I can share my findings …
- activate “hardened runtime” (easy in Projucer)
- build a release version (otherwise you may run into strange issues)
- There are various types of certificates. For codesigning the VST3 you need a “Developer ID Application” certificate
- For getting a certificate I found this “Getting Your Development Signing Certificate” helpful
- codesigning is easiest done in the terminal with the “codesign -s” command. Important: don't forget to add a timestamp (with “--timestamp”)
- you can check with “codesign -vv” … BUT: it just tells you whether it managed to add your certificate. But if you have used the wrong type of certificate (see above) your VST3 will not work well on other machines
- if you want to create an installer, e.g. a .pkg, or you want to make a .dmg, you need a “Developer ID Installer” certificate. If you use the whitebox Packages tool you can add it there and it will take care of the code signing of the package.
- CAUTION: you will need to notarise those, and only read-only disk images and flat packages can be notarised (afaik)
- for the notarisation you need a product-specific code. This can be generated in your Apple Developer Account and afterwards you can import it to your keychain
- for the notarisation, first I tried tools that are supposed to ease the workflow … but that did not work out for me. Finally I found this post https://forum.juce.com/t/notarizing-after-code-signing/39351/19 by @DavidCNAntonia which did the trick and works flawlessly
I am not an expert in this - so please be forgiving if something does not work for you just because it did work for me by accident. I hope some part of this maybe saves you some time.
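The check below is an added example, not part of the original post: it reads the text that `codesign -dvv` prints for a signed bundle and reports the three things the steps above depend on (certificate type, secure timestamp, hardened runtime). The function name and both sample outputs, including the names and team IDs in them, are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `codesign -dvv` output on stdin, prints one line per
# check, and returns 0 only if all three checks pass.
check_signing_info() {
    info=$(cat)
    rc=0
    # The first Authority= line is the leaf certificate that signed the code.
    leaf=$(printf '%s\n' "$info" | sed -n 's/^Authority=//p' | head -n 1)
    case "$leaf" in
        "Developer ID Application:"*) echo "OK   certificate: $leaf" ;;
        "") echo "FAIL certificate: no Authority line (unsigned or ad hoc)"; rc=1 ;;
        *)  echo "FAIL certificate: $leaf (not Developer ID Application)"; rc=1 ;;
    esac
    # With --timestamp the output has Timestamp=; without it, Signed Time=.
    if printf '%s\n' "$info" | grep -q '^Timestamp='; then
        echo "OK   secure timestamp present"
    else
        echo "FAIL no secure timestamp (sign with --timestamp)"; rc=1
    fi
    # Hardened runtime appears as "runtime" in the CodeDirectory flags.
    if printf '%s\n' "$info" | grep '^CodeDirectory ' | grep -Eq 'flags=[^ ]*runtime'; then
        echo "OK   hardened runtime enabled"
    else
        echo "FAIL hardened runtime flag missing"; rc=1
    fi
    return $rc
}

# Constructed sample: signed as the post describes.
SAMPLE_GOOD='Identifier=com.example.MyPlugin
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Audio (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 1, 2024 at 12:00:00
TeamIdentifier=EXAMPLE123'

# Constructed sample: development certificate, no timestamp, no hardened runtime.
SAMPLE_WRONG_CERT='Identifier=com.example.MyPlugin
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Authority=Apple Development: Jane Doe (EXAMPLE456)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jan 1, 2024 at 12:00:00
TeamIdentifier=EXAMPLE123'

printf '%s\n' "$SAMPLE_WRONG_CERT" | check_signing_info || echo "=> signature needs fixing"
```

On a Mac, feed it real output with `codesign -dvv MyPlugin.vst3 2>&1 | check_signing_info` (codesign writes this information to stderr, hence the redirect).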
