrote: Sun Oct 20, 2019 2:49 am
discoDSP wrote: Sun Oct 20, 2019 2:04 am Does notarization apply to a .app contained on a .pkg?
Yep. From my previous post:
The notary service generates a ticket for the top-level file that you specify, as well as each nested file. For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle.
  • Your app must be code signed with the Hardened Runtime enabled; it worked for me signing from the command line:

    codesign --deep --force --options runtime --sign "Developer ID Application: Your Name" "Application.app"
  • ZIP and submit it for notarization (following steps NOT required if you are going to submit a PKG):

    xcrun altool --notarize-app -f "MyApp.zip" --primary-bundle-id com.yourcompany.app --username "YourAppleID" --password "YourSpecificAppPassword"
    It should take a few minutes after the following message:

    2019-09-14 12:12:51.915 altool[89636:18916252] No errors uploading 'MyApp.zip'.
    RequestUUID = A long chain with your request ID
  • You will receive an email from Apple once the process has finished, so it's time to staple the .app

    xcrun stapler staple "/Users/you/MyApp/MyApp.app"
    with a "The staple and validate action worked!" message.
  • For verification purposes you use the command

    spctl --assess --verbose "MyApp.app"
    with a message like

    /path/MyApp.app: accepted
    source=Notarized Developer ID
  • The app can be distributed now.

PKG INSTALLER NOTARIZATION

I use the app WhiteBox Packages to distribute the plugins and it works great. Make sure you set the Apple Developer certificate to your PKG:

  • Submit the signed PKG to Apple servers:

    xcrun altool --notarize-app -f "/Users/home/Desktop/Install.pkg" --primary-bundle-id com.yourapp.pkg --username "YourAppleID" --password "YourAltoolPassword"
    and after a few minutes you will receive an email notification.
  • Staple the PKG:

    xcrun stapler staple "/Users/home/Desktop/signedPKG/Install.pkg"
  • Verify everything is OK:

    spctl -a -vvv -t install "/Users/home/Desktop/Install.pkg"
    should give you a valid message

    /Users/home/Desktop/signedPKG/Install.pkg: accepted
    source=Notarized Developer ID
    origin=Developer ID Installer: Your Name (IDXXXXXX)
  • And that's all! Ready to get distributed.
Cheers,
George.

2023 Feb 22 Update: Updated notarization info check.

May 7 Update: Added quote regarding notarizing plugin files only.

Feb 27 Update: replaced plugin codesign commands with more precise naming parameters.

Feb 23 Update: --timestamp flag is now a requirement for plugin files. Apple notarization server won't validate without this: https://developer.apple.com/documentati ... es#3087733

Update: Notarization script viewtopic.php?p=7630244#p7630244

Update: WhiteBox Packages 1.2.7 got support for trusted timestamp for CMS signatures (timestamps are required to notarize a package/distribution).
Last edited by discoDSP on Wed Mar 01, 2023 1:07 am, edited 19 times in total.
Synthesizers • Samplers • Effects • Soundware
https://www.discodsp.com/
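The steps above (plugin signing with --timestamp, PKG signing, notarization, stapling and the spctl check) gathered into one POSIX shell script, as an added example that is not part of the original post and is not discoDSP's or WhiteBox Packages' own tooling. It uses notarytool, which the requirements note says replaces the deprecated altool, so the RequestUUID polling is gone. The signing identities, the keychain profile name "notary-profile" and every path are placeholders; the check that `codesign -dvv` prints a `Timestamp=` line for a signature carrying a secure timestamp is an assumption. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): plugin signing, PKG signing,
# notarization, stapling and verification in one script, using notarytool
# instead of the deprecated altool. Identities, paths and the keychain profile
# name are placeholders. Create the profile once, interactively, with:
#   xcrun notarytool store-credentials "notary-profile" \
#     --apple-id "you@example.com" --team-id "TEAMID0000"
# Set DRY_RUN=1 to print the commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"
APP_IDENTITY="${APP_IDENTITY:-Developer ID Application: Team Name (TEAMID0000)}"
PKG_IDENTITY="${PKG_IDENTITY:-Developer ID Installer: Team Name (TEAMID0000)}"
KEYCHAIN_PROFILE="${KEYCHAIN_PROFILE:-notary-profile}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Sign each plugin bundle (.component/.vst/.vst3) given as an argument.
# --timestamp is required by the notary service; --options runtime enables
# the Hardened Runtime that notarization also requires.
sign_plugins() {
  for bundle in "$@"; do
    run codesign --force --timestamp --options runtime \
      --sign "$APP_IDENTITY" "$bundle"
  done
}

# Re-sign an unsigned PKG with the Developer ID Installer identity and a
# secure timestamp (the productsign step discussed in the thread).
sign_pkg() {
  run productsign --timestamp --sign "$PKG_IDENTITY" "$1" "$2"
}

# Submit a ZIP/PKG/DMG and wait for the verdict, then staple the ticket.
# --wait replaces the RequestUUID polling that altool needed.
notarize_and_staple() {
  run xcrun notarytool submit "$1" --keychain-profile "$KEYCHAIN_PROFILE" --wait
  run xcrun stapler staple "$1"
}

# Read spctl output from stdin; succeed only if the artefact is accepted AND
# the source is the notary service, not merely a valid Developer ID signature.
spctl_output_ok() {
  accepted=0
  notarized=0
  while IFS= read -r line; do
    case "$line" in
      *": accepted")                   accepted=1 ;;
      "source=Notarized Developer ID") notarized=1 ;;
    esac
  done
  if [ "$accepted" = 1 ] && [ "$notarized" = 1 ]; then
    return 0
  fi
  return 1
}

# Read 'codesign -dvv' output from stdin; succeed if a secure timestamp is
# recorded. Assumption: codesign prints a 'Timestamp=' line in that case.
codesign_output_timestamped() {
  while IFS= read -r line; do
    case "$line" in
      Timestamp=*) return 0 ;;
    esac
  done
  return 1
}

# spctl writes its assessment to stderr, hence 2>&1.
verify_pkg() {
  spctl -a -vvv -t install "$1" 2>&1 | spctl_output_ok
}

verify_app() {
  spctl --assess --verbose "$1" 2>&1 | spctl_output_ok
}

verify_plugin_timestamp() {
  codesign -dvv "$1" 2>&1 | codesign_output_timestamped
}

# Full workflow, for example:
#   sign_plugins "/path/plugin.component" "/path/plugin.vst3"
#   verify_plugin_timestamp "/path/plugin.vst3" || echo "no secure timestamp"
#   sign_pkg "Install-unsigned.pkg" "Install.pkg"
#   notarize_and_staple "Install.pkg"
#   verify_pkg "Install.pkg" && echo "ready to distribute"
```

The spctl parser deliberately demands `source=Notarized Developer ID` rather than just `accepted`: a package that is only Developer ID signed can also be accepted on a machine where Gatekeeper has already seen it, so "accepted" alone does not prove the notarization ticket is stapled.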

xhunaudio
KVRian
1027 posts since 17 Feb, 2010

Post Sat Sep 14, 2019 8:33 am

A very big thank you for your contribution, George.

Talking just for the PLUGINS, the signing process doesn't involve Xcode, so Xcode10 is not a requirement, right?

I ask this because I'm on Xcode7 and I don't want to update / change anything (once it works... :))
bruno @ Xhun Audio || www.xhun-audio.com || Twitter || Instagram

discoDSP
KVRAF
Topic Starter
5583 posts since 18 Jul, 2002

Post Sat Sep 14, 2019 8:41 am

You’re welcome. I think so Bruno, but for notarizing DMG/PKG/app then XCode 10 command line tools or the built in tools should be used.

By the way it’s very easy to sign plugins in XCode 10 and it has a new compilation system, so I’d recommend giving at least a try ;)

xhunaudio
KVRian
1027 posts since 17 Feb, 2010

Post Sat Sep 14, 2019 10:12 am

My fear with Xcode10 is that WDL-OL doesn't like it...

...or maybe it should be better to wait until IPlug2 will be out (and production-ready). By the way thank you again !

audiothing
KVRAF
1815 posts since 13 Apr, 2011 from EU

Post Sat Sep 14, 2019 3:33 pm

discoDSP wrote: Sat Sep 14, 2019 4:26 am I use the app Packages to distribute the plugins and it works great. However right now the digitally signed builds from it are NOT compatible with Apple notarization.
What version are you using? The latest one (v1.2.6) works perfectly fine with the notarization here.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

discoDSP
KVRAF
Topic Starter
5583 posts since 18 Jul, 2002

Post Sat Sep 14, 2019 11:57 pm

audiothing wrote: Sat Sep 14, 2019 3:33 pm What version are you using? The latest one (v1.2.6) works perfectly fine with the notarization here.
The current Packages version 1.2.6 doesn't build a PKG signed with a secure timestamp. I have been in talks with the developer these days. Version 1.2.7 of Packages, which is going to be released before the end of September, should be able to do so.

At least for me, checking the stapled PKG code signed with Packages 1.2.6 resulted in a rejected file. Right now the only way to add a secure timestamp is using the productsign command line tool as described in the howto.

Cheers,
George.

audiothing
KVRAF
1815 posts since 13 Apr, 2011 from EU

Post Sun Sep 15, 2019 1:12 am

discoDSP wrote: Sat Sep 14, 2019 11:57 pm The current Packages version 1.2.6 doesn't build a PKG signed with a secure timestamp. I have been in talks with the developer these days. Version 1.2.7 of Packages, which is going to be released before the end of September, should be able to do so.

At least for me, checking the stapled PKG code signed with Packages 1.2.6 resulted in a rejected file. Right now the only way to add a secure timestamp is using the productsign command line tool as described in the howto.
I've just retested and I can notarize and staple my PKGs without issues using Packages v1.2.6 in our build script using packagesbuild.
I've verified the PKG signature before submitting it for notarization with:

pkgutil --check-signature installer.pkg
Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: XXXXX 
Then notarized/stapled and verified with:

spctl -a -vvv -t install installer.pkg
installer.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: XXXXX
If the current version of Packages doesn't add the timestamp I guess it would be a huge mess :dog:

discoDSP
KVRAF
Topic Starter
5583 posts since 18 Jul, 2002

Post Sun Sep 15, 2019 1:22 am

I'm referring to Whitebox Packages and it looks like you're pointing to packagesdev/packages which BTW added timestamp embedded in the CMS signature around 1 month ago.

I contacted the WhiteBox Packages developer and he answered 1.2.6 doesn't set a secure timestamp and will be added on 1.2.7 this September. After using productsign on the PKG I was able to notarize without issues.

OP has been clarified to avoid any confusions. Thanks for the feedback!

audiothing
KVRAF
1815 posts since 13 Apr, 2011 from EU

Post Sun Sep 15, 2019 2:10 am

discoDSP wrote: Sun Sep 15, 2019 1:22 am I'm referring to Whitebox Packages and it looks like you're pointing to packagesdev/packages which BTW added timestamp embedded in the CMS signature around 1 month ago.
I'm really confused. According to the Whitebox Packages page, that repo is the source code of Packages. I'm just using the command line to build the PKGs, and the command is packagesbuild.

From http://s.sudre.free.fr/Software/Packages/about.html
Integrating Packages into an automated production workflow is easy with the packagesbuild command line tool. Once you have created your Packages project, the packagesbuild tool will let you build it from the Terminal, a shell script or an Xcode Run Script Build phase.
So, I've tested again, removing and adding the certificate (Project > Set certificate), building from the GUI this time (no command line, no build script, everything manually), notarized and stapled with no issues. :shrug: I hope I'm not doing anything wrong...

discoDSP
KVRAF
Topic Starter
5583 posts since 18 Jul, 2002

Post Sun Sep 15, 2019 2:17 am

It doesn't work here when building from GUI and CMS signature not supported by app is confirmed by the dev himself, so no idea what's going on :shrug: From what I understand the command line tool correctly CMS signs the PKG.

daniel_noiseash
KVRer
16 posts since 13 Feb, 2017

Post Thu Sep 19, 2019 5:34 am

Hi, thank you so much for this nice tutorial!
  • What will happen for updates? If we notarized an installer with a Bundle Identifier and an altool password, when we want to update it, do we have to upload and notarize the new version again? With the same Bundle Identifier and specific altool password?
  • Does this specific altool password have to be individual for different software installers?
  • I use Whitebox Packages 1.2.6 too. When I staple the PKG, nothing happens. But when I check it, it seems to be OK.
Best Regards...

discoDSP
KVRAF
Topic Starter
5583 posts since 18 Jul, 2002

Post Thu Sep 19, 2019 10:39 pm

daniel_noiseash wrote: Thu Sep 19, 2019 5:34 am Hi, thank you so much for this nice tutorial!
  • What will happen for updates? If we notarized an installer with a Bundle Identifier and an altool password, when we want to update it, do we have to upload and notarize the new version again? With the same Bundle Identifier and specific altool password?
I think any files should be notarized.
  • Does this specific altool password have to be individual for different software installers?
Nope.
  • I use Whitebox Packages 1.2.6 too. When I staple the PKG, nothing happens. But when I check it, it seems to be OK.
Yeah, the same happened here, and after deeper investigation notarization wasn't OK. What I did is detailed in the OP. 1.2.7 will add the CMS timestamp, which is not supported right now (not by the command line tool either, from what was reported, though).

daniel_noiseash
KVRer
16 posts since 13 Feb, 2017

Post Thu Sep 19, 2019 10:57 pm

Ok thanks! I should better wait for the 1.2.7 release.

daniel_noiseash
KVRer
16 posts since 13 Feb, 2017

Post Fri Sep 20, 2019 8:22 am

Today I rebuilt the Packages installer. Signed, notarized and retried the timestamp. This time I saw a success message in Terminal after the timestamp attempt (yesterday there was no message after the timestamp attempt).

I think this issue can be Apple's notarization system. Yesterday it didn't work, but today it is OK. I am using Packages 1.2.6.

Weird!

BlueprintInc
KVRist
135 posts since 9 Apr, 2017

Post Fri Sep 20, 2019 8:37 am

So I may need to upload a multiple gigabyte big app everytime to notarize it? That's really hilarious :D
