Confusion on Catalina / notarization / hardened run-time - no changes needed after all?

So, today I wanted to check how my plugin and its installer are behaving in Catalina.
This is my context:

  • the last official plugin release was built at the end of 2018 (before Catalina existed) with Xcode 10.x (or perhaps even 9.x; would need to look it up)
  • my installer package (created with Packages) is code-signed
  • the VST and AU plugins inside the .pkg are NOT signed
  • the AAX plugin inside the .pkg is signed with the Eden tools from PACE
  • the installer .pkg file was NOT submitted to Apple for notarization
  • I didn’t do anything regarding “hardened run-time” (feel free to explain how this impacts plugins and what I should do)
  • the software is distributed outside the app store (installer package download from my site)
  • I’ve been an official (paying) Apple developer for several years

So I cloned my 10.14 system to an external USB drive and then upgraded that clone to 10.15 (Catalina).
I removed all traces of my plugin from the system, and then ran the installer as-is.

Results:

  • Apart from the usual “Installer is trying to install new software” dialog where you have to type your password to allow this, the installation worked fine as before.
  • When activating the plugin (from inside the plugin itself, which contacts my activation server) everything worked fine as well (an activation response file gets written to the user’s disk).
  • I activated my plugin from within the latest version of Logic Pro X and also tested the plugin in GarageBand and Plogue Bidule, and found no issues so far (didn’t test Pro Tools yet, but given that they don’t currently support Catalina, that can wait).

But what does this mean?
I was under the impression things would no longer work without changes to the signing process / adding notarization / making settings for hardened run-time…
So, what gives? Is this just a temporary thing for a few months as a “transition window”?
Is it because the installer was already signed months ago and my developer ID already exists for years and I got lucky?

This is what I see on the command line:

KTMacBookPro:SampleSumo ktanghe$ spctl --assess -vvv --type install SaltyGrainInstaller_1.1.3_20181228.pkg 
SaltyGrainInstaller_1.1.3_20181228.pkg: accepted
source=Developer ID
origin=Developer ID Installer: SampleSumo (PV86PQRTGE)
KTMacBookPro:SampleSumo ktanghe$ stapler validate SaltyGrainInstaller_1.1.3_20181228.pkg 
Processing: /Users/ktanghe/InstallSources/Sound/SampleSumo/SaltyGrainInstaller_1.1.3_20181228.pkg
SaltyGrainInstaller_1.1.3_20181228.pkg does not have a ticket stapled to it.

I read this thread: Apple Gatekeeper notarised distributables, but I’m still not sure if it is expected that I didn’t have to change anything at all, if this is only for standalone software apps, if this is because I was using an upgraded OS (vs. a fresh install), or if it’s just a temporary thing.

Could anyone explain this behavior I’m seeing? Thanks!

PS
I saw Apple will be present at ADC, so it would be good if they could make a clear presentation of what all this means for audio plugin developers.

Article below may be relevant; also, I believe that the date you built the plugin is relevant (binaries built prior to 2019 are ‘excused’ for now).
Apple has relaxed notarization required for macOS Catalina devices. The deadline is now four months away — January 2020

https://www.imore.com/apple-delays-notarization-non-app-store-software-macos-catalina-until-january-2020#targetText=Apple%20has%20relaxed%20notarization%20required,having%20issues%20with%20adopting%20notarization.


I tried to notarize my plugin and I got an error back from the server ‘not an app’. So do plugins not need to be notarized?

I also understand that only things downloaded from the internet need to be notarized. So if you run xattr -d com.apple.quarantine foo.vst it removes the flag that the file was downloaded and then it will run. So the .pkg needs to be signed / notarized but the contents don’t? I’m not 100% sure about that.
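The three command-line checks discussed in this thread (the `spctl --assess` / `stapler validate` session in the first post and the `com.apple.quarantine` attribute mentioned just above) can be scripted so the same audit is repeated on every build. The script below is an added example, not code from the original posts; it only runs the tools that already exist on macOS and parses their output, with the parsers split out so they can be exercised on captured text. Assumptions: `stapler` is invoked through `xcrun`, `spctl` prints its verdict on stderr (hence both streams are merged), and the quarantine attribute value uses the semicolon-separated `flags;timestamp;agent;uuid` layout.

```python
"""Audit a macOS installer .pkg the way the posts above check it by hand:
Developer ID assessment (spctl), stapled notarization ticket (stapler) and
the quarantine attribute that makes Gatekeeper assess a download at all
(xattr).  Added example; not the project's own tooling."""
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PkgAssessment:
    accepted: bool          # spctl verdict for --type install
    source: Optional[str]   # e.g. "Developer ID"
    origin: Optional[str]   # signing identity reported by spctl
    ticket_stapled: bool    # stapler validate found a notarization ticket
    quarantined: bool       # com.apple.quarantine attribute is present


def parse_spctl_output(text: str) -> Tuple[bool, Optional[str], Optional[str]]:
    """Parse `spctl --assess -vvv --type install <pkg>` output."""
    accepted, source, origin = False, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.startswith("source="):
            source = line[len("source="):]
        elif line.startswith("origin="):
            origin = line[len("origin="):]
    return accepted, source, origin


def parse_stapler_output(returncode: int, text: str) -> bool:
    """`stapler validate` exits 0 when a ticket is attached; with no ticket it
    reports "... does not have a ticket stapled to it." and exits non-zero."""
    return returncode == 0 and "does not have a ticket stapled" not in text


def parse_xattr_output(returncode: int, text: str) -> bool:
    """`xattr -p com.apple.quarantine <file>` prints the attribute value
    (assumed layout: flags;timestamp;agent;uuid) or fails when it is absent."""
    return returncode == 0 and ";" in text.strip()


def _run(cmd: List[str]) -> Tuple[int, str]:
    # spctl writes its verdict to stderr, so merge both streams.
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          universal_newlines=True)
    return proc.returncode, proc.stdout


def assess_pkg(path: str) -> PkgAssessment:
    """Run the three checks against a real .pkg (macOS only)."""
    for tool in ("spctl", "xcrun", "xattr"):
        if shutil.which(tool) is None:
            raise RuntimeError("%s not found; this audit needs macOS" % tool)
    _, out = _run(["spctl", "--assess", "-vvv", "--type", "install", path])
    accepted, source, origin = parse_spctl_output(out)
    rc, out = _run(["xcrun", "stapler", "validate", path])
    stapled = parse_stapler_output(rc, out)
    rc, out = _run(["xattr", "-p", "com.apple.quarantine", path])
    quarantined = parse_xattr_output(rc, out)
    return PkgAssessment(accepted, source, origin, stapled, quarantined)


def findings(a: PkgAssessment) -> List[str]:
    """Plain-English findings for the distribution checklist in the thread."""
    signed = a.accepted and a.source == "Developer ID"
    return [
        "Developer ID signature: " + ("ok (%s)" % a.origin if signed else "MISSING/REJECTED"),
        "Notarization ticket stapled: " + ("yes" if a.ticket_stapled else "no (stapler found no ticket)"),
        "Quarantine attribute: " + ("set, so Gatekeeper will assess this download"
                                    if a.quarantined else
                                    "not set; a test with this file does not exercise Gatekeeper's download path"),
    ]


if __name__ == "__main__":
    import sys
    for line in findings(assess_pkg(sys.argv[1])):
        print(line)
```

The quarantine check is the one worth keeping rather than bypassing: a file copied onto the test machine instead of downloaded carries no `com.apple.quarantine` attribute, so Gatekeeper never assesses it and an install "working fine" proves nothing about notarization. Running the audit on the package exactly as a customer receives it (downloaded in Safari onto a clean Catalina install) is what answers the question asked in the first post.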

I still am not totally clear on the answer to that. Here’s what I can add:

Today I was notarizing an already-built installer package from the command line, following Apple’s instructions here.

The installer was notarized with no problem. When checking the log file for the notarization (at the LogFileURL provided by Apple), it lists the “ticketContents” in detail. Itemized there were 8 entries:

  • The overall installer .pkg
  • A plug-in bundle for each of the AU and VST3 formats (.component and .vst3)
  • The plug-in binary within each of the bundles (i.e. within /Contents/MacOS/ subdirectories) for AU, VST, and AAX
  • A couple of Pace_Eden entries for the AAX

For each entry it lists a cdhash value. So it would seem that each binary included within the installer is being tracked by the single notarization step. But I can’t say for sure.
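The question left open above (does one notarization ticket really cover every binary inside the installer?) can be answered from the log itself: each `ticketContents` entry carries a cdhash, and `codesign -dvvv` reports the same code directory hash for the binary you actually ship. The following is an added example, not code from the posts or from Apple. The field names `ticketContents`, `path` and `cdhash` are the ones described above; `status`, `statusSummary`, `digestAlgorithm`, `arch` and `issues` are assumed field names, and every path, bundle name and hash in the sample log is constructed.

```python
"""Inspect a notarization log (the JSON served at the LogFileURL) to list the
items one ticket covers, flag expected binaries that are missing from it, and
compare a shipped binary's cdhash with the one recorded in the ticket.
Added example; the sample log below is constructed, not a real Apple log."""
import json
import shutil
import subprocess
from typing import Dict, List, Optional

SAMPLE_LOG = """{
  "status": "Accepted",
  "statusSummary": "Ready for distribution",
  "ticketContents": [
    {"path": "ExampleInstaller.pkg",
     "digestAlgorithm": "SHA-256", "cdhash": "0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d", "arch": "x86_64"},
    {"path": "ExampleInstaller.pkg/Payload/Library/Audio/Plug-Ins/Components/ExamplePlugin.component",
     "digestAlgorithm": "SHA-256", "cdhash": "1111111111111111111111111111111111111111", "arch": "x86_64"},
    {"path": "ExampleInstaller.pkg/Payload/Library/Audio/Plug-Ins/Components/ExamplePlugin.component/Contents/MacOS/ExamplePlugin",
     "digestAlgorithm": "SHA-256", "cdhash": "2222222222222222222222222222222222222222", "arch": "x86_64"},
    {"path": "ExampleInstaller.pkg/Payload/Library/Audio/Plug-Ins/VST3/ExamplePlugin.vst3/Contents/MacOS/ExamplePlugin",
     "digestAlgorithm": "SHA-256", "cdhash": "3333333333333333333333333333333333333333", "arch": "x86_64"}
  ],
  "issues": []
}"""


def ticket_entries(log_text: str) -> List[dict]:
    """Return the ticketContents list from a notarization log."""
    return json.loads(log_text).get("ticketContents", [])


def cdhash_by_path(entries: List[dict]) -> Dict[str, str]:
    """Map every ticketed path to its code directory hash."""
    return {e["path"]: e["cdhash"] for e in entries}


def covered_binaries(entries: List[dict]) -> List[str]:
    """Mach-O executables inside bundles, i.e. paths under Contents/MacOS/."""
    return [e["path"] for e in entries if "/Contents/MacOS/" in e["path"]]


def uncovered(expected_suffixes: List[str], entries: List[dict]) -> List[str]:
    """Expected binaries (given by path suffix) that have no cdhash in the ticket."""
    paths = [e["path"] for e in entries]
    return [s for s in expected_suffixes if not any(p.endswith(s) for p in paths)]


def parse_codesign_cdhash(text: str) -> Optional[str]:
    """`codesign -dvvv <binary>` reports the code directory hash as 'CDHash=<hex>'."""
    for line in text.splitlines():
        if line.startswith("CDHash="):
            return line[len("CDHash="):].strip().lower()
    return None


def local_cdhash(binary_path: str) -> Optional[str]:
    """Run codesign on a real binary (macOS only); its details go to stderr."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; this needs macOS")
    proc = subprocess.run(["codesign", "-dvvv", binary_path],
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          universal_newlines=True)
    return parse_codesign_cdhash(proc.stdout)


def ticket_matches(entries: List[dict], ticket_suffix: str, local_hash: Optional[str]) -> bool:
    """True when the hash codesign reports equals the one recorded in the ticket."""
    for path, h in cdhash_by_path(entries).items():
        if path.endswith(ticket_suffix):
            return h.lower() == (local_hash or "").lower()
    return False


if __name__ == "__main__":
    entries = ticket_entries(SAMPLE_LOG)
    print("binaries covered by the ticket:")
    for p in covered_binaries(entries):
        print("  ", p)
    # An AAX binary is expected but absent from the constructed log, so it is reported.
    print("expected but not ticketed:",
          uncovered(["ExamplePlugin.aaxplugin/Contents/MacOS/ExamplePlugin"], entries))
```

On a real build, pair `ticket_entries(open(log_path).read())` with `local_cdhash(<installed binary>)` and `ticket_matches(...)`: a match confirms that the binary inside the installer is the exact one the ticket vouches for, and any entry in `uncovered` is a binary the installer ships that Gatekeeper cannot attribute to the notarization.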