Notarisation for dummies



  • Hi everybody,

    after one year of answering support emails about Catalina with a "Right click and click on Open to bypass the notarisation"-template I've decided to give in and notarise stuff on macOS. Now I know some of you have already notarised some apps made with HISE so before I go down the rabbit hole and google how to notarize an app just to troubleshoot why a generic approach doesn't work, it would be nice to have a HISE-specific guide.

    So after my naive approach of notarizing failed with a really nice descriptive error message called "package invalid" after being unresponsive for 10 minutes while the upload was in progress (by a process called Java. JAVA!!!!) my inner peace and patience acquired over the weekend is already gone.

    So what did you do in order to successfully notarize a HISE app?



  • @Christoph-Hart said in Notarisation for dummies:

    Hi everybody,

    after one year of answering support emails about Catalina with a "Right click and click on Open to bypass the notarisation"-template I've decided to give in and notarise stuff on macOS. Now I know some of you have already notarised some apps made with HISE so before I go down the rabbit hole and google how to notarize an app just to troubleshoot why a generic approach doesn't work, it would be nice to have a HISE-specific guide.

    So after my naive approach of notarizing failed with a really nice descriptive error message called "package invalid" after being unresponsive for 10 minutes while the upload was in progress (by a process called Java. JAVA!!!!) my inner peace and patience acquired over the weekend is already gone.

    So what did you do in order to successfully notarize a HISE app?

    I haven't built a standalone app in Hise yet, so I don't have experience for the app notarization.

    But for plugins, it definitely works.



  • Have you enabled the Hardened Runtime properties in the autogenerated Projucer project?



  • @Christoph-Hart

    OK, here's my process:
    Step 0: build your app and plugins...

    Step 1: Sign the plugin or app from desktop (copy it there):

    run these commands in the terminal window:

    codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.component" --timestamp

    codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.vst" --timestamp
    codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.vst3" --timestamp
    codesign --deep --force --options runtime --sign "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.app"

    Validate that the code signing has happened:

    codesign -vvv /Users/lindon/Desktop/yourvst.vst

    Step 2: Make the installer package & sign the package from desktop - note my white box has my dev installer certificate attached (copy it there):

    codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.pkg"

    Step 3: notarize your package; it should notarize your app at the same time...

    —NOTE: YOU MUST TYPE THIS INTO THE TERMINAL BY HAND - IT WON'T WORK CUT AND PASTE FOR ME!!!!!

    xcrun altool --notarize-app -f "/Users/lindon/Desktop/your.pkg" --primary-bundle-id com.your.pkg --username "your-apple-id-NOT-your-dev_id" --password "your-altool-password"

    Step 4: Wait for email from apple…

    on success notification, staple your package:

    xcrun stapler staple "/Users/lindon/Desktop/your.pkg"

    Step 5: check if package has been signed...
    codesign -vvv --deep --strict "/Users/lindon/Desktop/your.pkg"

    OK this all works fine - except!!! - If I add an icon to the app after it's been built then it will NOT notarize, giving you the ever helpful message:

    unsealed contents present in the bundle root

    As yet I haven't tried to notarize an app that has used the Icon.png-in-the-images-folder approach.



  • @Lindon said in Notarisation for dummies:

    If I add an icon to the app after its been built

    Why?



  • @Lindon said in Notarisation for dummies:

    codesign --deep --force --options runtime --sign "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.app"

    HERO!!!!



  • @Christoph-Hart said in Notarisation for dummies:

    Have you enabled the Hardened Runtime properties in the autogenerated Projucer project?

    No. For plugins, my process is this:

    Hise Export plugins > Sign plugins > Build installer > Sign installer > Notarize installer > Time stamp installer

    For the notarization of apps and plugins, you can follow this updated guide: https://www.kvraudio.com/forum/viewtopic.php?t=531663



  • Yes I did follow the guideline, but forgot to add the --deep --force --options runtime flags when signing the standalone app. All works now.

    Just one minor thing, I couldn't verify the notarisation with Lindon's suggestion, but this approach worked



  • @Christoph-Hart said in Notarisation for dummies:

    Yes I did follow the guideline, but forgot to add the --deep --force --options runtime flags when signing the standalone app. All works now.

    Just one minor thing, I couldn't verify the notarisation with Lindon's suggestion, but this approach worked

    For codesign checking I use this:

    pkgutil --check-signature "/Volumes/Data/My_Installer.pkg"
    

    For notarization checking I use this:

    spctl -a -vvv -t install "/Volumes/Data/My_Installer.pkg"
    

    If the notarization is OK, you should see an "accepted" message.


    Both of them should work in your system too.
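As an added example (not a script from this thread or from the HISE project), here is a POSIX shell release gate that turns the checks Lindon and orange describe above into something a build pipeline can fail on: the pass/fail decision for `pkgutil --check-signature` and `spctl -a -vvv -t install` is made by pure parser functions, so the logic is testable anywhere, while the actual codesign/pkgutil/spctl/stapler calls only run on macOS. It also checks the hardened-runtime flag that the standalone app was missing, and covers d-healey's point later in the thread with a STANDALONE=1 mode for bundles shipped outside a pkg (those must carry their own stapled ticket). All paths, names and team IDs are placeholders, and the tool output quoted in the comments is constructed to match the real tools' shape.

```shell
#!/bin/sh
# Added example (not Lindon's or orange's own script): a fail-closed release
# gate for macOS artifacts built from the checks in this thread. Verdicts are
# parsed by pure functions so the pass/fail logic can be tested anywhere; the
# codesign/pkgutil/spctl/stapler calls only run on macOS.
set -eu

# Decide from `spctl -a -vvv -t install <pkg>` output (read on stdin) whether
# the pkg is accepted *because* it is notarized. Constructed sample of the
# real tool's shape:
#   /Users/me/Desktop/My_Installer.pkg: accepted
#   source=Notarized Developer ID
#   origin=Developer ID Installer: Example Corp (TEAMID)
# "accepted" alone is not proof of notarization (a local Gatekeeper rule can
# also produce it), so the source line is required as well.
spctl_is_notarized() {
  _out=$(cat)
  printf '%s\n' "$_out" | grep -q ': accepted$' || return 1
  printf '%s\n' "$_out" | grep -q '^source=Notarized Developer ID$'
}

# Decide from `pkgutil --check-signature <pkg>` output (stdin) whether the
# installer is signed with a trusted Developer ID *Installer* certificate,
# which is the certificate type a .pkg needs (Developer ID Application is for
# apps and plugin bundles). Constructed sample of the real tool's shape:
#   Package "My_Installer.pkg":
#      Status: signed by a certificate trusted by macOS
#      Certificate Chain:
#       1. Developer ID Installer: Example Corp (TEAMID)
pkgutil_is_signed() {
  _out=$(cat)
  _status=$(printf '%s\n' "$_out" | sed -n 's/^[[:space:]]*Status:[[:space:]]*//p')
  case "$_status" in
    signed*) ;;                                  # only "signed by ..." passes
    *) return 1 ;;                               # e.g. "no signature"
  esac
  case "$_status" in
    *untrusted*|*expired*|*revoked*) return 1 ;; # signed, but not usable
  esac
  printf '%s\n' "$_out" | grep -q 'Developer ID Installer:'
}

# macOS-only: verify a .pkg end to end (signature, notarization, stapled ticket).
verify_pkg() {
  _pkg=$1
  pkgutil --check-signature "$_pkg" | pkgutil_is_signed \
    || { echo "FAIL: $_pkg is not signed with a trusted Developer ID Installer cert"; return 1; }
  spctl -a -vvv -t install "$_pkg" 2>&1 | spctl_is_notarized \
    || { echo "FAIL: $_pkg is not accepted as notarized by Gatekeeper"; return 1; }
  xcrun stapler validate "$_pkg" >/dev/null 2>&1 \
    || { echo "FAIL: $_pkg has no stapled notarization ticket"; return 1; }
  echo "OK: $_pkg is signed, notarized and stapled"
}

# macOS-only: verify an .app/.vst/.vst3/.component bundle: deep, strict
# signature check plus the hardened runtime flag (set by --options runtime;
# notarization requires it). With STANDALONE=1 the bundle is treated as
# shipped outside a pkg and must itself carry a stapled ticket.
verify_bundle() {
  _b=$1
  codesign --verify --deep --strict --verbose=2 "$_b" \
    || { echo "FAIL: $_b signature does not verify"; return 1; }
  codesign -d --verbose=2 "$_b" 2>&1 | grep -q 'flags=.*runtime' \
    || { echo "FAIL: $_b was signed without --options runtime"; return 1; }
  if [ "${STANDALONE:-0}" = 1 ]; then
    xcrun stapler validate "$_b" >/dev/null 2>&1 \
      || { echo "FAIL: $_b is shipped bare but has no stapled ticket"; return 1; }
  fi
  echo "OK: $_b is signed with the hardened runtime"
}

# Usage: sh verify_release.sh My_Installer.pkg My.app My.vst3 ...
# Exits non-zero if any artifact fails, so it can gate a release pipeline.
if [ "$#" -gt 0 ]; then
  _rc=0
  for _f in "$@"; do
    case "$_f" in
      *.pkg) verify_pkg "$_f" || _rc=1 ;;
      *)     verify_bundle "$_f" || _rc=1 ;;
    esac
  done
  exit "$_rc"
fi
```

Run it over every artifact you are about to upload; a pkg that was signed with the Application certificate instead of the Installer one, or a bundle that was signed without `--options runtime`, is reported by name instead of surfacing later as a customer support email.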



  • @orange - cool. I will add these to my process...



  • Just another tidbit for those lay-people like me — I recently discovered this third-party app while trying to learn about notarization: DMG Canvas

    It's a WYSIWYG builder that automatically notarizes and staples your installer using your Apple ID when you build the DMG file. Super clean!



  • @Christoph-Hart I do the @Lindon way. Almost everything the same. I just staple VSTs and AUs before packaging them into a .pkg and I got the "The validate action worked!" on everyone (files by themselves and installers)



  • @hisefilo You don't need to notarize/staple your plugins. You only need to codesign plugins and notarize/staple the installer.



  • @d-healey I was losing my time then!!!! Thanks Dave



  • @d-healey said in Notarisation for dummies:

    @hisefilo You don't need to notarize/staple your plugins. You only need to codesign plugins and notarize/staple the installer.

    So only code signing the .component / .vst or .vst3 can let us distribute the plugin?
    Without installers?

    So the end user can drag & drop the plugin into the folders and get to work right away?!!!



  • @Natanr No. If you are distributing the binaries only then they need to be codesigned and notarized/stapled, but if you are distributing them in a pkg (or a DMG that contains a pkg) then you only need to notarize the pkg. This is according to the famous KVR post - https://www.kvraudio.com/forum/viewtopic.php?t=531663



  • @d-healey at the risk of passing for an ignorant person, what is the use of notarization? If my .vst or .au plugin is not notarized, will it not work? I am under Catalina and my plugins are working fine. It's just a legal obligation, is it?



  • The end user will see a passive-aggressive popup from macOS that suggests your software is full of viruses unless you notarize.

    It isn't a show stopper (AFAIK you can still run the installer by right-clicking and choosing Open from the context menu) but you need to prepare to answer a few more customer support emails than you should have to...



  • @Christoph-Hart However, I have already given my plugins and VST to friends to try and they had no problem installing. Logic asks that the plugin be checked but we can activate it anyway.



  • @adriano are they using Catalina?

