Apple team ID, code sign but ask for security to open the plugin
-
Hi,
I have an apple team Id, I have code signed the plugin, And code signed the installer but it ask for security when launch the installer.
Is there someone who can help me?
-
@Yannrog Where did you use the Apple Team ID?
I don't think it's needed for regular VST/AU exports, only for iOS exports (which are no longer supported).
How are you code-signing the plugin and the installer? Are you using an app, like Packages or Package Builder? Or are you using the command line?
-
You can use this terminal command to check your signing:
codesign -vvv --deep --strict "Your Plugin.vst3" && spctl --assess -vv --type install "Your Plugin.vst3"If the output doesn't say 'accepted', something went wrong with the signing or notarization process.
-
@Yannrog Did you notarize it?
This workshop might be helpful for you: https://audiodevschool.com/courses/packaging-for-macos/
-
@David-Healey Hi, I don't know what is notarize,
I will check
-
@dannytaurus When I put VST and AU, the plugin is not seen and is seeing as a potential malware.
I use Packages and I use “add a certificate“
-
@AchimR Ok,
I will check
-
@Yannrog said in Apple team ID, code sign but ask for security to open the plugin:
@David-Healey Hi, I don't know what is notarize,
I will check
if its not notarized its not going to load....
-
@Yannrog
You must codesign your plug-in files.
And you must codesign, notarize, and staple your installer.Here are the commands I use. Of course, you'll need to enter your own data. For the commands to work, the files must always be on your desktop.
// AU Component (Sign) codesign -s "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_PLUGIN.component" --timestamp // VST3 (Sign) codesign -s "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_PLUGIN.vst3" --timestamp // Installer (Sign) codesign --deep --force --options runtime --sign "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg" // Installer (Notarization) xcrun notarytool submit --apple-id "YOUR_MAIL_ADRESS" --password "YOUR_PASSWORD" --team-id "YOUR_CODE" --wait "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg" // Installer (Staple) xcrun stapler staple "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg"This article is very helpful, and it allowed me to set up my system:
https://www.kvraudio.com/forum/viewtopic.php?t=531663This article is also very helpful if you run into any problems:
https://developer.apple.com/documentation/security/resolving-common-notarization-issues -
@Lindon ok,
I'm a true newbie, so I will learn. thank you for your advices
-
@Oli-Ullmann Ok,
Thank you
-
@David-Healey @AchimR @dannytaurus @Lindon @Oli-Ullmann
Is it normal that when I code sign it, notarize it with the new notary tool, it is invalid?
(in Hise I have team ID and Bundle), I have registered the bundle in apple.I have one plugin that worked when code signed it, notarized and stapled it. But I have a new one that load to server and has status invalid.
-
@Yannrog
I had the same problem with the automatic code signing performed by HISE / xCode. My solution is to first remove the signature after compiling, and then manually run the signing process again before notarizing and stapling.The command to remove the signature is as follows:
codesign --remove-signature "/Users/YOU_USERNAME/Desktop/YOUR_PLUG-IN.vst3" codesign --remove-signature "/Users/YOU_USERNAME/Desktop/YOUR_PLUG-IN.component"For this as well, your plug-in must be on the desktop, or you'll need to adjust the command.
-
@Yannrog Do it manually through the CLI as Oli suggests.
-
@Oli-Ullmann ok, thank you. I will try
-
@David-Healey Thank you David, ok
-
@Oli-Ullmann By runnnig the signing process again, you mean with the new notary tool?
-
@Yannrog
I'm not familiar with the new notary tool. I use the commands I showed you above:// AU Component (Sign) codesign -s "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_PLUGIN.component" --timestamp // VST3 (Sign) codesign -s "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_PLUGIN.vst3" --timestamp // Installer (Sign) codesign --deep --force --options runtime --sign "Developer ID Application: YOUR NAME (YOUR CODE)" "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg" // Installer (Notarization) xcrun notarytool submit --apple-id "YOUR_MAIL_ADRESS" --password "YOUR_PASSWORD" --team-id "YOUR_CODE" --wait "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg" // Installer (Staple) xcrun stapler staple "/Users/YOUR_USERNAME/Desktop/YOUR_INSTALLER.pkg"First, as mentioned, you'll need to remove the signature using this:
codesign --remove-signature "/Users/YOU_USERNAME/Desktop/YOUR_PLUG-IN.vst3" codesign --remove-signature "/Users/YOU_USERNAME/Desktop/YOUR_PLUG-IN.component" -
@Oli-Ullmann Ok , I didn't know about code signing directly from the CLI Thank you so much.
Sorry, this is already the new notary tool. This is the new command apple recommend with “xcrun notarytool submitt“. -
@Oli-Ullmann It seems to work. I have status accepted. God bless you.
