
    Notarisation help please!

    • d.healeyD
      d.healey @JamesC
      last edited by

      @JamesC I have a video on my Patreon page showing a script that will automate the codesigning and notarization process - https://www.patreon.com/posts/osx-codesign-and-65785381

      However, don't use the script until you can do it manually, but the script itself provides the step by step process.

      Libre Wave - Freedom respecting instruments and effects
      My Patreon - HISE tutorials
      YouTube Channel - Public HISE tutorials

      1 Reply Last reply Reply Quote 0
      • J
        JamesC @Lindon
        last edited by

        This post is deleted!
        DanHD 1 Reply Last reply Reply Quote 0
        • DanHD
          DanH @JamesC
          last edited by

          @JamesC So the first thing to do is remove your credentials from the post above. We don't need to see them and you should never be sharing this information.

          I'll take a look properly later

          DHPlugins / DC Breaks | Artist / Producer / DJ / Developer
          https://dhplugins.com/ | https://dcbreaks.com/
          London, UK

          J 1 Reply Last reply Reply Quote 0
          • J
            JamesC @DanH
            last edited by

            @DanH

            JamesC
            about an hour ago

            @Lindon @DanH @d-healey

            Again guys, thanks for your time. I'm sorry I'm giving you lots to read but I really do appreciate it. I went and checked what I've been using against that script, David, and made some minor adjustments. I've left all info in so you can see at this time:

            codesign -s "Developer ID Application: Team Name (Number)" "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3" --timestamp

            codesign -s "Developer ID Application: Team Name (Number)" "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/Components/OBSCURA.component" --timestamp

            So I then went and created my package in WhiteBox and the build succeeds and works as expected. So I then checked the productsign code for the package:

            productsign --sign "Developer ID Installer: Team Name (Number)" \
              "/Users/jamescox/Documents/Obscura_Installer_1.0.0/build/Obscura_Installer_1.0.3.pkg" \
              "/Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.3.pkg"

            Terminal then gives me this:

            productsign: using timestamp authority for signature
            Warning: unable to build chain to self-signed root for signer "Developer ID Installer: Team Name (Number)"
            productsign: signing product with identity "Developer ID Installer: Team Name (Number)" from keychain /Users/jamescox/Library/Keychains/login.keychain-db
            productsign: Wrote signed product archive to /Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.3.pkg

            So I get a warning here. First question then becomes is this the first issue?

            When I go to notarise using the code from David's script, again it says Invalid. Again, running the log I get:

            "message": "The binary is not signed with a valid Developer ID certificate.",

            But in the keychain it says valid etc so I'm really confused now

            ustkU DanHD LindonL 3 Replies Last reply Reply Quote 0
            • ustkU
              ustk @JamesC
              last edited by ustk

              @JamesC I extracted this from my script that is working fine:
              (note that the pkg signature certificate is directly embedded in WhiteBox Packages, so no extra steps for me...)

              SIGN_ID="Developer ID Application: Team (NUMBER)"
              APPLE_ID="your@email.com"
              PASSWORD="your-pass-word"
              TEAM_ID="NUMBER"
              
              # codesign
              codesign --deep --force --timestamp --options runtime --sign "$SIGN_ID" "$VST3_PATH" --verbose
              
              # verify
              codesign -dv --verbose=4 "$VST3_PATH"
              
              
              # notarization
              xcrun notarytool submit --apple-id "$APPLE_ID" --password "$PASSWORD" --team-id "$TEAM_ID" "$PACKAGE_OUTPUT_PATH" --wait
              
              pkgutil --check-signature "$PACKAGE_OUTPUT_PATH"
              
              xcrun stapler staple "$PACKAGE_OUTPUT_PATH"
              

              Hise made me an F5 dude, browser just suffers...

              1 Reply Last reply Reply Quote 0
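
A pre-flight check for the verify step in the script above, as an added example that is not part of ustk's post or of any script in this thread: it reads `codesign -dvv` output and flags what notarization rejects (no Developer ID Application leaf, listed chain not reaching Apple Root CA, no secure timestamp, hardened runtime off, no Team ID). The function name and the three sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `codesign -dvv` output on stdin,
# prints one FAIL line per problem, returns the number of problems (0 = ready).
check_codesign_report() {
    report=$(cat)
    problems=0
    has()  { printf '%s\n' "$report" | grep -Eq "$1"; }
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    has '^Authority=Developer ID Application: ' ||
        fail "leaf certificate is not Developer ID Application"
    has '^Authority=Apple Root CA$' ||
        fail "listed chain does not reach Apple Root CA"
    has '^Timestamp=' ||
        fail "no secure timestamp (sign with --timestamp)"
    has '^CodeDirectory .*flags=0x[0-9a-f]+\([^)]*runtime' ||
        fail "hardened runtime is off (sign with --options runtime)"
    has '^TeamIdentifier=[A-Z0-9]+$' ||
        fail "TeamIdentifier is not set"
    return "$problems"
}

# Constructed sample: signed with --timestamp --options runtime.
GOOD_REPORT='Identifier=com.example.plugin
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Team Name (AAAAAAAAAA)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=16 Sep 2025 at 18:00:00
TeamIdentifier=AAAAAAAAAA'

# Constructed sample: same signature but made without --options runtime.
NO_RUNTIME_REPORT=$(printf '%s\n' "$GOOD_REPORT" |
    sed 's/flags=0x10000(runtime)/flags=0x0(none)/')

# Constructed sample: ad hoc signature, no certificate at all.
ADHOC_REPORT='Identifier=com.example.plugin
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
TeamIdentifier=not set'

for r in "$GOOD_REPORT" "$NO_RUNTIME_REPORT" "$ADHOC_REPORT"; do
    printf '%s\n' "$r" | check_codesign_report || echo "-> $? problem(s)"
done
```

On a Mac, feed it the real report with `codesign -dvv "$VST3_PATH" 2>&1 | check_codesign_report`; the `2>&1` is needed because codesign writes this report to stderr.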
              • DanHD
                DanH @JamesC
                last edited by DanH

                @JamesC said in Notarisation help please!:

                But in the keychain it says valid etc so I'm really confused now

                It could be the certificate. I had similar issues in that everything looked fine but it wouldn't codesign. After going back and forth with ChatGPT for a while, reinstalling the certificates again and again, it eventually worked.

                Can you show us an image of your keychain (with the id numbers blurred out?)

                For example, I have my two certs installed on Login, with an imported private key (from my older computer), but if you installed direct from your Apple dev account it will say something like Mac Developer ID Installer / Application. The private key is important; for some reason it took me a few goes to get it installed properly....

                Screenshot 2025-09-16 at 18.54.53.png

                DHPlugins / DC Breaks | Artist / Producer / DJ / Developer
                https://dhplugins.com/ | https://dcbreaks.com/
                London, UK

                1 Reply Last reply Reply Quote 0
                • LindonL
                  Lindon @JamesC
                  last edited by

                  @JamesC right here's what my command line code signing string looks like...

                  codesign --deep --force --options runtime --sign "Developer ID Application: Lindon Mulcahy-Parker (9999AA9AAA)" "/Users/lindonparker/Desktop/Horizen.component"
                  

                  That 9999AA9AAA is my Team ID (so yeah, I was wrong, you should def. be using that....) and Lindon Mulcahy-Parker is my developer account name, so make sure your details are correct:

                  • go to the developer.apple.com web site and check your details...

                  When you have the correct details enter the command on a command line and make sure it works...

                  If it doesn't and you continue to get the sort of errors listed above then I suspect your developer certificates are not installed correctly. Check they are installed correctly in Keychain Access - you should see them (at least one) in your Certificates/System tab in Keychain Access - they should be annotated as This certificate is valid and show your developer account id and your team ID

                  HISE Development for hire.
                  www.channelrobot.com

                  1 Reply Last reply Reply Quote 0
                  • J
                    JamesC
                    last edited by JamesC

                    Thanks all for this helpful info, hopefully I can make some progress! @DanH the more and more I'm digging in with this, the more it seems like it is a certification issue:

                    Screenshot 2025-09-16 at 19.52.16.png

                    UPDATE

                    So I went into this one that has the blue check and I said don't trust, went red, then always trust, went blue, the system defaults and it's gone to green and is now trusted, so I'm hoping that that's the missing piece of the puzzle. Will update once the mini ones have been put to bed!

                    J 1 Reply Last reply Reply Quote 0
                    • J
                      JamesC @JamesC
                      last edited by

                      It was that certificate that needed the permission change that was the block.

                      Honestly, thank you so much to all of you for your help. I'm going to put together a post later this week, step by step, on what I had to do to get it working, just in case anyone does face the same issues, and at least then it's summarised in one central location.

                      LindonL 1 Reply Last reply Reply Quote 3
                      • LindonL
                        Lindon @JamesC
                        last edited by

                        @JamesC ok well note the thread as a question, and then note it as Solved. So when people are looking they see the answer is in here...

                        HISE Development for hire.
                        www.channelrobot.com

                        1 Reply Last reply Reply Quote 0