Notarisation help please!

Lindon

Go look for the notarization thread on kvraudio in the dsp Development topic...

Just a moment...

(www.kvraudio.com)

There are 28 pages,I suggest you read all of them

JamesC

Hello all again...

Again thanks for the advice using that and a few other bits I was able to start getting a handle on things and I think I've identified an issue.

So I sign the plugins first:

codesign --force --deep --options runtime --timestamp \
  --sign "Developer ID Application: ID REMOVED FOR POST" \
  "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3"

codesign --force --deep --options runtime --timestamp \
  --sign "Developer ID Application: ID REMOVED FOR POST" \
  "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/Components/OBSCURA.component"

Then I went to verify it was completed:

codesign -dv --verbose=4 "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3"
spctl --assess --verbose=4 "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3"

codesign -dv --verbose=4 "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/Components/OBSCURA.component"
spctl --assess --verbose=4 "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/Components/OBSCURA.component"

Now what I get back is my first question AI says this is normal as its not been notorized yet and will be in the pkg when we get to that bit, question though is whats below an actual issue?

/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3: rejected source=Unnotarized Developer ID

SO assuming what the AI said was correct i move on to building the package in whitebox packages, I can't set the certificate in whitebox itself as the build always fails so built without the certificate then move onto signing the pkg:

productsign \
  --sign "Developer ID Installer: ID REMOVED FOR POST" \
  "/Users/jamescox/Documents/Obscura_Installer_1.0.0/build/Obscura_Installer_1.0.1.pkg" \
  "/Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.1.pkg"

This comes back:

Warning: unable to build chain to self-signed root for signer "Developer ID Installer: ID REMOVED FOR POST"
productsign: signing product with identity "Developer ID Installer: ID REMOVED FOR POST" from keychain /Users/jamescox/Library/Keychains/login.keychain-db

Again AI says this isn't an issue (is it?) then go to verify the signing:

~ % pkgutil --check-signature "/Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.0.pkg" Package "Obscura_Installer_1.0.0.pkg": Status: signed by a certificate that has since expired Signed with a trusted timestamp on: 2025-09-15 20:11:56 +0000 Certificate Chain: 1. Developer ID Installer: ID REMOVED FOR POST Expires: 2030-09-11 04:17:53 +0000 SHA256 Fingerprint: REMOVED FROM POST

Again AI says this isn't an issue as the certificate is still valid even though its expired so I go to notorize:

crun notarytool submit "/Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.1.pkg" --keychain-profile "notary-profile" --wait

Which brings back:

Submission ID received
id: REMOVED FROM POST
Upload progress: 100.00% (43.7 MB of 43.7 MB)
Successfully uploaded file
id: REMOVED FROM POST
path: /Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.1.pkg
Waiting for processing to complete.
Current status: Invalid...........
Processing complete
id: REMOVED FROM POST
status: Invalid

So it fails so I run the log to see what the exact issue is which returns this:

{
"logFormatVersion": 1,
"jobId": "3b6f5430-86d4-40ba-8c10-e0b7fcab6dc1",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "Obscura_Installer_1.0.1.pkg",
"uploadDate": "2025-09-16T06:10:38.211Z",
"sha256": "e7e6f2d38e067189c3a72473084a0c7e133548531c0a855a8bb87461fa07685a",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "Obscura_Installer_1.0.1.pkg",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": null

So there the issue is the binary is not signed so whats the pitfall I'm missing here? I'm assuming its to do with the expired timestamp and not valid certificate even though when checking the certificates they are all valid etc.

Any further help would be greatly appreciated.

DanH

@JamesC quite a lot going on here! But I'd say your binaries aren't getting codesigned properly.

However you notarisation command looks very different to mine:

xcrun notarytool submit --apple-id "me@mail.com" --password "xxxx-xxxx-xxxx-xxxx" --team-id "XXXXXXXXXX" "/Users/SignedPlugins/MYNEW.pkg" --wait

You could try running the codesiging command without all the deep force stuff that's normally required for apps:

codesign -s "Developer ID Application: YOUR NAME (XYZXYZXYZX)" "/Users/PLUGINFOLDER/PLUGIN.vst3" --timestamp

Lindon

@JamesC said in Notarisation help please!:

/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3: rejected source=Unnotarized Developer ID

your plugin is not being code signed...

/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3: rejected source=Unnotarized Developer ID

its failing....with an invalid Developer ID...

are you the one removing the Developer ID from this?

codesign --force --deep --options runtime --timestamp \
  --sign "Developer ID Application: ID REMOVED FOR POST" \
  "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3"

if so tell us what the format is of your Developer ID, if its not you then you have to put your Developer ID here...

JamesC

@DanH @Lindon

Thanks guys yes I just removed it from posting so I had removed it Was doing:

Team Name (Team ID)

Please Don't tell me its something as simple as not having the brackets?

Lindon

@JamesC ..I dont think you should eb using the Team Name/ID ...

d.healey

@JamesC I have a video on my Patreon page showing a script that will automate the codesigning and notarization process - https://www.patreon.com/posts/osx-codesign-and-65785381

However, don't use the script until you can do it manually, but the script itself provides the step by step process.

JamesC

This post is deleted!

DanH

@JamesC So the first thing to do is remove your credentials from the post above. We don't need to see them and you should never be sharing this information.

I'll take a look properly later

JamesC

@DanH

JamesC
about an hour ago

@Lindon @DanH @d-healey

Again guys thanks for your time I'm sorry I'm giving you lots to read but I really do appreciate it, I went and checked what I've been using against that script David and made some minor adjustments I've left all info in so you can see at this time:

codesign -s "Developer ID Application: Team Name (Number)" "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3" --timestamp

codesign -s "Developer ID Application: Team Name (Number)" "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/Components/OBSCURA.component" --timestamp
So then went and created my package in white box and the build succeeds and works as expected. So I then checked the productsign code for the package:

productsign --sign "Developer ID Installer: Team Name (Number)"
"/Users/jamescox/Documents/Obscura_Installer_1.0.0/build/Obscura_Installer_1.0.3.pkg"
"/Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.3.pkg"
Terminal then gives me this:

productsign: using timestamp authority for signature
Warning: unable to build chain to self-signed root for signer "Developer ID Installer: Team Name (Number)"
productsign: signing product with identity "Developer ID Installer: Team Name (Number)" from keychain /Users/jamescox/Library/Keychains/login.keychain-db
productsign: Wrote signed product archive to /Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.3.pkg

So I get a warning here. First question then becomes is this the first issue?

When I go to notorise using the code form David's script again it says Invalid. Again runing the log i get:

"message": "The binary is not signed with a valid Developer ID certificate.",

But in the keychain it says valid etc so I'm really confused now

ustk

@JamesC I extracted this from my script that is working fine:
(note that the pkg signature certificate is directly embedded in WhiteBox Packages, so no extra steps for me...)

SIGN_ID="Developer ID Application: Team (NUMBER)"
APPLE_ID="your@email.com"
PASSWORD="your-pass-word"
TEAM_ID="NUMBER"

# codesign
codesign --deep --force --timestamp --options runtime --sign "$SIGN_ID" "$VST3_PATH" --verbose

# verify
codesign -dv --verbose=4 "$VST3_PATH"


# notarization
xcrun notarytool submit --apple-id "$APPLE_ID" --password "$PASSWORD" --team-id "$TEAM_ID" "$PACKAGE_OUTPUT_PATH" --wait

pkgutil --check-signature "$PACKAGE_OUTPUT_PATH"

xcrun stapler staple "$PACKAGE_OUTPUT_PATH"

DanH

@JamesC said in Notarisation help please!:

But in the keychain it says valid etc so I'm really confused now

it could be the certificate. I had similar issues in that everything looked fine but it wouldn't codesign. After going back and forth with ChatGBT for a while, reinstalling the certificates again and again it eventually worked.

Can you show us an image of your keychain (with the id numbers blurred out?)

for example, I have my two certs installed on Login, with an imported private key (from my older computer), but if you installed direct from your apple devaccount it will say something like Mac Developer ID Installer / Application. The private key is important, for some reason it took me a few goes to get it installed properly....

Lindon

@JamesC right here's what my command line code signing string looks like...

codesign --deep --force --options runtime --sign "Developer ID Application: Lindon Mulcahy-Parker (9999AA9AAA)" "/Users/lindonparker/Desktop/Horizen.component"

that 9999AA9AAA. is my Team ID (so yeah I was wrong you should def. be using that....) and Lindon Mulcahy-Parker is my developer account name, so make sure your details are correct:

• go to the developer.apple.com web site and check your details...

When you have the correct details enter the command on a command line and make sure it works...

if it doesnt and you continue to get the sort of errors listed above then I suspect your developer certificates are not installed correctly. Check they are installed correctly in Keychain Access - you should see them(at least one) in your Certificates/System tab in Key Chain Access - they should be annotated as This certificate is valid and show your developer account id and your team ID

JamesC

Thanks all for this helpful info hopefully can make some prgoress! @DanH the more and more I'm digging in with this the mroe it seems like it is a certification issue:

UPDATE

So I went into this one that has the blue check and I said don't trust, went red, then always trust, went blue, the system defaults and its gone to green and is now trusted so I'm hoping that thats the missing piece of the puzzle will update once the mini ones have been put to bed!

JamesC

It was that certificate that needed the permission change that was the block.

Honestly thank you so much to all of youf or your help I'm going to put together a post later this week step by step on what I had to do to get it working just incase anyone does face the same issues and at least then it summarised in one central location

Lindon

@JamesC ok well note the thread as a question, and then note it as Solved. So when people are looking they see the answer is in here...