Back to Codesigning, Notarizing and stapling.....
-
Okay, I can't get any sense out of the KVRAudio forum on this topic so I will try here:
I have a plugin, let's call it myplugin.vst3; I have code signed it... all good.
I have placed it in a zip file, let's call that myplugin.zip, and sent that off to Apple for Notarizing...
It came back as passed.....also good.
so now sitting on my Mac hard drive I have
myplugin.vst3
and
myplugin.zip
Now this is a PLUGIN, not an app, not a pkg, not a dmg, not an installer app, none of these... just a plain old VST3, that I will be installing with my (completely separate) home-grown installer app...
Question of the day: Do I need to staple this? And if YES, then which of these am I stapling (and shipping)? The original myplugin.vst3? The zip? Or do I need to extract my plugin from the zip and staple that?
Anyone, ANYONE! have any idea?
-
@Lindon Staple the zip, although I don't know if it's required.
-
@d-healey said in Back to Codesigning, Notarizing and stapling.....:
@Lindon Staple the zip, although I don't know if it's required.
OK, but I can't get my head around why I would staple the zip. What is stapling doing?
-
Okay - spent some more time on the Apple dev forums to get this:
When you staple a ticket to a product, stapler does the following: It gets the cdhash from the product. This code directory hash value uniquely identifies the code. You see it for yourself using codesign -d. It asks the Apple servers for a ticket that includes that cdhash. This ticket was generated and stored on the Apple servers when you notarised the product. It attaches that ticket to your product. The exact mechanism for doing this varies but, for a bundled product like an app, it simply copies the ticket to Contents/CodeResources
but also....
So, to clarify, Apple’s general recommendation is that you:
Sign all your code from the inside out, up to and including any signable containers.
Then notarise and staple the outermost container.
Ship that stapled container.
So, for example, if you ship an app inside an installer package on a disk image, you’d sign the app, then the installer package, then the disk image, and then notarise and staple the disk image. The ticket that you staple to the outermost container will cover any nested containers and code. The system ingests this ticket when you open the outermost container for the first time.
There are exceptions to this rule. Most of them are edge cases that most folks can ignore, but there’s one important one. If you ship an app inside a zip archive, you can’t sign your outermost container because zip archives don’t support signing. In that case you should:
1. Sign the app.
2. Zip that.
3. Notarise that.
4. Take the app from step 1 and staple that.
5. Zip that.
6. Ship the zip archive from step 5.
The system will ingest this ticket when the user first launches the app.
So in truth the answer is "mostly" do the zip, but if that fails then it's OK to do the "app" itself...
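The six-step zip flow quoted above, written out as an added shell example that is not part of this thread or of Apple's documentation; the Developer ID identity and the notarytool keychain profile name are placeholders. Note that later posts in this thread report stapler refusing a bare plug-in bundle with a "does not seem to be an app" message, so step 4 may still fail for a .vst3 as the thread leaves it.

```shell
#!/bin/sh
# Added example, not from the thread: the six-step zip flow for one plug-in bundle.
# Assumed placeholders: the Developer ID identity below and a notarytool keychain
# profile named "notary-profile" created beforehand with `xcrun notarytool store-credentials`.
set -eu

IDENTITY="Developer ID Application: Example Corp (TEAMID)"   # placeholder
PROFILE="notary-profile"                                    # placeholder

# Zip archives cannot be signed, so a zip is never the thing that gets stapled.
# A signable container (app, pkg, dmg) is stapled itself; for a zip the ticket
# goes on the signed code from step 1, which is then zipped again.
staple_target() {
  container="$1"; inner="$2"
  case "$container" in
    *.zip) printf '%s\n' "$inner" ;;
    *)     printf '%s\n' "$container" ;;
  esac
}

# The code directory hash the ticket is keyed on; codesign -dvvv prints it as CDHash=...
cdhash_of() {
  codesign -dvvv "$1" 2>&1 | sed -n 's/^CDHash=//p' | head -n 1
}

ship_plugin_zip() {
  plugin="$1"; archive="${plugin%.*}.zip"
  # 1. Sign the bundle (any nested code inside it should already be signed, inside out).
  codesign --force --timestamp --options runtime --sign "$IDENTITY" "$plugin"
  echo "cdhash of $plugin: $(cdhash_of "$plugin")"
  # 2. Zip it; this is the ditto form Apple's notarization docs use for bundles.
  ditto -c -k --keepParent "$plugin" "$archive"
  # 3. Notarise the zip and block until Apple returns a verdict.
  xcrun notarytool submit "$archive" --keychain-profile "$PROFILE" --wait
  # 4. Staple the ORIGINAL bundle from step 1; the notarised zip is not unzipped.
  target="$(staple_target "$archive" "$plugin")"
  xcrun stapler staple "$target"
  xcrun stapler validate "$target"
  # 5. Zip the stapled bundle again; 6. this second archive is the one to ship.
  rm -f "$archive"
  ditto -c -k --keepParent "$target" "$archive"
  echo "ship: $archive"
}

# Usage: ./ship.sh myplugin.vst3
if [ "$#" -eq 1 ]; then ship_plugin_zip "$1"; fi
```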
-
@Lindon I have a situation now where I just want a plugin (vst3 and component) in a zip file, no pkg.
I've codesigned the plugins.
Put them in a zip file.
Uploaded the zip for notarization. All went well.
Unzipped the notarized zip file.
Attempted to staple the files but I get an error: rejected (the code is valid but does not seem to be an app)
Any ideas?
-
@d-healey I think the zip file is what got notarized, not the contents.
-
@d-healey
You can notarize several different types of software deliverables, including:
macOS apps
Non-app bundles, such as kernel extensions
Disk images (UDIF format)
Flat installer packages
It appears to only be for executable files.
"When the user first installs or runs your software, the presence of a ticket (either online or attached to the executable) tells Gatekeeper that Apple notarized the software. Gatekeeper then places descriptive information in the initial launch dialog to help the user make an informed choice about whether to launch the app."
-
@Dan-Korneff said in Back to Codesigning, Notarizing and stapling.....:
@d-healey I think the zip file is what got notarized, not the contents.
Yes, but Apple says this
-
@d-healey hmmm....
-
@d-healey said in Back to Codesigning, Notarizing and stapling.....:
@Lindon I have a situation now where I just want a plugin (vst3 and component) in a zip file, no pkg.
I've codesigned the plugins.
Put them in a zip file.
Uploaded the zip for notarization. All went well.
Unzipped the notarized zip file.
Attempted to staple the files but I get an error: rejected (the code is valid but does not seem to be an app)
Any ideas?
Nearly right... no need to unzip the notarised zip... just staple the ORIGINAL plugin from step 1, then zip this up for delivery...
-
@Lindon Oh ok, I'll try that, thanks!
-
@d-healey Yeah, it makes no sense to me on all sorts of levels... but it works... Apple.....
-
@Lindon Hmm, I just tried it but I get the same message about it not being an app.