Requirements:
- Apple Developer ID ($99/year).
- Xcode 10.
- Internet access.
- Create a specific altool password.
We have an important update to share with you regarding Apple's command-line utility tool, altool. Apple has announced that altool will be deprecated and no longer supported after Fall 2023. This means that if you are currently using altool for notarizing your Apple software, you will need to switch to the new notarytool before the deprecation deadline to ensure your software continues to function properly.
To learn more about the new notarytool and how to use it for notarizing your software, please visit https://scriptingosx.com/2021/07/notari ... otarytool/. This website provides detailed information on how to use the new tool and what changes to expect.
We urge you to take note of this important change and to begin preparing for the transition to the new notarytool. This post will be updated once the date gets closer.
audiothing wrote: ↑Thu May 07, 2020 4:12 am
Notarization is indeed needed for plugins, but if you are distributing through a PKG or DMG (which contains a PKG), you can just notarize the PKG or the DMG, and everything inside will be notarized.
If you are distributing your plugins with a simple ZIP file, you still need to notarize that (you are actually notarizing the content of the ZIP). The problem here is that you can't staple a ZIP file (as far as I remember). But it worked when I tested it.
That said, distributing with a PKG is the way to go, it's easier for the user, and you can automate the whole process (PKG creation, signing, notarization + stapling) with just a small bash script.
PLUGIN FILES
Signing via terminal is simple. Team name should be your Name and Surname followed by Team ID number like 87UBP9ZN95 in parentheses:
codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.component" --timestamp
codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.vst" --timestamp
codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.vst3" --timestamp
Alternatively, you can use the script from viewtopic.php?p=8622323#p8622323
e-phonic wrote: ↑Sat Oct 19, 2019 11:16 am
- If you are using an installer, use the method as described below.
- If you are distributing a .vst / .component without installer, notarize the plugin.
You can do this by creating a zip file containing the plugin.
Then run:
xcrun altool --notarize-app --primary-bundle-id "com.company.vst.plugin" --username "USERNAME" --password "PASSWORD" --asc-provider "SHORT_PROVIDER_NAME" --file plugin.zip
You will receive the RequestUUID if all goes well.
To check the status of the RequestUUID:
xcrun altool --notarization-info RequestUUID -u "USERNAME" -p "PASSWORD"
APP NOTARIZATION
Update:
audiothing wrote: ↑Sun Oct 20, 2019 2:49 am
Yep. From my previous post:
The notary service generates a ticket for the top-level file that you specify, as well as each nested file. For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle.
- Your app must get code signed and get Hardened Runtime enabled, it worked for me signing from command line:
codesign --deep --force --options runtime --sign "Developer ID Application: Your Name" "Application.app"
- ZIP and submit it for notarization (following steps NOT required if you are going to submit a PKG):
xcrun altool --notarize-app -f "MyApp.zip" --primary-bundle-id com.yourcompany.app --username "YourAppleID" --password "YourSpecificAppPassword"
It should take a few minutes after the following message:
2019-09-14 12:12:51.915 altool[89636:18916252] No errors uploading 'MyApp.zip'. RequestUUID = A long chain with your request ID
- You will receive an email from Apple once the process has finished, so it's time to staple the .app
xcrun stapler staple "/Users/you/MyApp/MyApp.app"
with a "The staple and validate action worked!" message.
- For verification purposes you use the command
spctl --assess --verbose "MyApp.app"
with a message like
/path/MyApp.app: accepted source=Notarized Developer ID
- The app can be distributed now.
PKG INSTALLER NOTARIZATION
I use the app WhiteBox Packages to distribute the plugins and it works great. Make sure you set the Apple Developer certificate to your PKG:


- Submit the signed PKG to Apple servers:
xcrun altool --notarize-app -f "/Users/home/Desktop/Install.pkg" --primary-bundle-id com.yourapp.pkg --username "YourAppleID" --password "YourAltoolPassword"
and after a few minutes you will receive an email notification.
- Staple the PKG:
xcrun stapler staple "/Users/home/Desktop/signedPKG/Install.pkg"
- Verify everything is OK:
spctl -a -vvv -t install "/Users/home/Desktop/Install.pkg"
should give you a valid message
/Users/home/Desktop/signedPKG/Install.pkg: accepted source=Notarized Developer ID origin=Developer ID Installer: Your Name (IDXXXXXX)
- And that's all! Ready to get distributed.
George.
2023 Feb 22 Update: Updated notarization info check.
May 7 Update: Added quote regarding notarizing plugin files only.
Feb 27 Update: replaced plugin codesign commands with more precise naming parameters.
Feb 23 Update: --timestamp flag is now a requirement for plugin files. Apple notarization server won't validate without this: https://developer.apple.com/documentati ... es#3087733
Update: Notarization script viewtopic.php?p=7630244#p7630244
Update: WhiteBox Packages 1.2.7 got support for trusted timestamp for CMS signatures (timestamps are required to notarize a package/distribution).
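The PKG steps above chained into one script, as an added example that is not part of the original post or of the scripts it links to: it extracts the RequestUUID from the upload output, polls the status, staples, and accepts only a notarized assessment. The function names, the AC_USERNAME / AC_PASSWORD environment variables and the "Status:" field layout it parses are assumptions.

```shell
#!/bin/sh
# Added example. AC_USERNAME / AC_PASSWORD are assumed environment variable names.

# Print the RequestUUID found in `altool --notarize-app` output (stdin).
extract_request_uuid() {
    sed -n 's/.*RequestUUID = \([0-9A-Fa-f-]\{36\}\).*/\1/p' | head -n 1
}

# Print the "Status:" field of `altool --notarization-info` output (stdin).
# The field layout is an assumption about altool's plain-text output.
notarization_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*\)$/\1/p' | head -n 1
}

# Succeed only when spctl output (stdin) is both accepted and notarized;
# a signature that is merely "Developer ID" is not enough.
is_notarized() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q ': accepted' &&
        printf '%s\n' "$out" | grep -q 'source=Notarized Developer ID'
}

# Submit a signed PKG, poll until Apple answers, then staple and verify.
# $1 = PKG path, $2 = primary bundle id. Needs macOS with Xcode.
notarize_pkg() {
    pkg=$1; bundle_id=$2; tries=0
    # "@env:" makes altool read the app-specific password from the
    # environment, so it never appears in the process argument list.
    uuid=$(xcrun altool --notarize-app -f "$pkg" \
        --primary-bundle-id "$bundle_id" --username "$AC_USERNAME" \
        --password "@env:AC_PASSWORD" 2>&1 | extract_request_uuid)
    [ -n "$uuid" ] || { echo "upload failed: no RequestUUID" >&2; return 1; }
    while [ "$tries" -lt 40 ]; do
        status=$(xcrun altool --notarization-info "$uuid" \
            -u "$AC_USERNAME" -p "@env:AC_PASSWORD" 2>&1 | notarization_status)
        case $status in
            success) break ;;
            "in progress") tries=$((tries + 1)); sleep 30 ;;
            *) echo "notarization failed: ${status:-unknown}" >&2; return 1 ;;
        esac
    done
    [ "$status" = success ] || { echo "timed out waiting for Apple" >&2; return 1; }
    xcrun stapler staple "$pkg" || return 1
    spctl -a -vvv -t install "$pkg" 2>&1 | is_notarized
}
```

On a Mac, export AC_USERNAME and AC_PASSWORD, source the file, and call notarize_pkg with the PKG path and bundle id.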