Notarisation for dummies

d.healey

@Lindon Seems like we're good to just notarize the pkg

Does notarization apply to a .app contained on a .pkg?

Yep. From my previous post:
The notary service generates a ticket for the top-level file that you specify, as well as each nested file. For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle.

Your app must get code signed and get Hardened Runtime enabled,

My exporter tool handles this.

adriano

@d-healey I don't understand everything in the language of a programmer like you. gatekeeper I don't even know what it is. I distributed a dixiane of plugin to friends under catalina, mainly producers. I created one. pkg with the mac package application, then creates a distribution package. I just told the package to put the .vst and .au plugins in audio / plugin .... and that's it .. no problem whatsoever at the package or vst level. To be sure, I asked my friends if they had any errors and no one reported any problem to me. I did not do any right click manipulation etc ... just we open the pkg and everything works fine. After that maybe to distribute a plugin via the apple store it is necessary but for me, at this moment, everything is fine. I compile under x code latest version, project latest version and catalina latest version

Christoph Hart

Alrighty, then enjoy the freedom from notarization as long as you can :)

d.healey

@adriano said in Notarisation for dummies:

gatekeeper I don't even know what it is.

Gatekeeper is the Mac "security" thing that pops up and tells you which apps it thinks are dangerous and it will try to stop you running them.

adriano

@d-healey ball kick to gatekeep

SampleScience

@adriano Do you distribute your plugins to your friends online or by using USB keys? Because if it's by using USB keys, you won't have any problems, it's when it's downloaded via the web that the Gatekeeper will interfere with the app/plugin.

adriano

@SampleScience from "WE transfert" or gmail directly.

yall

@Lindon said in Notarisation for dummies:

username

@Lindon

hi, i just got to code my vst.component and the PKG. the coding went well.
(I could not verify if the code was successful with the command.>.

codesign -vvv /Users/macmini/Desktop/notarizationplugin/myvst.component. )

i had again entered the command line to sign, the terminal told me that the vst was already signed. so ok.
i'm notarizing pkg now, i handwrite in terminal but get this error. >.
unable to find utility "altool", not a developer tool or in PATH. <

and I am a little stuck.
I have created my altool password, correctly entered my email address in username. do you have any idea of ​​the problem?
thank you ;)

yall

@Lindon the problem may be with x code 8.3 instead of a newer version?

d.healey

Official docs say you need xcode 10 or later.

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow

yall

@d-healey @Lindon i just installed xcode 10. i received an email from apple saying that the notarization was not accepted. but I think I know why, the signature of the plugin, in the end, is not good. however when I do it nothing happens on the terminal. basically I can't sign. however on a previous manipulation, he told me that the plugin was already signed but probably not correctly. a little help would be welcome ^^

d.healey

@yall Did you sign the pkg?

yall

@d-healey I started again from the beginning so the first step would be to sign the plugin or code it, is that right? with this line>
codesign -s "Developer application ID: my name (my number id)" "/Users/Desktop/your.component" --timestamp
already for me it does not work

d.healey

@yall

Codesign the plugin
Package the plugin
Codesign the package
Notarize the package

for me it does not work

What error do you get?

yall

@d-healey no error because nothing happens that is the problem. I have checked multiple times to see if I was wrong, but I do not think so.

d.healey

@yall Post a video so we can see what you're doing and what messages you get (blur out your credentials of course).

yall

@d-healey ok I will do that tomorrow, thank you;)

yall

@d-healey @Lindon

Here are my precise steps for signing. (The notarization fails because I think my plugin is not signed correctly you will understand later)

Step 0> plugin export wise> myplugin.component
Step 1> I place the myplugin on the desktop
Step 3> I open Keychain and I create a certificate request from a competent authority. I save "CertificateSigningRequest.certSigningRequest" on my desktop.
Step 4> I log into my apple developer space and create a Developer ID Application certificate, so I import the "CertificateSigningRequest.certSigningRequest" file.
I create a certificates also a pkg distribution certificate…;
Step 5> I download the certificates and install them, I see them appear in Keychain

Step 6> I want to sign my myplugin.component so I proceed this way from the terminal>
Step 6.1 codesign -s "Developer ID Application: myname (mycode)" "/Users/macmini/Desktop/myplugin.component" --timestamp

          > here nothing is happening in particular so I decide to check to start step 6.1 again. the terminal tells me that the myplugin.component. is already signed

Step7> I really want to be sure that myplugin.component is signed so this time, from the terminal, I enter this formula>
codesign -vvv /Users/macmini/Desktop/myplugin.component
I get this>. /Users/macmini/Desktop/myplugin.component: valid on disk
/Users/macmini/Desktop/myplugin.component: does not satisfy its designated Requirement

            This sentence "does not satisfy its designated Requirement" appeals to me but I try anyway (you never know ^^)

Step 8> I create a raw PKG or I integrate myplugin.component and then I transform it into a distribution. I affix the certificate from the "project" tab.
Step 9> I therefore want to sign my PKG and for that I use the following formula from the terminal>
codesign -s "Developer ID Application: myname (mycode)" "/Users/macmini/Desktop/myplugin.pkg" --timestamp

Step 10: I check by entering the same command again. The terminal tells me myplugin.pkg is already signed (same step as 6.1)

       Again I really want to be sure so I enter this command>
           codesign -vvv /Users/macmini/Desktop/myplugin.pkg
          I get exactly the same as in step 7. "valid on disk" and "does not meet its designated requirement"

Step 11> I'm trying to be a notarize but I already know the result…. I am using this command

    xcrun altool --notarize-app -f "/Users/macmini/Desktop/myplugin.pkg" --primary-bundle-id en.myname.pkg.myplugin --username "my email address" --password "my password altool pass "

Step 12> I drink a coffee
Step 13> I wash my cup of coffee!
Step 14> I receive an email from apple (I'm happy, I have friends ^^). In this mail I get this> the Mac software you downloaded has not been notarized, please check the notarization log with Xcode or altool, fix the issues it presents and download your software again.

I think concretely that the problem comes from the signature of the component and the pkg.

I could not make videos my mac paddles too much

My Mac config> High Sierra 10.13.6. and x code 10.1

Lindon

steps 3,4 and 5 are pretty redundant I think - I never do these.

yall

@Lindon Are there any steps that I missed or did I get the wrong certificates? there is nothing to modify in the certificates? I'm almost there, I'm only missing this phase ^^