Confusion on Catalina / notarization / hardened run-time - no changes needed after all?

So, today I wanted to check how my plugin and its installer are behaving in Catalina.
This is my context:

  • the last official plugin release was built at the end of 2018 (before Catalina existed) with Xcode 10.x (or perhaps even 9.x; would need to look it up)
  • my installer package (created with Packages) is code-signed
  • the VST and AU plugins inside the .pkg are NOT signed
  • the AAX plugin inside the .pkg is signed with the Eden tools from PACE
  • the installer .pkg file was NOT submitted to Apple for notarization
  • I didn't do anything regarding "hardened run-time" (feel free to explain how this impacts plugins and what I should do)
  • the software is distributed outside the app store (installer package download from my site)
  • I've been an official (paying) Apple developer for several years

So I cloned my 10.14 system to an external USB drive and then upgraded that clone to 10.15 (Catalina).
I removed all traces of my plugin from the system, and then ran the installer as-is.

Results:

  • Apart from the usual "Installer is trying to install new software" dialog where you have to type your password to allow this, the installation worked fine as before.
  • When activating the plugin (from inside the plugin itself, which contacts my activation server) everything worked fine as well (an activation response file gets written to the user's disk).
  • I activated my plugin from within the latest version of Logic Pro X and also tested the plugin in GarageBand and Plogue Bidule, and found no issues so far (didn't test Pro Tools yet, but given that they don't currently support Catalina, that can wait).

But what does this mean?
I was under the impression things would no longer work without changes to the signing process / adding notarization / making settings for hardened run-time...
So, what gives? Is this just a temporary thing for a few months as a "transition window"?
Is it because the installer was already signed months ago and my developer ID already exists for years and I got lucky?

This is what I see on the command line:

KTMacBookPro:SampleSumo ktanghe$ spctl --assess -vvv --type install SaltyGrainInstaller_1.1.3_20181228.pkg 
SaltyGrainInstaller_1.1.3_20181228.pkg: accepted
source=Developer ID
origin=Developer ID Installer: SampleSumo (PV86PQRTGE)
KTMacBookPro:SampleSumo ktanghe$ stapler validate SaltyGrainInstaller_1.1.3_20181228.pkg 
Processing: /Users/ktanghe/InstallSources/Sound/SampleSumo/SaltyGrainInstaller_1.1.3_20181228.pkg
SaltyGrainInstaller_1.1.3_20181228.pkg does not have a ticket stapled to it.

I read this thread: Apple Gatekeeper notarised distributables, but I'm still not sure if it is expected that I didn't have to change anything at all, if this is only for standalone software apps, if this is because I was using an upgraded OS (vs. a fresh install), or if it's just a temporary thing.

Could anyone explain this behavior Iā€™m seeing? Thanks!

PS
I saw Apple will be present at ADC, so it would be good if they could make a clear presentation of what all this means for audio plugin developers.

Article below may be relevant, also I believe that the date you built the plugin is relevant (binaries built prior to 2019 are 'excused' for now).
"Apple has relaxed notarization required for macOS Catalina devices. The deadline is now four months away — January 2020"

https://www.imore.com/apple-delays-notarization-non-app-store-software-macos-catalina-until-january-2020#targetText=Apple%20has%20relaxed%20notarization%20required,having%20issues%20with%20adopting%20notarization.


I tried to notarize my plugin and I got an error back from the server 'not an app'. So do plugins not need to be notarized?

I also understand that only things downloaded from the internet need to be notarized. So if you run xattr -d com.apple.quarantine foo.vst it removes the flag that the file was downloaded and then it will run. So the .pkg needs to be signed / notarized but the contents don't? I'm not 100% sure about that.

I still am not totally clear on the answer to that. Here's what I can add:

Today I was notarizing an already-built installer package from the command line, following Apple's instructions here.

The installer was notarized with no problem. When checking the log file for the notarization (at the LogFileURL provided by Apple), it lists the "ticketContents" in detail. Itemized there were 8 entries:

  • The overall installer .pkg
  • A plug-in bundle for each of the AU and VST3 formats (.component and .vst3)
  • The plug-in binary within each of the bundles (i.e. within /Contents/MacOS/ subdirectories) for AU, VST, and AAX
  • A couple Pace_Eden entries for the AAX

For each entry it lists a cdhash value. So it would seem that each binary included within the installer is being tracked by the single notarization step. But canā€™t say for sure.

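To make the "ticketContents" observation above checkable, here is an added example (mine, not the poster's code and not an Apple tool) that parses a constructed notarization log and reports which installer, bundle, binary and PACE entries received a cdhash, plus which expected plug-in paths are missing from the ticket. The JSON key names (ticketContents, path, cdhash, arch) are assumed from the log format; every path and hash value below is made up.

```python
import json

# Constructed sample of the JSON log served at LogFileURL, cut down to the
# fields discussed in the thread. Key names are an assumption about the log
# format; paths and cdhash values are invented (8 entries, as in the post).
SAMPLE_LOG = """{
  "status": "Accepted",
  "statusSummary": "Ready for distribution",
  "ticketContents": [
    {"path": "ExamplePlug.pkg", "cdhash": "aa11", "arch": "x86_64"},
    {"path": "ExamplePlug.pkg/ExamplePlug.component", "cdhash": "bb22", "arch": "x86_64"},
    {"path": "ExamplePlug.pkg/ExamplePlug.component/Contents/MacOS/ExamplePlug", "cdhash": "cc33", "arch": "x86_64"},
    {"path": "ExamplePlug.pkg/ExamplePlug.vst3", "cdhash": "dd44", "arch": "x86_64"},
    {"path": "ExamplePlug.pkg/ExamplePlug.vst3/Contents/MacOS/ExamplePlug", "cdhash": "ee55", "arch": "x86_64"},
    {"path": "ExamplePlug.pkg/ExamplePlug.aaxplugin/Contents/MacOS/ExamplePlug", "cdhash": "ff66", "arch": "x86_64"},
    {"path": "ExamplePlug.pkg/ExamplePlug.aaxplugin/Contents/Resources/Pace_Eden", "cdhash": "0077", "arch": "x86_64"},
    {"path": "ExamplePlug.pkg/ExamplePlug.aaxplugin/Contents/Frameworks/Pace_Eden", "cdhash": "1188", "arch": "x86_64"}
  ],
  "issues": null
}"""

BUNDLE_EXTS = (".component", ".vst3", ".vst", ".aaxplugin")


def classify(path):
    """Bucket one ticket entry the way the poster itemized them."""
    if path.endswith(".pkg"):
        return "installer"
    if "Pace_Eden" in path:          # PACE wrapper pieces inside the AAX
        return "pace"
    if "/Contents/MacOS/" in path:   # the Mach-O binary inside a bundle
        return "binary"
    if path.endswith(BUNDLE_EXTS):
        return "bundle"
    return "other"


def summarize(log_text):
    """Return (status, {category: [paths]}) for a notarization log."""
    log = json.loads(log_text)
    buckets = {}
    for entry in log.get("ticketContents") or []:
        buckets.setdefault(classify(entry["path"]), []).append(entry["path"])
    return log.get("status"), buckets


def uncovered(log_text, expected_suffixes):
    """Expected plug-in paths (matched by suffix) that got no cdhash entry."""
    paths = [e["path"] for e in json.loads(log_text).get("ticketContents") or []]
    return [s for s in expected_suffixes if not any(p.endswith(s) for p in paths)]


if __name__ == "__main__":
    status, buckets = summarize(SAMPLE_LOG)
    print(status, {k: len(v) for k, v in buckets.items()})
```

A non-empty list from uncovered() means a format you ship (for example a legacy .vst binary) was not covered by the ticket and needs a second look before release.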

Update from Apple (Dec. 23rd 2019): https://developer.apple.com/news/?id=12232019a
