Notarization Apple



  • Don't know if this will affect us. But Apple is requiring this in order to run apps. Not sure about plugins.

    Important

    Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. Beginning in macOS 10.15, notarization is required by default for all software.

    https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution



  • For example, if a plug-in employs deep integration with the host executable via C function pointer overrides, or uses a JavaScript engine for custom workflows, the host executable must declare the Allow Unsigned Executable Memory Entitlement or Allow Execution of JIT-compiled Code Entitlement, respectively. In some cases, a plug-in fails to even load if the host executable lacks the proper entitlement.

    It‘s as if Apple said „fuck all software developers but HISE in particular“ 😉



  • Just like everytime, Apple is fucking with developers, users.....so they are fucking with everyone.

    After Steve Jobs' gone, they're just fucking themselves, but they don't realize that. In long period Apple will loose lot's of users, not just in the computer arena, but also other technology arenas too.

    Another example: Apple card. https://edition.cnn.com/2019/08/22/tech/apple-card-discoloration-trnd/index.html

    "If your titanium Apple Card comes into contact with hard surfaces or materials, it's possible that the coating can be damaged," The bottom line: The Apple Card probably shouldn't touch anything.

    So if I can't put Apple card in the leather wallet or if the card can't touch with other cards, why the fuck did you make this titanium card?!

    The real question goes to the user: Why did you buy this useless card? 😕

    That is just an example that Apple loosing it's mind and productive work.



  • I received an email from PACE (the company that makes EDEN tools for signing plugins) today, saying this:

    As you may be aware Apple will be releasing its new macOS Catalina (10.15) soon. 
    As part of this release software notarization will be more strongly enforced.
    
    This email covers what PACE is doing with our upcoming 5.1.0 release to support notarization. 
    It’s important that you read this email because the changes required for notarization affect compatibility.
    

    .... and the mail goes.

    Is this notarization shit, about only for installers / dmg files? Or do we have to notarize all of the vst / au plugins, because they won't be opened in hosts without notarization?

    macOS Catalina will be released soon. Does anybody know what is this about?



  • In this video, they say that

    • Plugins must be signed with your Developer ID Application Certificate and it will have a secure timestamp.

    • Installers must be signed with your Developer ID Installer Certificate (this cert. is different from App. cert. above)

    • Dmg files must be signed with your Developer ID Application Certificate and it will have a timestamp.

    For now, the "macOS Mojave (10.14.5) update" is opening unsigned and unnotarized plugins (with a Gatekeeper warning). but I am not sure about "macOS Catalina".



  • discoDSP made a tutorial for the notarization: https://www.kvraudio.com/forum/viewtopic.php?t=531663



  • @orange Hello I need help on the notarization. so i created a pkg. So if I understood correctly, if for example I put 3 plugins in this pkg they will all be notarized. okay. i dont understand apple certificates. I do have an account that I pay 99euros. if someone could detail me the procedure to follow from the creation of a certificate to the notarization please? I just want to be able to open my plugins with bigsur. apple drives me crazy with their stupid protection





  • @yall said in Notarization Apple:

    @orange Hello I need help on the notarization. so i created a pkg. So if I understood correctly, if for example I put 3 plugins in this pkg they will all be notarized. okay. i dont understand apple certificates. I do have an account that I pay 99euros. if someone could detail me the procedure to follow from the creation of a certificate to the notarization please? I just want to be able to open my plugins with bigsur. apple drives me crazy with their stupid protection

    Your process should be like this;

    Hise Export plugins > Sign plugins > Build installer > Sign installer > Notarize installer > Time stamp installer

    For signing you need 2 types of certifiactes.

    For plugin signing, you need "Developer ID Application" certificate
    For installer signing you need "Developer ID Installer" certificate

    You can create certificates with "Request a certificate from a Certificate Authority" option in Keychain. Watch this video. He is making iOS certificate but you can follow the same steps for "Developer ID Application" and "Developer ID Installer" certificates individually.

    After creating your certificates, follow this KvR guide:

    https://www.kvraudio.com/forum/viewtopic.php?t=531663

    Cheers 🙂



  • @orange so I managed to create a certificate.ca I understood. then. I therefore exported a plugin from hise in .vst. I created with package a .pkg for the installation. I have imported the certificate into it. okay now the terminal code lines don't work for me. I put my .pkg on the desktop. I copied and pasted your link and modify the information of course. It gives me an error in the terminal. strongly a full video tutorial ^^ I say that I say nothing ^^



  • .

    If you follow the KvR guide properly, it will definately work.

    @yall said in Notarization Apple:

    @orange so I managed to create a certificate.ca I understood. then.

    You need 2 certificates, not one; as I mentioned above, have you got both 2 of them?

    I therefore exported a plugin from hise in .vst. I created with package a .pkg for the installation.

    After exporting the plugin, you need to sign it before it the .pkg installer. Did you do it? Remember this procedure: Hise Export plugins > Sign plugins > Build installer > Sign installer > Notarize installer > Time stamp installer. You need to carefully follow the KvR guide again: https://www.kvraudio.com/forum/viewtopic.php?t=531663

    now the terminal code lines don't work for me.

    How it doesn't work? What are you typing into the terminal and what is terminal saying to you?



  • @orange I would like to clarify some things. What exactly am I replacing this data with?

    codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.component" --timestamp

    developer application ID?
    team Name?
    (team ID)?
    between devloper account, apple account, I'm lost. I certainly did not do it right. the team id I know this is something like XHEIY67HDJJD from apple developer.
    Yet it seems very simple but for the first time it is a bit messy all this for a noobs like me ^^



  • @yall You will find this in your Apple developer account. It'll look exactly like the example.

    Awesome Plugin Company (W68FJJHBN)
    


  • @yall said in Notarization Apple:

    @orange I would like to clarify some things. What exactly am I replacing this data with?

    codesign -s "Developer ID Application: Team Name (Team ID)" "/path/plugin.component" --timestamp

    developer application ID?
    team Name?
    (team ID)?
    between devloper account, apple account, I'm lost. I certainly did not do it right. the team id I know this is something like XHEIY67HDJJD from apple developer.
    Yet it seems very simple but for the first time it is a bit messy all this for a noobs like me ^^

    Open the Keychain Access Utility and look at your certificates that you've just created.

    For example, in below image

    alt text

    Developer ID Application : is just for describing the certificate type, no need to do anything for this.
    Team Name: John Smith. It could be your company's name too.
    Team ID: RNZ541ACLZ

    As you see, for signing, you need to use the same name of the certificate just like in the Keychain Access Utility. So acording to this example in the image, the AU plugin signing code will be like this:

    codesign -s "Developer ID Application: John Smith (RNZ541ACLZ)" "/path/plugin.component" --timestamp
    
    

    Also be careful about spaces, letters...etc. in the code.

    NOTE: If you can't see the both 2 certificates in the Keychain Access Utility, then it means that you didn't installed certificates properly. Then go to the begining and install the certificates properly.



  • @orange @dustbro @d-healey
    hello, i haven't looked into notarization yet but something weird has happened to me. a friend who serves me as a beta tester, did not manage to open a vst in ableton because I sent him by we transfer directly to the compressed file format. my instrument.vst .that did not work . I sent it back as a pkg. and strangely enough it worked straight away without a problem. he is on bigsure. the plugin is therefore not notarized. is it a fluke or is it something logical? because if it works. why bother to notarize? his mac is from late 2013 with last bigsure update. I created a package with whitebox package. without entering my apple IDs expand



  • @yall Are you sure he didn't just allow it past the gatekeeper when prompted?



  • @yall Sending a project as a raw .vst .aax or .component wont work with Wetransfer. It changes the file structure from a container into a folder (or... something like that). To maintain the properties, zip up the plugins before you send.



  • @d-healey I'm pretty sure he hasn't touched anything because he doesn't know anything about it ^^ however I gave him the .vst file I will try to give it a .componant even I was surprised! the first time he tried to drag the .vst in and the apple indicated that the developer was not verified. then he deleted the .vst. and installed with a simple pkg. and ableton took it straight. I will try to send him some fx and vst plugins of all kinds to be sure.



  • @dustbro I have always sent this way it never bothered. but suppose you are right. how is it possible that bigsure allows an unverified plugin? from what I know now it is imperative to notarize them?



  • @yall

    imperative to notarize them?

    If you notarize the package you don't need to notarize the plugin, but you still need to codesign both.


Log in to reply
 

13
Online

1.2k
Users

3.8k
Topics

33.6k
Posts