Notarisation for dummies

d.healey

@trillbilly said in Notarisation for dummies:

It is for Mac & Windows?

Yes

d.healey

@trillbilly https://forum.hise.audio/topic/3085/export-tool

trillbilly

@orange You've talked me into it. Im attempting installers. I have successfully created Windows installer and Mac installer.

Notarization is another issue though. I was able to get to point of receiving email from Apple but they did not notarize the app.

Ill be continuing this quest tomorrow!

Dan Korneff

@trillbilly said in Notarisation for dummies:

they did not notarize the app

The email should contain a code that you can check for specific errors.

orange

@trillbilly The procedure in macOS is this:

1. Export plugin from HISE
2. Sign the plugin
3. Create a .pkg installer with WhiteBox Packages
4. Sign the installer
5. Notarize the installer
6. Time Stamp the installer

If you follow this procedure properly, there will be no issues. Follow the KvR thread, all of these steps are explained there, it's working.

Lindon

@orange said in Notarisation for dummies:

@trillbilly The procedure in macOS is this:

1. Export plugin from HISE
2. Sign the plugin
3. Create a .pkg installer with WhiteBox Packages
4. Sign the installer
5. Notarize the installer
6. Time Stamp the installer

If you follow this procedure properly, there will be no issues. Follow the KvR thread, all of these steps are explained there, it's working.

1. Export plugin from HISE
2. Sign the plugin
3. Create a .pkg installer with WhiteBox Packages
   3.1) attach your developer installer certificate to WBP
4. Sign the installer
5. Notarize the installer
6. Staple the installer

trillbilly

@lindon

"3.1) attach your developer installer certificate to WBP"

This is the certificate I placed in my Keychain, yes? How do you attach it to Packages?

Also, in the KVR thread they mention zipping the pkg before notarized, is this not necessary?

Lindon

@trillbilly said in Notarisation for dummies:

@lindon

"3.1) attach your developer installer certificate to WBP"

This is the certificate I placed in my Keychain, yes? How do you attach it to Packages?

Also, in the KVR thread they mention zipping the pkg before notarized, is this not necessary?

Not on the Mac at the moment but its in the user manual if you look for it:

Packages - Configuring a project

(s.sudre.free.fr)

No need to zip the pkg file,

orange

@lindon said in Notarisation for dummies:

    3.1) attach your developer installer certificate to WBP

This is the same thing with:

4. Sign the installer

While signing the installer you need to sign it with your Developer Installer Certificate.

Actually, while creating installers I don't attach my Developer Installer Certificate inside WhiteBox Packages app. After creating the installer, I am directly using the Terminal for attaching the Developer Installer Certificate. It's a choice but both ways are ok.

trillbilly

@dustbro yes, I seen this. I was just on my last nerve with apple yesterday. I was at it with installers, codesiging and attempting to notarize for almost 10 hours. I will be back to the studio in a couple hours to get back at it.

Almost there, for now....

trillbilly

@orange ok so attaching the certificate within Packages while creating the installer is essentially the same as signing the installer after the pkg has been created? Got it!

orange

@trillbilly

Ok to recap all the things, the below process is the way I use. Be careful with the spaces and other chars with these codes:

---

PLUGIN DISTRIBUTION PROCESS FOR macOS

1) Export the plugin from HISE

---

2) Sign the plugin: In the below example, my plugin folder is /Volumes/UnsignedPlugins/ For plugin signing, you need your Developer ID Application Certificate. Below code if for .vst, and similarly it will be same for vst3 and au plugins, only the file extension will be changed. So the code will be like this:

codesign --force -s "Developer ID Application: John Doe" "/Volumes/UnsignedPlugins/MyPlugin.vst"

This code is for checking the plugin signing process if it is successful or not:

pkgutil --check-signature "/Volumes/UnsignedPlugins/MyPlugin.vst"

---

3) Create a .pkg installer with WhiteBox Packages (without adding the Developer ID Installer Certificate). In this example the installer name is MyPlugin_Installer_v1.0.0.pkg

---

4) Sign the installer: My unsigned installer folder is /Volumes/UnsignedInstallers/. Put the created .pkg installer (in step 3) into this folder. Also, my signed installer folder is /Volumes/SignedInstallers/. Below code will create a new signed installer file which will be placed to signed installer folder. For the installer signing, you also need your Developer ID Installer Certificate So the code will be like this:

productsign --sign "Developer ID Installer: John Doe" "/Volumes/UnsignedInstallers/MyPlugin_Installer_v1.0.0.pkg" "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"

This code is for checking the installer signing process if it is successful or not:

pkgutil --check-signature "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"

---

5) Notarize the installer: For this, you'll need an app specific password. In the below notarization code, the app specific password is (for example) abcd-efgh-ijkl-mnop You can use one password for all of your products, or you can use individual. But be aware that there is a limit for app specific passwords, so IMO less is better. The notarization code will be this:

xcrun altool --notarize-app -f "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg" --primary-bundle-id com.myplugininstaller.pkg --username "johndoe@gmail.com" --password "abcd-efgh-ijkl-mnop"

After applying the notarization code to the Terminal, wait for the upload process is done. After the upload finished, wait for the Apple email for the "notarization is successful" notification. After the uploading, mostly it takes with in 15 minutes. rarely it can take 4-5 hours but it is so uncommon. If you haven't got the email yet, wait for it. Don't try to re-notarize, the Apple email will come soon or later. Sequential notarization attempts cause fucked up failures.

---

6) Time Staple the Installer: After the "notarization is successful" email, the last step comes, Time Stamp. The code is this:

xcrun stapler staple "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"

That's it :)

Also, after the Time Stamp, you can check the notarization status with below code. If you get "status: Accepted", then that means the notarization process is successful:

spctl -a -vvv -t install "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"

A Former User

@orange That's a great explanation, Thank You!

trillbilly

All hail @orange

trillbilly

@orange Ive gotten to waiting for the email. Ill post update after.

UPDATE: Success. Thanks again!

Fortune

@orange Thnx for this epic information! All of the required information is here. You're awesome

@Christoph-Hart could you add this information to the Hise Documentation, please? I will be so helpful for the newbies.

d.healey

@fortune said in Notarisation for dummies:

could you add this information to the Hise Documentation, please?

HISE | Docs

(docs.hise.audio)

trillbilly

@nesta99 Here it is. The instructions are just a few posts above. This is with installers. I think the process is a bit different if you do it without installers.

Sawer

Hello everyone. After code sign the plugin I'm still not able to open my plugin on Logic Pro. I have the latest version of logic on a Monterey OS. Is it required to notarise the plugin before making it work o a daw?
Thanks

d.healey

@nesta99 said in Notarisation for dummies:

Is it required to notarise the plugin before making it work o a daw?

In Logic almost certainly, other DAWs might be more tolerant.