Notarisation for dummies
-
@orange said in Notarisation for dummies:
@trillbilly The procedure in macOS is this:
- Export plugin from HISE
- Sign the plugin
- Create a .pkg installer with WhiteBox Packages
- Sign the installer
- Notarize the installer
- Time Stamp the installer
If you follow this procedure properly, there will be no issues. Follow the KvR thread, all of these steps are explained there, it's working.
- Export plugin from HISE
- Sign the plugin
- Create a .pkg installer with WhiteBox Packages
3.1) attach your developer installer certificate to WBP
- Sign the installer
- Notarize the installer
- Staple the installer
-
"3.1) attach your developer installer certificate to WBP"
This is the certificate I placed in my Keychain, yes? How do you attach it to Packages?
Also, in the KVR thread they mention zipping the pkg before notarizing, is this not necessary?
-
@trillbilly said in Notarisation for dummies:
"3.1) attach your developer installer certificate to WBP"
This is the certificate I placed in my Keychain, yes? How do you attach it to Packages?
Also, in the KVR thread they mention zipping the pkg before notarizing, is this not necessary?
Not on the Mac at the moment but it's in the user manual if you look for it:
http://s.sudre.free.fr/Software/documentation/Packages/en_2017/Project_Configuration.html#5
No need to zip the pkg file.
-
@lindon said in Notarisation for dummies:
3.1) attach your developer installer certificate to WBP
This is the same thing with:
- Sign the installer
While signing the installer you need to sign it with your Developer Installer Certificate.
Actually, while creating installers I don't attach my Developer Installer Certificate inside WhiteBox Packages app. After creating the installer, I am directly using the Terminal for attaching the Developer Installer Certificate. It's a choice but both ways are ok.
-
@dustbro yes, I saw this. I was just on my last nerve with Apple yesterday. I was at it with installers, codesigning and attempting to notarize for almost 10 hours. I will be back to the studio in a couple hours to get back at it.
Almost there, for now....
-
@orange ok so attaching the certificate within Packages while creating the installer is essentially the same as signing the installer after the pkg has been created? Got it!
-
Ok to recap all the things, the below process is the way I use. Be careful with the spaces and other chars with these codes:
PLUGIN DISTRIBUTION PROCESS FOR macOS
1) Export the plugin from HISE
2) Sign the plugin: In the below example, my plugin folder is
/Volumes/UnsignedPlugins/
For plugin signing, you need your Developer ID Application Certificate. Below code is for .vst, and similarly it will be same for vst3 and au plugins, only the file extension will be changed. So the code will be like this:
codesign --force -s "Developer ID Application: John Doe" "/Volumes/UnsignedPlugins/MyPlugin.vst"
This code is for checking the plugin signing process if it is successful or not:
pkgutil --check-signature "/Volumes/UnsignedPlugins/MyPlugin.vst"
3) Create a .pkg installer with WhiteBox Packages (without adding the Developer ID Installer Certificate). In this example the installer name is
MyPlugin_Installer_v1.0.0.pkg
4) Sign the installer: My unsigned installer folder is
/Volumes/UnsignedInstallers/
Put the created .pkg installer (in step 3) into this folder. Also, my signed installer folder is
/Volumes/SignedInstallers/
Below code will create a new signed installer file which will be placed to signed installer folder. For the installer signing, you also need your Developer ID Installer Certificate. So the code will be like this:
productsign --sign "Developer ID Installer: John Doe" "/Volumes/UnsignedInstallers/MyPlugin_Installer_v1.0.0.pkg" "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"
This code is for checking the installer signing process if it is successful or not:
pkgutil --check-signature "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"
5) Notarize the installer: For this, you'll need an app specific password. In the below notarization code, the app specific password is (for example)
abcd-efgh-ijkl-mnop
You can use one password for all of your products, or you can use individual. But be aware that there is a limit for app specific passwords, so IMO less is better. The notarization code will be this:
xcrun altool --notarize-app -f "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg" --primary-bundle-id com.myplugininstaller.pkg --username "johndoe@gmail.com" --password "abcd-efgh-ijkl-mnop"
After applying the notarization code to the Terminal, wait until the upload process is done. After the upload has finished, wait for the Apple email with the "notarization is successful" notification. After the upload, it mostly takes within 15 minutes. Rarely it can take 4-5 hours, but that is so uncommon. If you haven't got the email yet, wait for it. Don't try to re-notarize, the Apple email will come sooner or later. Sequential notarization attempts cause fucked up failures.
6) Time Staple the Installer: After the "notarization is successful" email, the last step comes, Time Stamp. The code is this:
xcrun stapler staple "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"
That's it :)
Also, after the Time Stamp, you can check the notarization status with below code. If you get "status: Accepted", then that means the notarization process is successful:
spctl -a -vvv -t install "/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"
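The six steps from the post above as one script, added here as an example (not orange's or HISE's code). It runs in three phases because step 3 and the wait for Apple's e-mail happen outside the Terminal, and it ends with a check on the `spctl` output. `DRY_RUN`, `phase`, `run`, `gate_ok` and the keychain item `AC_PASSWORD` are assumed names; paths and identities are the ones from the post.

```sh
#!/bin/sh
# Added example, not from the thread. DRY_RUN, phase, run, gate_ok and the
# AC_PASSWORD keychain item are assumed names; paths/identities are orange's.
set -eu

ID_APP="Developer ID Application: John Doe"
ID_PKG="Developer ID Installer: John Doe"
PLUGIN="/Volumes/UnsignedPlugins/MyPlugin.vst"
UNSIGNED="/Volumes/UnsignedInstallers/MyPlugin_Installer_v1.0.0.pkg"
SIGNED="/Volumes/SignedInstallers/MyPlugin_Installer_v1.0.0.pkg"

# Dry run (default) prints the command; DRY_RUN=0 executes it and set -e
# aborts the phase on the first failing tool.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reads spctl output on stdin. Passes only when Gatekeeper accepted the
# package and attributes it to a notarized Developer ID, so a package that
# is signed but not notarized fails the gate. Either capitalisation of
# "accepted" is matched.
gate_ok() {
  out=$(cat)
  case "$out" in *": accepted"*|*": Accepted"*) ;; *) return 1 ;; esac
  case "$out" in *"source=Notarized Developer ID"*) ;; *) return 1 ;; esac
}

phase() {
  case "$1" in
    plugin)   # step 2, before building the .pkg in WhiteBox Packages
      run codesign --force -s "$ID_APP" "$PLUGIN"
      run pkgutil --check-signature "$PLUGIN" ;;
    submit)   # steps 4-5, after step 3 produced the unsigned .pkg
      run productsign --sign "$ID_PKG" "$UNSIGNED" "$SIGNED"
      run pkgutil --check-signature "$SIGNED"
      # @keychain: keeps the app-specific password out of shell history
      # and the process list.
      run xcrun altool --notarize-app -f "$SIGNED" \
        --primary-bundle-id com.myplugininstaller.pkg \
        --username "johndoe@gmail.com" --password "@keychain:AC_PASSWORD" ;;
    finish)   # step 6, once the notarization e-mail has arrived
      run xcrun stapler staple "$SIGNED"
      if [ "${DRY_RUN:-1}" = "1" ]; then echo "spctl -a -vvv -t install $SIGNED"
      else spctl -a -vvv -t install "$SIGNED" 2>&1 | gate_ok; fi ;;
    *) echo "usage: $0 plugin|submit|finish" >&2; return 2 ;;
  esac
}

if [ -n "${1:-}" ]; then phase "$1"; fi
```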
-
@orange That's a great explanation, Thank You!
-
All hail @orange
-
@orange I've gotten to waiting for the email. I'll post update after.
UPDATE: Success. Thanks again!
-
@orange Thnx for this epic information! All of the required information is here. You're awesome
@Christoph-Hart could you add this information to the HISE Documentation, please? It will be so helpful for the newbies.
-
@fortune said in Notarisation for dummies:
could you add this information to the Hise Documentation, please?
https://docs.hise.audio/working-with-hise/project-management/documentation/contributing.html
-
@nesta99 Here it is. The instructions are just a few posts above. This is with installers. I think the process is a bit different if you do it without installers.
-
Hello everyone. After code signing the plugin I'm still not able to open my plugin in Logic Pro. I have the latest version of Logic on a Monterey OS. Is it required to notarise the plugin before making it work on a DAW?
Thanks
-
@nesta99 said in Notarisation for dummies:
Is it required to notarise the plugin before making it work on a DAW?
In Logic almost certainly, other DAWs might be more tolerant.
-
@d-healey Thanks so much. Another question: I'm having an issue with dealing with the packaging, most precisely on the destination folder:
As shown in the picture above I wasn't able to place the .component in the Audio/Plugins/Component folder.
Now when the end user installs the product, the .component file will be placed in the wrong place, making it complicated.
Any solution?
-
@nesta99 Are you using Whitebox Packages?
-
@d-healey
This:
-
@nesta99 Yep, you need to setup your install paths in there.
-
@nesta99 said in Notarisation for dummies:
Hello everyone. After code signing the plugin I'm still not able to open my plugin in Logic Pro. I have the latest version of Logic on a Monterey OS. Is it required to notarise the plugin before making it work on a DAW?
Thanks
I have NEVER had to notarize any plugin anywhere - codesign - yes but notarize no. I strongly suspect it's not that it's not notarized. Have you run auval against your compiled component plugin?