Notarisation for dummies

Christoph Hart

Hi everybody,

after one year of answering support emails about Catalina with a "Right click and click on Open to bypass the notarisation"-template I've decided to give in and notarise stuff on macOS. Now I know some of you have already notarised some apps made with HISE so before I go down the rabbit hole and google how to notarize an app just to troubleshoot why a generic approach doesn't work, it would be nice to have a HISE-specific guide.

So after my naive approach of notarizing failed with a really nice descriptive error message called "package invalid" after being irresponsive for 10 minutes while the upload was in progress (by a process called Java. JAVA!!!!) my inner peace and patience acquired over the weekend is already gone.

So what did you do in order to sucessfully notarize a HISE app?

orange

@Christoph-Hart said in Notarisation for dummies:

Hi everybody,

after one year of answering support emails about Catalina with a "Right click and click on Open to bypass the notarisation"-template I've decided to give in and notarise stuff on macOS. Now I know some of you have already notarised some apps made with HISE so before I go down the rabbit hole and google how to notarize an app just to troubleshoot why a generic approach doesn't work, it would be nice to have a HISE-specific guide.

So after my naive approach of notarizing failed with a really nice descriptive error message called "package invalid" after being irresponsive for 10 minutes while the upload was in progress (by a process called Java. JAVA!!!!) my inner peace and patience acquired over the weekend is already gone.

So what did you do in order to sucessfully notarize a HISE app?

I haven't built a standalone app in Hise yet, so I don't have experience for the app notarization.

But for plugins, it definately works.

Christoph Hart

Have you enabled the Hardened Runtime properties in the autogenerated Projucer project?

Lindon

@Christoph-Hart

Ok heres my process:
Step 0. build your app and plugins...

Step 1: Sign the plugin or app from desktop (copy it there):

run these commands in the terminal window:

codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.component" --timestamp

codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.vst" --timestamp
codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.vst3" --timestamp
codesign --deep --force --options runtime --sign "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.app"

Validate that the code signing has happened:

codesign -vvv /Users/lindon/Desktop/yourvst.vst

Step 2: Make the installer package & Sign the package from desktop - note my white box has my dev installer certificate attached..(copy it there):

codesign -s "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.pkg"

Step 3: notarize your package it should notarize your app at the same time......

—NOTE: YOU MUST TYPE THIS INTO THE TERMINAL BY HAND - IT WONT WORK CUT AND PASTE FOR ME!!!!!

xcrun altool --notarize-app -f "/Users/lindon/Desktop/your.pkg” --primary-bundle-id com.your.pkg --username "your-apple-id-NOT-your-dev_id" --password "your-altool-password"

Step 4: Wait for email from apple…

on success notification, staple your package:

xcrun stapler staple "/Users/lindon/Desktop/your.pkg"

Step 5:check if package has been signed…
codesign -vvv --deep --strict "/Users/lindon/Desktop/your.pkg”

OK this all works fine - except!!! - If I add an icon to the app after its been built then it will NOT notarize giving you the ever helpful message:

unsealed contents present in the bundle root

As yet I havent tried to notarize an app that has used the Icon.png-in-the-images-folder approach..

Christoph Hart

@Lindon said in Notarisation for dummies:

If I add an icon to the app after its been built

Why?

Christoph Hart

@Lindon said in Notarisation for dummies:

codesign --deep --force --options runtime --sign "Developer ID Application: your-dev-id (your-dev-id-number)" "/Users/lindon/Desktop/your.app"

HERO!!!!

orange

@Christoph-Hart said in Notarisation for dummies:

Have you enabled the Hardened Runtime properties in the autogenerated Projucer project?

No. For plugins, my process is this:

Hise Export plugins > Sign plugins > Build installer > Sign installer > Notarize installer > Time stamp installer

For the notarization of apps and plugins, you can follow this updated guide: https://www.kvraudio.com/forum/viewtopic.php?t=531663

Christoph Hart

Yes I did follow the guideline, but forgot to add the --deep --force --options runtime flags when signing the standalone app. All works now.

Just one minor thing, I couldn't verify the notarisation with Lindons's suggestion, but this approach worked

orange

@Christoph-Hart said in Notarisation for dummies:

Yes I did follow the guideline, but forgot to add the --deep --force --options runtime flags when signing the standalone app. All works now.

Just one minor thing, I couldn't verify the notarisation with Lindons's suggestion, but this approach worked

For codesign checking I use this:

pkgutil --check-signature "/Volumes/Data/My_Installer.pkg"

---

For notarization checking I use this:

spctl -a -vvv -t install "/Volumes/Data/My_Installer.pkg"

If the notarization is ok, you should see "accepted" message.

---

Both of them should work in your system too.

Lindon

@orange - cool. I will add these to my process...

Casey Kolb

Just another tidbit for those lay-people like me — I recently discovered this third-party app while trying to learn about notarization: DMG Canvas

It's a WYSIWYG builder that automatically notarizes and staples your installer using your Apple ID when you build the DMG file. Super clean!

hisefilo

@Christoph-Hart I do the @Lindon way. Almost everything the same. I just staple VSTs and AUs before packaging them into a .pkg and I got the "The validate action worked!" on everyone (files by themselves and installers)

d.healey

@hisefilo You don't need to notarize/staple your plugins. You only need to codesign plugins and notarize/staple the installer.

hisefilo

@d-healey I was loosing my time then!!!! Thanks Dave

Natan

@d-healey said in Notarisation for dummies:

@hisefilo You don't need to notarize/staple your plugins. You only need to codesign plugins and notarize/staple the installer.

So Only Code Signing The .Component / .VST Or .VST3 Can Let Us To Distribute The Plugin?
Without Installers?

So End User Can Drag & Drop The Plugin Into The Folders And Get To Work Right Away?!!!

d.healey

@Natanr No. If you are distributing the binaries only then they need to be codesigned and notarized/stapled, but if you are distributing them in a pkg (or a DMG that contains a pkg) then you only need to notarize the pkg. This is according to the famous KVR post - https://www.kvraudio.com/forum/viewtopic.php?t=531663

adriano

@d-healey at the risk of a pass for an ignorant, what is the use of notarization? if my .vst or .au plugin is not notarized it will not work? I am under catalina and my plugins are working fine. it's just a legal obligation is it?

Christoph Hart

The end user will see a passive-aggressive popup from macOS that suggests your software is full of viruses unless you notarize.

It isn't a show stopper (AFAIK you can still run the installer by right-clicking and choosing Open from the context menu) but you need to prepare to answer a few more customer support emails than you should have to...

adriano

@Christoph-Hart however i have already given my plugins and vst to friends to try and they had no problem installing. logic asks that the plugin be checked but we can activate it anyway.

d.healey

@adriano are they using Catalina?