Apple team ID, code sign but ask for security to open the plugin

Oli Ullmann

@Yannrog
You must codesign your plug-in files.
And you must codesign, notarize, and staple your installer.

Here are the commands I use. Of course, you'll need to enter your own data. For the commands to work, the files must always be on your desktop.

// AU Component (Sign)
codesign -s "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_PLUGIN.component" --timestamp

// VST3 (Sign)
codesign -s "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_PLUGIN.vst3" --timestamp

// Installer (Sign)
codesign --deep --force --options runtime --sign "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg"

// Installer (Notarization)
xcrun notarytool submit --apple-id "YOUR_MAIL_ADRESS" --password "YOUR_PASSWORD"  --team-id "YOUR_CODE" --wait "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg"

// Installer (Staple)
xcrun stapler staple "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg"

This article is very helpful, and it allowed me to set up my system:
https://www.kvraudio.com/forum/viewtopic.php?t=531663

This article is also very helpful if you run into any problems:
https://developer.apple.com/documentation/security/resolving-common-notarization-issues

Yannrog

@Lindon ok,

I'm a true newbie, so I will learn. thank you for your advices

Yannrog

@Oli-Ullmann Ok,

Thank you

Yannrog

@David-Healey @AchimR @dannytaurus @Lindon @Oli-Ullmann

Is it normal that when I code sign it, notarize it with the new notary tool, it is invalid?
(in Hise I have team ID and Bundle), I have registered the bundle in apple.

I have one plugin that worked when code signed it, notarized and stapled it. But I have a new one that load to server and has status invalid.

Oli Ullmann

@Yannrog
I had the same problem with the automatic code signing performed by HISE / xCode. My solution is to first remove the signature after compiling, and then manually run the signing process again before notarizing and stapling.

The command to remove the signature is as follows:

codesign --remove-signature "/Users/YOU_USERNAME/Desktop/YOUR_PLUG-IN.vst3"
codesign --remove-signature "/Users/YOU_USERNAME/Desktop/YOUR_PLUG-IN.component"

For this as well, your plug-in must be on the desktop, or you'll need to adjust the command.

David Healey

@Yannrog Do it manually through the CLI as Oli suggests.

Yannrog

@Oli-Ullmann ok, thank you. I will try

Yannrog

@David-Healey Thank you David, ok

Yannrog

@Oli-Ullmann By runnnig the signing process again, you mean with the new notary tool?

Oli Ullmann

@Yannrog
I'm not familiar with the new notary tool. I use the commands I showed you above:

// AU Component (Sign)
codesign -s "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_PLUGIN.component" --timestamp

// VST3 (Sign)
codesign -s "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_PLUGIN.vst3" --timestamp

// Installer (Sign)
codesign --deep --force --options runtime --sign "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg"

// Installer (Notarization)
xcrun notarytool submit --apple-id "YOUR_MAIL_ADRESS" --password "YOUR_PASSWORD"  --team-id "YOUR_CODE" --wait "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg"

// Installer (Staple)
xcrun stapler staple "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg"

First, as mentioned, you'll need to remove the signature using this:

codesign --remove-signature "/Users/YOU_USERNAME/Desktop/YOUR_PLUG-IN.vst3"
codesign --remove-signature "/Users/YOU_USERNAME/Desktop/YOUR_PLUG-IN.component"

Yannrog

@Oli-Ullmann Ok , I didn't know about code signing directly from the CLI Thank you so much.
Sorry, this is already the new notary tool. This is the new command apple recommend with “xcrun notarytool submitt“.

Yannrog

@Oli-Ullmann It seems to work. I have status accepted. God bless you.

Yannrog

@Oli-Ullmann @David-Healey

What is the command to verify if it is code signed ? thank you

David Healey

@Yannrog Can't remember, but there's some useful apps here that will give you the info https://forum.hise.audio/topic/14860/couple-of-handy-free-mac-apps-for-checking-code-signs-and-notarisation

ustk

@Oli-Ullmann I shouldn't need to remove the old signature prior to signing again.
The new codesign process warns you about the existing signature and automatically replaces it.

Yannrog

@David-Healey works well

Oli Ullmann

@ustk
What do you mean by “new codesign process”? The new notary tool?

ustk

@Oli-Ullmann no I just mean when you codesign again, the previous signature should be replaced. That's what I do with no issues.

ustk

@Oli-Ullmann

VST and AU:

Running: codesign --deep --force --timestamp --options runtime --sign "Developer ID Application: XXXXXXXXXXX" "/Library/Audio/Plug-Ins/Components/MyPlugin.component" --verbose

/Library/Audio/Plug-Ins/Components/MyPlugin.component: replacing existing signature
/Library/Audio/Plug-Ins/Components/MyPlugin.component: signed bundle with Mach-O universal (x86_64 arm64) [com.studio427audio.myplugin]

And AAX:

Warning! This binary has an invalid existing platform digital signature.
  This situation could happen if you wrapped a binary that was already signed.
  Regardless, a new signature will be created now, using your specified credentials.

Oli Ullmann

@ustk
I see. Your command looks a little different from mine. I'll try it next time. Maybe it'll work for me then, too. Thanks a lot! :-)