There are some tricks to run the plugin even when it’s unsigned, but this is nothing you want to push to customers.
Now I’m not not familiar with the Apple world and don’t know where to start. I’ve googled and searched this forum, but I’m just blown away by all the content.
I think I found out the following:
You need to sign the VST3 binary somehow with XDebug
You sadly need an Apple Developer account
You need to notarize the installer if you want to have an installer. At the moment I’m not keen on an installer, I just want the VST3 to be signed so Gatekeeper does not block it and the DAW loads it without hassle.
Can someone please tell me where to start or what is a good resource that guides me through the process of signing the VST3 for Apple? What are the steps?
Thank you very much.
P.S. On Windows everything works without signing. With lower priority I also want to sign the Windows version. So if you have the same information for Windows, please post it in. But my main focus at the moment is on Apple.
After enrolled, you need to create certificates for code signing and the installer. Furthermore, you need to do some more to get up and running for the notarization. I don’t remember the steps now, but there’s a thread around in the forum with all you need.
Thank you for the reply. Like said, I don’t want/need an installer at this point. If I sign the VST3 file and it will be placed in the VST3 folder it should work without the warning / block from Apple, is this correct?
I still need the Apple Developer Account and create a certificate as much as I know (but no notarization). If someone knows a good up-to-date article, please let me know
Hey I enroll to the Apple Developer Program, create an certificate there and sign my VST3 binary (and not use an installer at the moment), how long does this process probably take? Do I have to calculate with days/weeks because of Apple?
Days. Once enrolled in the Apple Developer program its just some work to be done. creating a certificate is a matter of minutes (but probably you need some hours to figure out the details). Codesigning takes seconds, but again takes some time to figured it out (there are many posts on it here in the forum and in the web. if you have an app or an installer you need to notarize, this usually takes a few minutes ( but again: for the first time doing it it takes some hours to figure out the details). it took me the better part of a whole day from “damn i need to learn about this code signing / notarisation stuff” to “i have a script that takes care for codesiging and notarisation and creates an installer that works on other peoples computers”.
Ahm, yes on the web and even in this forum there’s a lot of content about this topic but nothing felt like a “how to start” or easy guide.
So if anybody can recommend a good article or post that describes how to sign a simple VST3 audio plugin with the basic steps, I’d appreciate this very much. Otherwise, I try to figure it out as soon as I’m part of the Apple Developer program.
But even regarding this, I’ve two options and I’m not so sure:
### Enrolling as an Individual
If you are an individual or sole proprietor/single person business, get started by signing in with your Apple ID with two-factor authentication turned on. You’ll need to provide basic personal information, including your legal name and address.
### Enrolling as an Organization
If you’re enrolling your organization, you’ll need an Apple ID with two-factor authentication turned on, as well as the following to get started: (...)
I am on one-man organization, so according to the text I still can enroll as an individual, right? Any suggestions?
codesigning is easiest to be done in the terminal with the “codesign -s” command. Important: dont forget to add a timestamp (with “–timestamp”)
you can check with “codesign -vv” … BUT: it just tells you wether it managed to add your certificate. But if you have used the wrong type of certificate (see above) your VST3 will not work well on other machines
if you want to create an installer, eg a .pkg or your want to make an .dmg you need a “Developer ID Installer” certificate. if you use the whitebox Packages tool you can add it there and it will take care for the code signing of the package.
CAUTION: you will need to notarise those, and only read-only disk images and flat packages can be notarised (afaik)
for the notarisation you need a product specific code. This can be generated in your Apple Developer Account and afterwards you can import it to your keychain
Apple asks for a Certificate Signing Request (CSR) file to upload. I’m logged in at developer.apple.com from my Windows machine - so I need to switch again to the other machine and try to follow those steps.
I followed all steps and uploaded the file.
It worked and now I can download my certificate. But, the information alert says I have to notarize my software. This leaves me a bit confused, because I thought I only need to notarize installers but not the VST3. In my case (where I don’t have/want an installer) it remains an open question to me if I have to notarize the VST3 then or not. We’ll find out later I think.
Download your certificate to your Mac, then double click the .cer file to install in Keychain Access. Make sure to save a backup copy of your private and public keys somewhere secure.
Open the Terminal and run: codesign -s "My common name" "path/to/Plugin.vst3" --timestamp
This seems to be everything regarding code signing. It worked.
However, when you installed the certificate on your mac, it’s maybe enough to set the “Code-Signing Identity” in Producer to the “common name” EDIT: No, because I get an error “No certificate matching ‘’ found” so maybe this way you need to do more… (using the Terminal worked). But does someone know more about that Producer option here?
Run the command:
xcrun altool --notarize-app
–username “Your Apple Email”
–password “The password created in step 3”
Just seconds after that I got an success email. I’m not sure if you can wait or do the next step even before the success email. EDIT: You have to wait until you get the success email and then continue.
Use “Stapler” so that the file also makes no trouble for offline users… command: xcrun stapler staple "Plugin.vst3"
You can now share the VST3 file.
For an installer / package it’s maybe a bit different. And yes, you probably should consider to create an installer, but you don’t need to.
AFAIK the hardened runtime option only affects app builds. So if you are planning to distribute a Standalone build of your project, that would matter (since it’s required to pass Apple’s notarization) - but if you’re just doing VST3 it doesn’t matter.
Ah, interesting. I also observed this when I accidentally forgot to enable the hardening.
But my understanding is: when the host running the plugin has the hardened runtime enabled, then also the plugins need to have the correct entitlements; otherwise that would put a big hole
into the whole security philosophy of “hardened runtime”, no?
At least here@op414 seems to have experienced this. I am not sure if there are hosts out in the market where you currently run into this problem, but i thought its better to err on the safe side.
By the way, my beta tester confirmed it works now on his Apple. The notarize process took just a few minutes, the biggest part was the upload. But just minutes after that I got an email from Apple, saying it was successful.
One thing that I find an interesting question, maybe someone knows more about this:
The certificate is valid for 5 years. So in case I finished the plugin and don’t want to create new plugins or make updates, can I quit the Apple Developer program and save costs? Do I need to make new versions after 5 years because the certificate is no longer valid? What happens to customers that downloaded it >5 years ago and still use that version?
The certificate is valid for 5 years, so it will stay valid even if you are no longer an Apple developer.
After 5 years, I don’t know what will happen, to be franc. Depends on how Apple implemented the scheme, and of course, even if they say something today, in 5 years, they may have changed it…
I’m still using this for the whole motorisation code signing process for plugins, no need for hardened runtime as that is app only. All I do is build with no special settings in the producer/Xcode and then let the Terminal commands do the rest (however I do add dev team id for iOS builds as there is no other option but to let Xcode sign that - which causes problems with iCloud etc so is less easy). One thing to add is that I am still using Catalina for this as signing with Big Sur can cause compatibility problems with older versions of MacOS.
Yeah, the process uploads your package/file to apple for virus scanning etc. Once they have checked it then they will allow you to staple the certificate to say it is “safe”.
You can leave this blank as the code signing is being done from terminal instead of from Xcode.