Notarisation for dummies
-
Have you enabled the Hardened Runtime properties in the autogenerated Projucer project?
-
OK, here's my process:
Step 0: Build your app and plugins...
Step 1: Sign the plugin or app from desktop (copy it there):
run these commands in the terminal window:
codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.component" --timestamp
codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.vst" --timestamp
codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.vst3" --timestamp
codesign --deep --force --options runtime --sign "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.app"
Validate that the code signing has happened:
codesign -vvv /Users/lindon/Desktop/yourvst.vst
Step 2: Make the installer package & Sign the package from desktop - note my white box has my dev installer certificate attached..(copy it there):
codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.pkg"
Step 3: Notarize your package; it should notarize your app at the same time...
—NOTE: YOU MUST TYPE THIS INTO THE TERMINAL BY HAND - IT WON'T WORK CUT AND PASTE FOR ME!!!!!
xcrun altool --notarize-app -f "/Users/lindon/Desktop/your.pkg" --primary-bundle-id com.your.pkg --username "your-apple-id-NOT-your-dev_id" --password "your-altool-password"
Step 4: Wait for email from apple…
on success notification, staple your package:
xcrun stapler staple "/Users/lindon/Desktop/your.pkg"
Step 5: Check if package has been signed…
codesign -vvv --deep --strict "/Users/lindon/Desktop/your.pkg"
OK this all works fine - except!!! - If I add an icon to the app after it's been built then it will NOT notarize, giving you the ever helpful message:
unsealed contents present in the bundle root
As yet I haven't tried to notarize an app that has used the Icon.png-in-the-images-folder approach..
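The "unsealed contents present in the bundle root" failure mentioned in the post above can be caught before signing with a check like the following. It is an added example, not part of the original post; the function name `unsealed_root_items` is hypothetical, and it assumes that a bundle root should hold only `Contents` and that an icon applied after the build leaves a hidden `Icon` + carriage-return file there.

```shell
#!/bin/sh
# Added example: pre-flight check for stray items in a bundle root.
# Assumption: the root of a macOS bundle (.app, .component, .vst, .vst3)
# should hold only "Contents"; anything else sits outside the code seal.
# A custom icon applied after the build is assumed to leave a hidden file
# named "Icon" + carriage return in the root.

# Prints each root entry other than Contents (non-printable bytes shown
# as "?"). Returns 0 when clean, 1 when stray items exist, 2 if $1 is
# not a bundle directory.
unsealed_root_items() {
    bundle=$1
    if [ ! -d "$bundle/Contents" ]; then
        echo "not a bundle: $bundle" >&2
        return 2
    fi
    rc=0
    # The three patterns together cover normal and hidden names.
    for entry in "$bundle"/* "$bundle"/.[!.]* "$bundle"/..?*; do
        # Skip patterns that matched nothing (left as literal text).
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        [ "$name" = "Contents" ] && continue
        printf '%s' "$name" | LC_ALL=C tr -c '[:print:]' '?'
        echo
        rc=1
    done
    return "$rc"
}

# Stand-alone use: ./check_bundle_root.sh "/path/to/your.app"
if [ "$#" -gt 0 ]; then
    unsealed_root_items "$1"
fi
```

Run it on the bundle after any post-build change and before the `codesign` step; a non-empty listing means the bundle needs cleaning and re-signing.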
-
-
@Lindon said in Notarisation for dummies:
codesign --deep --force --options runtime --sign "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.app"
HERO!!!!
-
@Christoph-Hart said in Notarisation for dummies:
Have you enabled the Hardened Runtime properties in the autogenerated Projucer project?
No. For plugins, my process is this:
Hise Export plugins > Sign plugins > Build installer > Sign installer > Notarize installer > Time stamp installer
For the notarization of apps and plugins, you can follow this updated guide: https://www.kvraudio.com/forum/viewtopic.php?t=531663
-
Yes I did follow the guideline, but forgot to add the
--deep --force --options runtime
flags when signing the standalone app. All works now.
Just one minor thing, I couldn't verify the notarisation with Lindon's suggestion, but this approach worked
-
@Christoph-Hart said in Notarisation for dummies:
Yes I did follow the guideline, but forgot to add the
--deep --force --options runtime
flags when signing the standalone app. All works now.
Just one minor thing, I couldn't verify the notarisation with Lindon's suggestion, but this approach worked
For codesign checking I use this:
pkgutil --check-signature "/Volumes/Data/My_Installer.pkg"
For notarization checking I use this:
spctl -a -vvv -t install "/Volumes/Data/My_Installer.pkg"
If the notarization is ok, you should see an "accepted" message.
Both of them should work in your system too.
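The `spctl` check from the post above can be scripted so a build job fails when the installer is signed but not notarized. This is an added example, not part of the original post; `classify_spctl` is a hypothetical name, the sample outputs are constructed, and the `source=` strings are assumptions about how Gatekeeper words its assessment.

```shell
#!/bin/sh
# Added example: classify the result of
#   spctl -a -vvv -t install "<pkg>" 2>&1 | classify_spctl
# (2>&1 because spctl is assumed to print its assessment on stderr).
# Assumption: the "source=" strings below are the ones Gatekeeper prints;
# adjust them if your macOS version words them differently.

# Reads spctl output on stdin; prints notarized, signed-only, rejected
# or unknown.
classify_spctl() {
    verdict=
    src=
    while IFS= read -r line; do
        case $line in
            *": accepted") verdict=accepted ;;
            *": rejected") verdict=rejected ;;
            source=*)      src=${line#source=} ;;
        esac
    done
    case "$verdict/$src" in
        "accepted/Notarized Developer ID") echo notarized ;;
        accepted/*) echo signed-only ;;  # accepted without a notarized source
        rejected/*) echo rejected ;;
        *)          echo unknown ;;
    esac
}

# Constructed sample outputs (not captured from a real machine).
sample_notarized() {
    printf '%s\n' '/Volumes/Data/My_Installer.pkg: accepted' \
        'source=Notarized Developer ID' \
        'origin=Developer ID Installer: Example Dev (TEAMID0000)'
}
sample_signed_only() {
    printf '%s\n' '/Volumes/Data/My_Installer.pkg: accepted' \
        'source=Developer ID' \
        'origin=Developer ID Installer: Example Dev (TEAMID0000)'
}
sample_unnotarized() {
    printf '%s\n' '/Volumes/Data/My_Installer.pkg: rejected' \
        'source=Unnotarized Developer ID' \
        'origin=Developer ID Installer: Example Dev (TEAMID0000)'
}
```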
-
@orange - cool. I will add these to my process...
-
Just another tidbit for those lay-people like me — I recently discovered this third-party app while trying to learn about notarization: DMG Canvas
It's a WYSIWYG builder that automatically notarizes and staples your installer using your Apple ID when you build the DMG file. Super clean!
-
@Christoph-Hart I do the @Lindon way. Almost everything the same. I just staple VSTs and AUs before packaging them into a .pkg and I got the "The validate action worked!" on everyone (files by themselves and installers)
-
@hisefilo You don't need to notarize/staple your plugins. You only need to codesign plugins and notarize/staple the installer.
-
@d-healey I was losing my time then!!!! Thanks Dave
-
@d-healey said in Notarisation for dummies:
@hisefilo You don't need to notarize/staple your plugins. You only need to codesign plugins and notarize/staple the installer.
So only code signing the .component / .vst or .vst3 lets us distribute the plugin?
Without installers? So the end user can drag & drop the plugin into the folders and get to work right away?!!!
-
@Natanr No. If you are distributing the binaries only then they need to be codesigned and notarized/stapled, but if you are distributing them in a pkg (or a DMG that contains a pkg) then you only need to notarize the pkg. This is according to the famous KVR post - https://www.kvraudio.com/forum/viewtopic.php?t=531663
-
@d-healey At the risk of passing for ignorant, what is the use of notarization? If my .vst or .au plugin is not notarized it will not work? I am under Catalina and my plugins are working fine. It's just a legal obligation, is it?
-
The end user will see a passive-aggressive popup from macOS that suggests your software is full of viruses unless you notarize.
It isn't a show stopper (AFAIK you can still run the installer by right-clicking and choosing Open from the context menu) but you need to prepare to answer a few more customer support emails than you should have to...
-
@Christoph-Hart However, I have already given my plugins and VST to friends to try and they had no problem installing. Logic asks that the plugin be checked but we can activate it anyway.
-
@adriano are they using Catalina?
-
@d-healey - my understanding remains that you need to notarise anything that will "run" on its own - so app or pkg or dmg etc. but plug-ins - that are called from within DAWs - only need to be codesigned. Colour me massively unsurprised if this opinion is wrong...
-
@Lindon Perhaps it is needed for apps, the KVR thread just mentions plugins. I'll see what I can find out!