Notarisation for dummies

trillbilly

@d-healey What do you recommend keeping download sizes too? Do you recommend keeping hr1 files the default 500mb or do you increase?

d.healey

@trillbilly 2GB max per file.

trillbilly

@orange So I have tried the notarization with my AppleID/Developer Username (my email) and with both My password and the generated App Specific Password with no luck.

I also removed the SHORT_PROVIDER_NAME as when I was reading through the thread, there was mention its unnecessary if you're only associated with one entity with Apple.

Here is the code I used and error I received.

xcrun altool --notarize-app --primary-bundle-id "com.website.plugin" --username “my email” --password “my password“ "/Users/mymac/Plugin.zip"

**** Error: Notarization failed for '(null)'.
*** Error: Unable to upload your app for notarization. --file must specify a file. (-1027)
{
NSLocalizedDescription = "Unable to upload your app for notarization.";
NSLocalizedFailureReason = "--file must specify a file.";
}
*** Error: Unable to upload your app for notarization. Failed to get authorization for username and password. (
"Error Domain=NSCocoaErrorDomain Code=0 "Status code: 0" UserInfo={NSLocalizedDescription=Status code: 0, NSLocalizedFailureReason=The auth server returned a bad status code.}"
) (-1011)
{
NSLocalizedDescription = "Unable to upload your app for notarization.";
NSLocalizedFailureReason = "Failed to get authorization for username '\U201c\U201d' and password. (\n "Error Domain=NSCocoaErrorDomain Code=0 \"Status code: 0\" UserInfo={NSLocalizedDescription=Status code: 0, NSLocalizedFailureReason=The auth server returned a bad status code.}"\n)";
}*

orange

@trillbilly I've used installers only, never used the .zip files for the plugin distribution. Are you sure about the folder path of the .zip file?

Also, I think the code you tried is for individual zip packages. For example, put a vst in a single zip file. then put .component file to another zip file... etc.

Why don't you use Packages Installer instead? It's pretty straightforward, easier, and a much professional way for the user experience.

I strongly suggest using Whitebox Packages for this purpose, after downloading and installing it (it's free), take a look at this PACKAGES TEMPLATE PROJECT that 've made earlier. It's an installer project with all of the plugin formats.

trillbilly

@orange Id like to eventually have installers but am terrified to even begin. Whitebox looks like it only does Mac Installers, yes? What about Windows?

d.healey

@trillbilly

What about Windows?

InnoSetup.

I made an app that does all this for you (including codesigning and notarizing), it's available on my Patreon page. I haven't tested it with recent versions of HISE but I think it should still work. It has a few bugs which I haven't found the time to fix yet, but will get to it eventually :)

trillbilly

@d-healey I believe I am already a member of your Patreon. I will have to look for this tool. It is for Mac & Windows?

d.healey

@trillbilly said in Notarisation for dummies:

It is for Mac & Windows?

Yes

d.healey

@trillbilly https://forum.hise.audio/topic/3085/export-tool

trillbilly

@orange You've talked me into it. Im attempting installers. I have successfully created Windows installer and Mac installer.

Notarization is another issue though. I was able to get to point of receiving email from Apple but they did not notarize the app.

Ill be continuing this quest tomorrow!

Dan Korneff

@trillbilly said in Notarisation for dummies:

they did not notarize the app

The email should contain a code that you can check for specific errors.

orange

@trillbilly The procedure in macOS is this:

1. Export plugin from HISE
2. Sign the plugin
3. Create a .pkg installer with WhiteBox Packages
4. Sign the installer
5. Notarize the installer
6. Time Stamp the installer

If you follow this procedure properly, there will be no issues. Follow the KvR thread, all of these steps are explained there, it's working.

Lindon

@orange said in Notarisation for dummies:

@trillbilly The procedure in macOS is this:

1. Export plugin from HISE
2. Sign the plugin
3. Create a .pkg installer with WhiteBox Packages
4. Sign the installer
5. Notarize the installer
6. Time Stamp the installer

If you follow this procedure properly, there will be no issues. Follow the KvR thread, all of these steps are explained there, it's working.

1. Export plugin from HISE
2. Sign the plugin
3. Create a .pkg installer with WhiteBox Packages
   3.1) attach your developer installer certificate to WBP
4. Sign the installer
5. Notarize the installer
6. Staple the installer

trillbilly

@lindon

"3.1) attach your developer installer certificate to WBP"

This is the certificate I placed in my Keychain, yes? How do you attach it to Packages?

Also, in the KVR thread they mention zipping the pkg before notarized, is this not necessary?

Lindon

@trillbilly said in Notarisation for dummies:

@lindon

"3.1) attach your developer installer certificate to WBP"

This is the certificate I placed in my Keychain, yes? How do you attach it to Packages?

Also, in the KVR thread they mention zipping the pkg before notarized, is this not necessary?

Not on the Mac at the moment but its in the user manual if you look for it:

Packages - Configuring a project

(s.sudre.free.fr)

No need to zip the pkg file,

orange

@lindon said in Notarisation for dummies:

    3.1) attach your developer installer certificate to WBP

This is the same thing with:

4. Sign the installer

While signing the installer you need to sign it with your Developer Installer Certificate.

Actually, while creating installers I don't attach my Developer Installer Certificate inside WhiteBox Packages app. After creating the installer, I am directly using the Terminal for attaching the Developer Installer Certificate. It's a choice but both ways are ok.

trillbilly

@dustbro yes, I seen this. I was just on my last nerve with apple yesterday. I was at it with installers, codesiging and attempting to notarize for almost 10 hours. I will be back to the studio in a couple hours to get back at it.

Almost there, for now....

trillbilly

@orange ok so attaching the certificate within Packages while creating the installer is essentially the same as signing the installer after the pkg has been created? Got it!

orange

@trillbilly

Ok to recap all the things, the below process is the way I use. Be careful with the spaces and other chars with these codes:

---

PLUGIN DISTRIBUTION PROCESS FOR macOS

1) Export the plugin from HISE

---

2) Sign the plugin: In the below example, my plugin folder is /Volumes/UnsignedPlugins/ For plugin signing, you need your Developer ID Application Certificate. Below code if for .vst, and similarly it will be same for vst3 and au plugins, only the file extension will be changed. So the code will be like this:

codesign --force -s "Developer ID Application: John Doe" "/Volumes/UnsignedPlugins/MyPlugin.vst"

This code is for checking the plugin signing process if it is successful or not:

pkgutil --check-signature "/Volumes/UnsignedPlugins/MyPlugin.vst"

---

3) Create a .pkg installer with WhiteBox Packages (without adding the Developer ID Installer Certificate). In this example the installer name is MyPlugin_Installer_v1.0.0.pkg

---

4) Sign the installer: My unsigned installer folder is /Volumes/UnsignedInstallers/. Put the created .pkg installer (in step 3) into this folder. Also, my signed installer folder is /Volumes/SignedInstallers/. Below code will create a new signed installer file which will be placed to signed installer folder. For the installer signing, you also need your Developer ID Installer Certificate So the code will be like this:

productsign --sign "Developer ID Installer: John Doe" "/Volumes/UnsignedInstallers/MyPlugin_Installer_v1.0.0.pkg" "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"

This code is for checking the installer signing process if it is successful or not:

pkgutil --check-signature "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"

---

5) Notarize the installer: For this, you'll need an app specific password. In the below notarization code, the app specific password is (for example) abcd-efgh-ijkl-mnop You can use one password for all of your products, or you can use individual. But be aware that there is a limit for app specific passwords, so IMO less is better. The notarization code will be this:

xcrun altool --notarize-app -f "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg" --primary-bundle-id com.myplugininstaller.pkg --username "johndoe@gmail.com" --password "abcd-efgh-ijkl-mnop"

After applying the notarization code to the Terminal, wait for the upload process is done. After the upload finished, wait for the Apple email for the "notarization is successful" notification. After the uploading, mostly it takes with in 15 minutes. rarely it can take 4-5 hours but it is so uncommon. If you haven't got the email yet, wait for it. Don't try to re-notarize, the Apple email will come soon or later. Sequential notarization attempts cause fucked up failures.

---

6) Time Staple the Installer: After the "notarization is successful" email, the last step comes, Time Stamp. The code is this:

xcrun stapler staple "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"

That's it :)

Also, after the Time Stamp, you can check the notarization status with below code. If you get "status: Accepted", then that means the notarization process is successful:

spctl -a -vvv -t install "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"

A Former User

@orange That's a great explanation, Thank You!