Feb 27 Update: replaced plugin codesign commands with more precise naming parameters.
Feb 23 Update: --timestamp flag is now a requirement for plugin files. Apple notarization server won't validate without this: https://developer.apple.com/documentati ... es#3087733
Update: Notarization script viewtopic.php?p=7630244#p7630244
Update: WhiteBox Packages 1.2.7 got support for trusted timestamp for CMS signatures (timestamps are required to notarize a package/distribution).
After managing to get everything sorted out regarding notarization, I decided to publish a howto to make other developers' lives easier when complying with the latest macOS requirements.
Requirements:
- Apple Developer ID ($99/year).
- Xcode 10.
- Internet access.
- An app-specific password for altool (created in your Apple ID account settings).
audiothing wrote (Thu May 07, 2020 4:12 am): Notarization is indeed needed for plugins, but if you are distributing through a PKG or DMG (which contains a PKG), you can just notarize the PKG or the DMG, and everything inside will be notarized.
If you are distributing your plugins with a simple ZIP file, you still need to notarize that (you are actually notarizing the content of the ZIP). The problem here is that you can't staple a ZIP file (as far as I remember). But it worked when I tested it.
That said, distributing with a PKG is the way to go, it's easier for the user, and you can automate the whole process (PKG creation, signing, notarization + stapling) with just a small bash script.
PLUGIN FILES
Signing via the terminal is simple. The signing identity is your name and surname followed by your Team ID (something like 87UBP9ZN95) in parentheses, and --timestamp is required so the signature carries a trusted timestamp:
codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.component" --timestamp
codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.vst" --timestamp
codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.vst3" --timestamp
e-phonic wrote (Sat Oct 19, 2019 11:16 am):
- If you are using an installer, use the method as described below.
- If you are distributing a .vst / .component without an installer, notarize the plugin.
You can do this by creating a zip file containing the plugin.
Then run:
xcrun altool --notarize-app --primary-bundle-id "com.company.vst.plugin" --username "USERNAME" --password "PASSWORD" --asc-provider "SHORT_PROVIDER_NAME" --file plugin.zip
You will receive the RequestUUID if all goes well.
To check the status of the RequestUUID:
xcrun altool --notarization-history 0 -u "USERNAME" -p "PASSWORD"
PJ
APP NOTARIZATION
Update:
audiothing wrote (Sun Oct 20, 2019 2:49 am): Yep. From my previous post: "The notary service generates a ticket for the top-level file that you specify, as well as each nested file. For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle."
- Your app must be code signed with the Hardened Runtime enabled; signing from the command line worked for me (--timestamp added here because, as noted in the Feb 23 update, the notary service requires a trusted timestamp):
codesign --deep --force --options runtime --timestamp --sign "Developer ID Application: Your Name" "Application.app"
- ZIP the app and submit it for notarization (the following steps are NOT required if you are going to submit a PKG instead, since the PKG's contents get notarized with it):
xcrun altool --notarize-app -f "MyApp.zip" --primary-bundle-id com.yourcompany.app --username "YourAppleID" --password "YourSpecificAppPassword"
Processing should take a few minutes after you see the following message:
2019-09-14 12:12:51.915 altool[89636:18916252] No errors uploading 'MyApp.zip'. RequestUUID = A long chain with your request ID
- You will receive an email from Apple once the process has finished; then it is time to staple the ticket to the .app. On success the command prints "The staple and validate action worked!":
xcrun stapler staple "/Users/you/MyApp/MyApp.app"
- To verify the result, run the following command; it should report the app as accepted:
spctl --assess --verbose "MyApp.app"
/path/MyApp.app: accepted source=Notarized Developer ID
- The app can be distributed now.
PKG INSTALLER NOTARIZATION
I use the app WhiteBox Packages to distribute the plugins and it works great. Make sure you select your Developer ID Installer certificate for the PKG so the package itself is signed:
- Submit the signed PKG to Apple's servers; after a few minutes you will receive an email notification:
xcrun altool --notarize-app -f "/Users/home/Desktop/Install.pkg" --primary-bundle-id com.yourapp.pkg --username "YourAppleID" --password "YourAltoolPassword"
- Staple the notarization ticket to the PKG:
xcrun stapler staple "/Users/home/Desktop/signedPKG/Install.pkg"
- Verify everything is OK; the assessment should report the package as accepted and notarized:
spctl -a -vvv -t install "/Users/home/Desktop/Install.pkg"
/Users/home/Desktop/signedPKG/Install.pkg: accepted source=Notarized Developer ID origin=Developer ID Installer: Your Name (IDXXXXXX)
- And that's all! Ready to get distributed.
George.
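As an added example (not George's notarization script and not part of the original post), the bash automation audiothing mentions above, covering the whole PKG flow from this howto: timestamped plugin signing, altool submission, polling the notarization history for the RequestUUID, stapling and the final spctl check. The credential environment variables and the assumed line format of the --notarization-history output are assumptions, not something the post specifies.

```shell
#!/bin/bash
# Added example, not George's script: automates the PKG flow from the post.
# Assumes TEAM_NAME, TEAM_ID, APPLE_ID and ALTOOL_PASSWORD are set in the
# environment, and that --notarization-history prints one line per request
# containing its RequestUUID and status word (adjust the pattern if not).
set -euo pipefail
IDENTITY="Developer ID Application: ${TEAM_NAME:-Team Name} (${TEAM_ID:-TEAMID})"
# Sign each plugin bundle with a trusted timestamp (the notary service needs it).
sign_plugins() {
  for bundle in "$@"; do
    codesign -s "$IDENTITY" --timestamp "$bundle"
  done
}

# Pull the RequestUUID out of altool's upload output (sample line in the post).
extract_request_uuid() {
  sed -n 's/.*RequestUUID = \([0-9A-Fa-f-]\{36\}\).*/\1/p' | head -n 1
}

# Read --notarization-history on stdin and report the status of one request:
# "success", "invalid", "in progress", or "unknown" if the UUID is not listed.
history_status() {
  local line
  line=$(grep -F "$1" || true)
  case "$line" in
    *success*)       echo success ;;
    *invalid*)       echo invalid ;;
    *"in progress"*) echo "in progress" ;;
    *)               echo unknown ;;
  esac
}

# Submit the signed PKG, poll until Apple reaches a verdict, then staple and verify.
notarize_pkg() {
  local pkg="$1" bundle_id="$2" uuid status
  uuid=$(xcrun altool --notarize-app -f "$pkg" --primary-bundle-id "$bundle_id" \
         --username "$APPLE_ID" --password "$ALTOOL_PASSWORD" 2>&1 | extract_request_uuid)
  [ -n "$uuid" ] || { echo "upload failed: no RequestUUID returned" >&2; return 1; }
  while :; do
    status=$(xcrun altool --notarization-history 0 -u "$APPLE_ID" -p "$ALTOOL_PASSWORD" 2>&1 \
             | history_status "$uuid")
    case "$status" in
      success) break ;;
      invalid) echo "Apple rejected $uuid; check the notarization log" >&2; return 1 ;;
      *)       sleep 60 ;;   # "in progress" or not listed yet: wait and poll again
    esac
  done
  xcrun stapler staple "$pkg"
  spctl -a -vvv -t install "$pkg"   # expect "accepted source=Notarized Developer ID"
}
```

Typical use is `sign_plugins "/path/plugin.component" "/path/plugin.vst3"` before building the PKG in Packages, then `notarize_pkg "/path/Install.pkg" com.yourapp.pkg` once the signed PKG exists.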