Notarisation help please!
-
@JamesC said in Notarisation help please!:
/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3: rejected source=Unnotarized Developer ID
your plugin is not being code signed...
/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3: rejected source=Unnotarized Developer IDits failing....with an invalid Developer ID...
are you the one removing the Developer ID from this?
codesign --force --deep --options runtime --timestamp \ --sign "Developer ID Application: ID REMOVED FOR POST" \ "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3"if so tell us what the format is of your Developer ID, if its not you then you have to put your Developer ID here...
-
Thanks guys yes I just removed it from posting so I had removed it Was doing:
Team Name (Team ID)
Please Don't tell me its something as simple as not having the brackets?
-
@JamesC ..I dont think you should eb using the Team Name/ID ...
-
@JamesC I have a video on my Patreon page showing a script that will automate the codesigning and notarization process - https://www.patreon.com/posts/osx-codesign-and-65785381
However, don't use the script until you can do it manually, but the script itself provides the step by step process.
-
This post is deleted! -
@JamesC So the first thing to do is remove your credentials from the post above. We don't need to see them and you should never be sharing this information.
I'll take a look properly later
-
JamesC
about an hour agoAgain guys thanks for your time I'm sorry I'm giving you lots to read but I really do appreciate it, I went and checked what I've been using against that script David and made some minor adjustments I've left all info in so you can see at this time:
codesign -s "Developer ID Application: Team Name (Number)" "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3" --timestamp
codesign -s "Developer ID Application: Team Name (Number)" "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/Components/OBSCURA.component" --timestamp
So then went and created my package in white box and the build succeeds and works as expected. So I then checked the productsign code for the package:productsign --sign "Developer ID Installer: Team Name (Number)"
"/Users/jamescox/Documents/Obscura_Installer_1.0.0/build/Obscura_Installer_1.0.3.pkg"
"/Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.3.pkg"
Terminal then gives me this:productsign: using timestamp authority for signature
Warning: unable to build chain to self-signed root for signer "Developer ID Installer: Team Name (Number)"
productsign: signing product with identity "Developer ID Installer: Team Name (Number)" from keychain /Users/jamescox/Library/Keychains/login.keychain-db
productsign: Wrote signed product archive to /Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.3.pkgSo I get a warning here. First question then becomes is this the first issue?
When I go to notorise using the code form David's script again it says Invalid. Again runing the log i get:
"message": "The binary is not signed with a valid Developer ID certificate.",
But in the keychain it says valid etc so I'm really confused now
-
@JamesC I extracted this from my script that is working fine:
(note that the pkg signature certificate is directly embedded in WhiteBox Packages, so no extra steps for me...)SIGN_ID="Developer ID Application: Team (NUMBER)" APPLE_ID="your@email.com" PASSWORD="your-pass-word" TEAM_ID="NUMBER" # codesign codesign --deep --force --timestamp --options runtime --sign "$SIGN_ID" "$VST3_PATH" --verbose # verify codesign -dv --verbose=4 "$VST3_PATH" # notarization xcrun notarytool submit --apple-id "$APPLE_ID" --password "$PASSWORD" --team-id "$TEAM_ID" "$PACKAGE_OUTPUT_PATH" --wait pkgutil --check-signature "$PACKAGE_OUTPUT_PATH" xcrun stapler staple "$PACKAGE_OUTPUT_PATH" -
@JamesC said in Notarisation help please!:
But in the keychain it says valid etc so I'm really confused now
it could be the certificate. I had similar issues in that everything looked fine but it wouldn't codesign. After going back and forth with ChatGBT for a while, reinstalling the certificates again and again it eventually worked.
Can you show us an image of your keychain (with the id numbers blurred out?)
for example, I have my two certs installed on Login, with an imported private key (from my older computer), but if you installed direct from your apple devaccount it will say something like Mac Developer ID Installer / Application. The private key is important, for some reason it took me a few goes to get it installed properly....
-
@JamesC right here's what my command line code signing string looks like...
codesign --deep --force --options runtime --sign "Developer ID Application: Lindon Mulcahy-Parker (9999AA9AAA)" "/Users/lindonparker/Desktop/Horizen.component"that 9999AA9AAA. is my Team ID (so yeah I was wrong you should def. be using that....) and Lindon Mulcahy-Parker is my developer account name, so make sure your details are correct:
- go to the developer.apple.com web site and check your details...
When you have the correct details enter the command on a command line and make sure it works...
if it doesnt and you continue to get the sort of errors listed above then I suspect your developer certificates are not installed correctly. Check they are installed correctly in Keychain Access - you should see them(at least one) in your Certificates/System tab in Key Chain Access - they should be annotated as This certificate is valid and show your developer account id and your team ID
-
Thanks all for this helpful info hopefully can make some prgoress! @DanH the more and more I'm digging in with this the mroe it seems like it is a certification issue:
UPDATE
So I went into this one that has the blue check and I said don't trust, went red, then always trust, went blue, the system defaults and its gone to green and is now trusted so I'm hoping that thats the missing piece of the puzzle will update once the mini ones have been put to bed!
-
It was that certificate that needed the permission change that was the block.
Honestly thank you so much to all of youf or your help I'm going to put together a post later this week step by step on what I had to do to get it working just incase anyone does face the same issues and at least then it summarised in one central location
