RE: Notarisation help please!

It was that certificate that needed the permission change that was the block.

Honestly thank you so much to all of youf or your help I'm going to put together a post later this week step by step on what I had to do to get it working just incase anyone does face the same issues and at least then it summarised in one central location

@DanH cheers for that the AI heavily judged me for not quite having the correct type of certificate and I was able so far to successfully sign the things!

@d-healey thanks for your advice of doing it manually first so everythigns in place solid as always!

@JamesC @d-healey as predicted I missed a step, thanks so much for the videos that you have put out there, should have started with them!

@JamesC I like this a simple sensible solution I will definitely consider it!

Morning all

I'm sure as always its something I've missed. I've set up this XY pad to control 2 simple Gains. Its looking as it should and the dot behaving on the panel as it should adn when the cursor moves the dots the knobs respond correctly and so do the simple gains.

Now the knobs work and control the simple gains also But don't then force the dot to respond on the pad. If someone can have a look at the code here it would be most helpful. Thanks in advance

///XY Panel
const var XYPadPnl = Content.getComponent("XYPadPnl");
const var SimpleGain1 = Synth.getEffect("Simple Gain1");
const var SimpleGain2 = Synth.getEffect("Simple Gain2");

XYPadPnl.setControlCallback(onXYPadPnlControl);

inline function onXYPadPnlControl(component, value)
{
	component.repaint();
}
///Knobs
const var knobs = []; 

for (i = 0; i < 2; i++)
{
    knobs[i] = Content.getComponent("Knob"+(i+1));
    knobs[i].setControlCallback(XYPad);
}

// Mouse CB
XYPadPnl.setMouseCallback(function(event)
{
    if (event.clicked || event.drag)
    {
        this.data.x = Math.range(event.x / this.getWidth(), 0, 1);
        this.data.y = Math.range(event.y / this.getHeight(), 0, 1);
        
        this.changed();
               
        knobs[0].setValue(1*this.data.x);
        knobs[1].setValue(1-(1*this.data.y));
        knobs[0].changed();
        knobs[1].changed();
    }    
});

// Paint routine

const SIZE = 10

XYPadPnl.setPaintRoutine(function(g)
{
   	var l = this.getLocalBounds(0);
    
    g.fillAll(this.get("bgColour"));
    
    var x = Math.range(this.data.x * this.getWidth(), 0, this.getWidth() - SIZE);
    var y = Math.range(this.data.y * this.getHeight(), 0, this.getHeight() - SIZE);
      
    //Draw Dot
    g.setColour(this.get("itemColour"));
    g.fillEllipse([x, y, SIZE, SIZE]);

});

inline function XYPad(component, value)
{ 
    local idx = knobs.indexOf(component);
   XYPadPnl.repaint();
};

inline function onKnob1Control(component, value)
{
	if(value)
	   SimpleGain1.setAttribute(SimpleGain1.Gain,(1 - value)*-100);
	    
};
Content.getComponent("Knob1").setControlCallback(onKnob1Control);

It was that certificate that needed the permission change that was the block.

Honestly thank you so much to all of youf or your help I'm going to put together a post later this week step by step on what I had to do to get it working just incase anyone does face the same issues and at least then it summarised in one central location

Thanks all for this helpful info hopefully can make some prgoress! @DanH the more and more I'm digging in with this the mroe it seems like it is a certification issue:

UPDATE

So I went into this one that has the blue check and I said don't trust, went red, then always trust, went blue, the system defaults and its gone to green and is now trusted so I'm hoping that thats the missing piece of the puzzle will update once the mini ones have been put to bed!

@DanH

JamesC
about an hour ago

@Lindon @DanH @d-healey

Again guys thanks for your time I'm sorry I'm giving you lots to read but I really do appreciate it, I went and checked what I've been using against that script David and made some minor adjustments I've left all info in so you can see at this time:

codesign -s "Developer ID Application: Team Name (Number)" "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3" --timestamp

codesign -s "Developer ID Application: Team Name (Number)" "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/Components/OBSCURA.component" --timestamp
So then went and created my package in white box and the build succeeds and works as expected. So I then checked the productsign code for the package:

productsign --sign "Developer ID Installer: Team Name (Number)"
"/Users/jamescox/Documents/Obscura_Installer_1.0.0/build/Obscura_Installer_1.0.3.pkg"
"/Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.3.pkg"
Terminal then gives me this:

productsign: using timestamp authority for signature
Warning: unable to build chain to self-signed root for signer "Developer ID Installer: Team Name (Number)"
productsign: signing product with identity "Developer ID Installer: Team Name (Number)" from keychain /Users/jamescox/Library/Keychains/login.keychain-db
productsign: Wrote signed product archive to /Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.3.pkg

So I get a warning here. First question then becomes is this the first issue?

When I go to notorise using the code form David's script again it says Invalid. Again runing the log i get:

"message": "The binary is not signed with a valid Developer ID certificate.",

But in the keychain it says valid etc so I'm really confused now

@DanH @Lindon

Thanks guys yes I just removed it from posting so I had removed it Was doing:

Team Name (Team ID)

Please Don't tell me its something as simple as not having the brackets?

Hello all again...

Again thanks for the advice using that and a few other bits I was able to start getting a handle on things and I think I've identified an issue.

So I sign the plugins first:

codesign --force --deep --options runtime --timestamp \
  --sign "Developer ID Application: ID REMOVED FOR POST" \
  "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3"

codesign --force --deep --options runtime --timestamp \
  --sign "Developer ID Application: ID REMOVED FOR POST" \
  "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/Components/OBSCURA.component"

Then I went to verify it was completed:

codesign -dv --verbose=4 "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3"
spctl --assess --verbose=4 "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3"

codesign -dv --verbose=4 "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/Components/OBSCURA.component"
spctl --assess --verbose=4 "/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/Components/OBSCURA.component"

Now what I get back is my first question AI says this is normal as its not been notorized yet and will be in the pkg when we get to that bit, question though is whats below an actual issue?

/Users/jamescox/Documents/Obscura_Installer_1.0.0/Library/Audio/Plug-Ins/VST3/OBSCURA.vst3: rejected source=Unnotarized Developer ID

SO assuming what the AI said was correct i move on to building the package in whitebox packages, I can't set the certificate in whitebox itself as the build always fails so built without the certificate then move onto signing the pkg:

productsign \
  --sign "Developer ID Installer: ID REMOVED FOR POST" \
  "/Users/jamescox/Documents/Obscura_Installer_1.0.0/build/Obscura_Installer_1.0.1.pkg" \
  "/Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.1.pkg"

This comes back:

Warning: unable to build chain to self-signed root for signer "Developer ID Installer: ID REMOVED FOR POST"
productsign: signing product with identity "Developer ID Installer: ID REMOVED FOR POST" from keychain /Users/jamescox/Library/Keychains/login.keychain-db

Again AI says this isn't an issue (is it?) then go to verify the signing:

~ % pkgutil --check-signature "/Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.0.pkg" Package "Obscura_Installer_1.0.0.pkg": Status: signed by a certificate that has since expired Signed with a trusted timestamp on: 2025-09-15 20:11:56 +0000 Certificate Chain: 1. Developer ID Installer: ID REMOVED FOR POST Expires: 2030-09-11 04:17:53 +0000 SHA256 Fingerprint: REMOVED FROM POST

Again AI says this isn't an issue as the certificate is still valid even though its expired so I go to notorize:

crun notarytool submit "/Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.1.pkg" --keychain-profile "notary-profile" --wait

Which brings back:

Submission ID received
id: REMOVED FROM POST
Upload progress: 100.00% (43.7 MB of 43.7 MB)
Successfully uploaded file
id: REMOVED FROM POST
path: /Users/jamescox/Documents/SignedInstallers/Obscura_Installer_1.0.1.pkg
Waiting for processing to complete.
Current status: Invalid...........
Processing complete
id: REMOVED FROM POST
status: Invalid

So it fails so I run the log to see what the exact issue is which returns this:

{
"logFormatVersion": 1,
"jobId": "3b6f5430-86d4-40ba-8c10-e0b7fcab6dc1",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "Obscura_Installer_1.0.1.pkg",
"uploadDate": "2025-09-16T06:10:38.211Z",
"sha256": "e7e6f2d38e067189c3a72473084a0c7e133548531c0a855a8bb87461fa07685a",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "Obscura_Installer_1.0.1.pkg",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": null

So there the issue is the binary is not signed so whats the pitfall I'm missing here? I'm assuming its to do with the expired timestamp and not valid certificate even though when checking the certificates they are all valid etc.

Any further help would be greatly appreciated.

@Lindon said in Notarisation help please!:

You have added a password for altool in the apple developer web server?

Hey, so quick questions its saying I can't use atool I need to use notary tool as atool use is discontinued is this correct?

@Lindon

Thanks for the speedy response:

you have set up an apple developer account and paid the fees? Yes
You have added a password for altool in the apple developer web server? No

Will look into the second one now!

I've been following the guides as recommeneded and was able to use packages to build my pkg and folllow the steps in the Notarisation for dummies to sign that package.

I'm onto notarisation at this time and was using the following :

xcrun altool --notarize-app -f “/Users/jamescox/Documents/SignedInstallers/OBSCURAvst3.pkg" --primary-bundle-id com.occultaudio.pkg.OBSCURAvst3 --username “***********@gmail.com" --password "app specific password here"

Can anyone see something I'm not doing right here?

2025-09-14 16:47:02.980 *** Error: Unable to upload your app for notarization. You must specify authentication credentials (username/password or apiKey/apiIssuer). (-1011)
{
NSLocalizedDescription = "Unable to upload your app for notarization.";
NSLocalizedFailureReason = "You must specify authentication credentials (username/password or apiKey/apiIssuer).";
}
2025-09-14 16:47:02.981 *** Error: Unable to upload your app for notarization. --notarize-app is missing one or more required options: --primary-bundle-id. (-1027)
{
NSLocalizedDescription = "Unable to upload your app for notarization.";
NSLocalizedFailureReason = "--notarize-app is missing one or more required options: --primary-bundle-id.";