How to start with signing audio plugins?

Good afternoon,

I’ve written a VST3 audio plugin and I want to sign the VST3 binary to avoid this problem on macOS:

“Plugin.vst3” cannot be opened because the developer cannot be verified.

macOS cannot verify that this app is free from malware.

[Move to Bin] [Cancel]

Gatekeeper blocks it: Open a Mac app from an unidentified developer - Apple Support

There are some tricks to run the plugin even when it’s unsigned, but this is nothing you want to push to customers.

Now I’m not familiar with the Apple world and don’t know where to start. I’ve googled and searched this forum, but I’m just blown away by all the content.

I think I found out the following:

  • You need to sign the VST3 binary somehow with XDebug
  • You sadly need an Apple Developer account
  • You need to notarize the installer if you want to have an installer. At the moment I’m not keen on an installer, I just want the VST3 to be signed so Gatekeeper does not block it and the DAW loads it without hassle.

Can someone please tell me where to start or what is a good resource that guides me through the process of signing the VST3 for Apple? What are the steps?

Thank you very much.

P.S. On Windows everything works without signing. With lower priority I also want to sign the Windows version. So if you have the same information for Windows, please post it as well. But my main focus at the moment is on Apple.

3 Likes

You need to enroll in the Apple Developer Program, costing 99/year: Apple Developer Program - Apple Developer

After enrolling, you need to create certificates for code signing and the installer. Furthermore, you need to do some more to get up and running for notarization. I don’t remember the steps now, but there’s a thread around in the forum with all you need.

Thank you for the reply. As I said, I don’t want/need an installer at this point. If I sign the VST3 file and it is placed in the VST3 folder, it should work without the warning / block from Apple, is this correct?

I still need the Apple Developer Account and to create a certificate, as far as I know (but no notarization). If someone knows a good up-to-date article, please let me know :slight_smile:

You can also generate a certificate locally, but apparently the local certificate solution doesn’t work if you build on macOS 10.15 and above.

Say I enroll in the Apple Developer Program, create a certificate there and sign my VST3 binary (and don’t use an installer at the moment): how long does this process probably take? Do I have to reckon with days/weeks because of Apple?

Days. Once enrolled in the Apple Developer program, it’s just some work to be done. Creating a certificate is a matter of minutes (but probably you need some hours to figure out the details). Codesigning takes seconds, but again takes some time to figure it out (there are many posts on it here in the forum and on the web). If you have an app or an installer you need to notarize, this usually takes a few minutes (but again: for the first time doing it, it takes some hours to figure out the details). It took me the better part of a whole day from “damn, I need to learn about this code signing / notarisation stuff” to “I have a script that takes care of codesigning and notarisation and creates an installer that works on other people’s computers”.

2 Likes

Ok, that’s exactly what I thought :sweat_smile: Thank you.

Ahm, yes, on the web and even in this forum there’s a lot of content about this topic, but nothing felt like a “how to start” or easy guide.

So if anybody can recommend a good article or post that describes how to sign a simple VST3 audio plugin with the basic steps, I’d appreciate this very much. Otherwise, I’ll try to figure it out as soon as I’m part of the Apple Developer program.

But even regarding this, I have two options and I’m not so sure:

### Enrolling as an Individual

If you are an individual or sole proprietor/single person business, get started by signing in with your Apple ID with two-factor authentication turned on. You’ll need to provide basic personal information, including your legal name and address.

### Enrolling as an Organization

If you’re enrolling your organization, you’ll need an Apple ID with two-factor authentication turned on, as well as the following to get started: (...)

I am a one-man organization, so according to the text I can still enroll as an individual, right? Any suggestions?

Thanks to you all

I can share my findings …

  • activate “hardened runtime” (easy in Projucer)
  • build a release version (otherwise you may run into strange issues)
  • There are various types of certificates. For codesigning the VST3 you need a “Developer ID Application” certificate
  • For getting a certificate I found this Getting Your Development Signing Certificate helpful
  • Codesigning is easiest done in the Terminal with the “codesign -s” command. Important: don’t forget to add a timestamp (with “--timestamp”)
  • You can check with “codesign -vv” … BUT: it just tells you whether it managed to add your certificate. If you have used the wrong type of certificate (see above), your VST3 will not work well on other machines
  • If you want to create an installer, e.g. a .pkg, or you want to make a .dmg, you need a “Developer ID Installer” certificate. If you use the whitebox Packages tool you can add it there and it will take care of the code signing of the package.
  • CAUTION: you will need to notarise those, and only read-only disk images and flat packages can be notarised (afaik)
  • For the notarisation you need a product specific code. This can be generated in your Apple Developer Account and afterwards you can import it to your keychain
  • For the notarisation I first tried tools that are supposed to ease the workflow … but that did not work out for me. Finally I found this post https://forum.juce.com/t/notarizing-after-code-signing/39351/19 by @DavidCNAntonia which did the trick and works flawlessly

I am not an expert in this - so please be forgiving if something does not work for you just because it did work for me by accident. I hope some part of this maybe saves you some time.

9 Likes

This looks like a good summary, thank you!

This post, including all the necessary commands, helped me a lot getting started with signing: HOWTO macOS Mojave/Catalina notarization (plugins, app, pkg installers) - DSP and Plug-in Development Forum - KVR Audio

1 Like

Very nice, thanks!
BTW, does the Projucer sign with --timestamp, or should it be done by “hand” instead?

It does not add a timestamp automatically in my case (Projucer 6.0.4) (hence notarisation does complain about this).

But @DaveH figured out here how to add this in the projucer settings.

1 Like

I have an Apple Developer account now. I’ll try to follow the steps above in order to sign my VST3 and we’ll see if it all works like expected :smiley:

  1. I’ve turned on “Use Hardened Runtime” in the macOS configuration.
  2. I’ve built the release version (VST3).
  3. At https://developer.apple.com I create a new certificate.
  4. Apple asks for a Certificate Signing Request (CSR) file to upload. I’m logged in at developer.apple.com from my Windows machine, so I need to switch again to the other machine and try to follow those steps.
  5. I followed all steps and uploaded the file.
  6. It worked and now I can download my certificate. But the information alert says I have to notarize my software. This leaves me a bit confused, because I thought I only need to notarize installers but not the VST3. In my case (where I don’t have/want an installer) it remains an open question to me whether I have to notarize the VST3 or not. We’ll find out later, I think.
  7. Download your certificate to your Mac, then double click the .cer file to install in Keychain Access. Make sure to save a backup copy of your private and public keys somewhere secure.
  8. Open the Terminal and run:
    codesign -s "My common name" "path/to/Plugin.vst3" --timestamp
  9. This seems to be everything regarding code signing. It worked.

However, when you have installed the certificate on your Mac, it’s maybe enough to set the “Code-Signing Identity” in Projucer to the “common name” :thinking: EDIT: No, because I get an error “No certificate matching ‘’ found”, so maybe this way you need to do more… (using the Terminal worked). But does someone know more about that Projucer option here?

1 Like

In case you want to notarize the VST3 file without package / installer, this is how it works afaik now:

  1. Sign the file in advance
  2. ZIP the VST3 file
  3. Generate an “app-specific password” :point_right: Using app-specific passwords - Apple Support
  4. Run the command:
    xcrun altool --notarize-app \
      --primary-bundle-id "com.example.whatever" \
      --username "Your Apple Email" \
      --password "The password created in step 3" \
      --file "Plugin.vst3.zip"
  5. Just seconds after that I got a success email. I’m not sure if you can wait or do the next step even before the success email. EDIT: You have to wait until you get the success email and then continue.
  6. Use “Stapler” so that the file also causes no trouble for offline users… command:
    xcrun stapler staple "Plugin.vst3"
  7. You can now share the VST3 file.

For an installer / package it’s maybe a bit different. And yes, you probably should consider creating an installer, but you don’t need to.

This article helped me: Apple Developer Documentation

3 Likes
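As an added example (not code from the thread or from any of its posters), here is the signing post and the notarization post above combined into one Terminal script. It assumes the macOS tools the thread uses (codesign, xcrun altool, xcrun stapler) plus ditto for the zip step, a “Developer ID Application” identity, and an AC_PASSWORD environment variable holding the app-specific password from step 3; the identity, bundle id, Apple ID and plugin path are placeholders passed as arguments. It adds two checks the posts do not spell out: the Authority line of codesign -dvv confirms the certificate type (the codesign -vv caveat from the findings list), and polling altool --notarization-info replaces waiting for the e-mail before stapling.

```shell
#!/bin/sh
# Added example, not from the thread. Sign, check, notarize and staple a VST3 bundle
# from the Terminal using the altool-based flow posted above.
# Assumptions/placeholders: signing identity, bundle id and Apple ID come in as
# arguments; AC_PASSWORD holds the app-specific password from step 3.
set -eu

# Pull the RequestUUID out of `xcrun altool --notarize-app` output, which contains
# a line of the form "RequestUUID = <uuid>". Prints the uuid, or nothing if absent.
extract_request_uuid() {
  printf '%s\n' "$1" | sed -n 's/^RequestUUID = \([0-9A-Fa-f-]*\).*/\1/p' | head -n 1
}

# Pull the Status value ("in progress", "success" or "invalid") out of
# `xcrun altool --notarization-info` output.
extract_status() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Status: *\(.*\)$/\1/p' | head -n 1
}

# Step 8 of the signing post: sign with a secure timestamp, then verify.
# `codesign -vv` only proves the signature is intact; the Authority check guards
# against the wrong-certificate-type pitfall (must be "Developer ID Application").
sign_plugin() {
  identity=$1; plugin=$2
  codesign --force --timestamp -s "$identity" "$plugin"
  codesign -vv --strict "$plugin"
  codesign -dvv "$plugin" 2>&1 | grep -q '^Authority=Developer ID Application' \
    || { echo "not signed with a Developer ID Application certificate" >&2; return 1; }
}

# Steps 2 to 6 of the notarization post: zip, submit, poll until Apple is done, staple.
notarize_and_staple() {
  bundle_id=$1; apple_id=$2; plugin=$3
  zip_file="$plugin.zip"
  ditto -c -k --keepParent "$plugin" "$zip_file"
  submit_out=$(xcrun altool --notarize-app \
      --primary-bundle-id "$bundle_id" \
      --username "$apple_id" \
      --password "$AC_PASSWORD" \
      --file "$zip_file")
  uuid=$(extract_request_uuid "$submit_out")
  [ -n "$uuid" ] || { echo "no RequestUUID in altool output:" >&2; echo "$submit_out" >&2; return 1; }

  # Step 5 of the post: never staple before Apple reports success. Poll the request
  # instead of waiting for the e-mail.
  status="in progress"
  while [ "$status" = "in progress" ]; do
    sleep 30
    info_out=$(xcrun altool --notarization-info "$uuid" --username "$apple_id" --password "$AC_PASSWORD")
    status=$(extract_status "$info_out")
  done
  [ "$status" = "success" ] || { echo "notarization finished with status: $status" >&2; echo "$info_out" >&2; return 1; }

  # Staple the ticket to the bundle itself (not the zip) so offline machines accept it.
  xcrun stapler staple "$plugin"
  xcrun stapler validate "$plugin"
}

# Usage (placeholder values):
#   AC_PASSWORD=... ./notarize_vst3.sh "Developer ID Application: Name (TEAMID)" \
#       com.example.whatever you@example.com Plugin.vst3
if [ $# -eq 4 ]; then
  sign_plugin "$1" "$4"
  notarize_and_staple "$2" "$3" "$4"
fi
```

The two parsing helpers are separated from the tool calls so the script's handling of altool's output can be checked without a Mac; everything else has to run on macOS with the developer tools installed.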

AFAIK the hardened runtime option only affects app builds. So if you are planning to distribute a Standalone build of your project, that would matter (since it’s required to pass Apple’s notarization) - but if you’re just doing VST3 it doesn’t matter.

Ah, interesting. I also observed this when I accidentally forgot to enable the hardening.

But my understanding is: when the host running the plugin has the hardened runtime enabled, then the plugins also need to have the correct entitlements; otherwise that would put a big hole into the whole security philosophy of “hardened runtime”, no?

At least here @op414 seems to have experienced this. I am not sure if there are hosts out in the market where you currently run into this problem, but I thought it’s better to err on the safe side.

By the way, my beta tester confirmed it works now on his Apple. The notarize process took just a few minutes, the biggest part was the upload. But just minutes after that I got an email from Apple, saying it was successful.

One thing that I find an interesting question, maybe someone knows more about this:

The certificate is valid for 5 years. So in case I finished the plugin and don’t want to create new plugins or make updates, can I quit the Apple Developer program and save costs? Do I need to make new versions after 5 years because the certificate is no longer valid? What happens to customers that downloaded it >5 years ago and still use that version?

The certificate is valid for 5 years, so it will stay valid even if you are no longer an Apple developer.
After 5 years, I don’t know what will happen, to be frank. It depends on how Apple implemented the scheme, and of course, even if they say something today, in 5 years they may have changed it…

1 Like

I’m still using this for the whole notarisation / code signing process for plugins, no need for hardened runtime as that is app only. All I do is build with no special settings in the Projucer/Xcode and then let the Terminal commands do the rest (however I do add the dev team id for iOS builds as there is no other option but to let Xcode sign that, which causes problems with iCloud etc. so is less easy). One thing to add is that I am still using Catalina for this, as signing with Big Sur can cause compatibility problems with older versions of macOS.

Yeah, the process uploads your package/file to Apple for virus scanning etc. Once they have checked it, they will allow you to staple the certificate to say it is “safe”.

You can leave this blank as the code signing is being done from terminal instead of from Xcode.

1 Like

Same for me, after I finally decided to move to signing my Apple plugins :sob: