Recent workflow for notarization / codesigning on macOS?

optimistic

I’ve spent the last day researching codesigning and notarizing my HISE plugins on macOS and hitting some walls in trying to do so.

I’ve seen numerous good resources about this …

Notarisation for dummies

Hi everybody, after one year of answering support emails about Catalina with a "Right click and click on Open to bypass the notarisation"-template I've decid...

Forum (forum.hise.audio)

Just a moment...

(www.kvraudio.com)

And also the scripts which @d-healey posted recently on how to automate this process.

Unfortunately none of these are working for me at the moment. What I’ve be doing is running altool from the command line and trying to notarized my installer. But I’m guessing that I might need to notarize the actual plugins first? I’m just getting a vague email from Apple saying it is failing but not able to read the log.

So I wanted to ask here if anyone has a more recent or up to date method for this? I’m asking in part because I can see from this video there is a new Notary Tool method which appears to require Xcode 13 or 14 …

What’s new in notarization for Mac apps - WWDC22 - Videos - Apple Developer

Notarization works in tandem with macOS to help people safely download software for their Mac outside of the App Store. Learn about the...

Apple Developer (developer.apple.com)

Does anyone know if HISE supports XCode 13 or 14 yet?

This is for a commercial product being released later this month. I’m sure I’ll be able to sort this out with enough days of experimenting but if anyone could provide information on how they are doing this in late 2022 that would be appreciated.

If anyone would be available to offer consultant services on the whole pipeline of AAX, AU, VST3 on Windows / macOS this feel free to send me a DM!

d.healey

@optimistic Hello, I can help you out with the code signing and notarizing but not the aax stuff. I'll send you an email when I'm home and we can arrange a call.

Compilation works with xcode 13.1 and I think someone was having success with 14, not sure about versions in between

optimistic

@d-healey Awesome! Sounds good and much appreciated!

gorangrooves

@optimistic I've compiled and notarized successfully with xcode 14.1. I'll be tackling AAX this evening. If i don't post "how-to" over the next couple of days, tag me to remind me. I am racing against the clock

Matt_SF

@gorangrooves said in Recent workflow for notarization / codesigning on macOS?:

@optimistic If i don't post "how-to" over the next couple of days, tag me to remind me.

I will . Good luck!

optimistic

@gorangrooves Amazing and thank you!

I ended up getting this working relatively well in the end with the script @d-healey by making the following changes ...

• Building the plugins manually first so I can also create AAX
• Keeping HISE.app in the HISE/projects/standalone/Builds/MacOSX/build/Release folder. This was the original issue throwing me off on the script as it expects the build to live there
• Populate and run the script

However the issue I'm running into now is that (at least on my test machine) the installer isn't overwriting previous versions of the plugin. I've tried looking for a setting for this in Packages and also bumping the version number with no luck.

Will be interested to hear how you have things being built in Xcode 14.1 as I like keeping my os up to date and had some issues with a recent version of 13 a few months back.

d.healey

@optimistic

he installer isn't overwriting previous versions of the plugin.

How are you testing this? If you are looking at the modified time in Finder then you can ignore it, it often fails to update in a timely manner :)

optimistic

@d-healey Good question!

I was indeed looking at the time in the finder. But also the previous version was looking in the ~/Library folder for the preset folder and the new one is looking in the system equivalent.

I only had installed an AU previously and that one isn't updating to the correct latest version where as the VST3 and AAX both are loading the correct version.

I also updated the version 1.0.1 and the AU tool in Logic is still reporting it as seeing version 1.0.0

d.healey

@optimistic When you run your installer pkg, click customize (I think that's the name of the option) and it should show you if it's installing an update or installing for the first time.

gorangrooves

@optimistic Signing AAX for Mac works very similar to how it does on Windows. The only difference is the command line, and that you are not using a certificate you used on Windows, but Apple's sign ID.
First, download the PACE SDK for Mac through the PACE Central and install it.

For Mac, the command line will be something like this:

/Applications/PACEAntiPiracy/Eden/Fusion/Current/bin/wraptool sign --verbose --account peterjack --signid "Developer ID Application: Peter Jack (ABCDE12345)" --wcguid NEC6C510-6202-13ED-9388-005056928F3B --in "/Users/peterjack/Desktop/plugins/MyWickedPlugin.aaxplugin" --out "/Users/peterjack/Desktop/plugins/MyWickedPlugin.aaxplugin" --password myilokpassword

And just like for Windows, you will only have to specify the password for your iLok once.

Once you have your AAX plugins signed with PACE, you can package them into a PKG installer along with your other formats for distribution, which you will sign and notarize prior to distributing it.

Have fun!

gorangrooves

And regarding notarization, the old commands using alt tool not longer work with XCode 14.

Whoever wrote Apple's documentation on the subject is a bit of an ignorant dumb dickass for failing to properly specify how certain values should be written in the command line. They write things like this:

% xcrun notarytool submit OvernightTextEditor_11.6.8.zip

As if the OS is magically going to guess where the file is. Fuckin' dickshit wasted so much of my time with this and the rest of the command.

So, I'll explain clearly how to do this, so you don't have to waste a second.

Go to appleid.apple.com and create an "app-specific" profile. Say, create a profile called MyNotary. You will be provided a password, which you will need to copy and save to a text document on your computer, as you won't see it again.

You are now going to save that signing profile into your computer's keychain, by running the following line into the Terminal (after replacing relevant values):

xcrun notarytool store-credentials --apple-id "yourname@yourdomain.com" --password "1234-aein-uiod-vpax" --team-id "12345ABCDE"

The Apple ID you will enter above is your email registered with your developer account.
The password is the app-specific password you were provided for the profile MyNotary you previously created.
The Team ID is your developer team ID that you use for signing plugins on MacOS and can see it in your Apple developer account.

So, now that you clearly know how to enter those values without guessing if they should be specified with <> or [] or '' or {}, it will be a breeze.

Time to notarize the PKG installer.

Enter the following command line into the Terminal after replacing the appropriate values:

xcrun notarytool submit "/Users/peterjack/Desktop/PACKAGES PROJECTS/build/MyAppReadyForDistribution.pkg" --keychain-profile "MyNotary" --wait

So, basically, you just need to change the path to your file and specify the name of your actual notary profile previously saved in your Keychain. Hit enter and wait until it runs the check, uploads, scans and tells you that it was accepted.

Before you notarize the PKG file, all plugins needs to be code-signed with a timestamp, and your standalone app also needs to have the hardened runtime forced. You do that for the app by running the following line (after replacing the obvious values):

codesign --deep --force --options runtime --sign "Developer ID Application: Peter Jack (12345ABCDE)" "/Users/peterjack/Desktop/plugins/MyStandAloneApp.app”

Let me know if anything is not clear enough.

optimistic

@gorangrooves Thanks so much for the detailed response!

I ended up getting this working in the end and this post helped quite a bit.

It was actually a series of things including me not understanding AAX plugins on windows are folders, that in and out needed to be the same and that HISE wasn’t correctly building the plugins because I needed to change a property in VS.

Again, the help is super appreciated and great luck with your release. Your products look really interesting to me and plan on giving them a closer look in the future.

gorangrooves

@optimistic You are very welcome! I am glad to be able to contribute something here that will help others. I've gotten wonderful help over the last few years from the amazing folks here. Best of success with your products!

Adam_G

This post is deleted!