JUCE Newbie question: How do I code sign plugins with Xcode?

Hi! I’m new on the forum. I’m a 15-year professional software engineer with very little DSP or C++ experience. After playing around with ChucK and AudioKit and Supercollider last year, I’ve picked up JUCE and built a synth. It compiles to AU/AUv3/VST3/standalone, I think it sounds pretty cool, and I want to share it with some friends to get feedback.

But I can’t share my builds with people because of code signing issues. I’ve done some iOS development before, so I understand a little about code signing in general, but I don’t know how any of this translates to AUs and VSTs and JUCE.

My project Build settings for Signing look like this:

Can anyone tell me what might be going wrong or point me to where I can help myself understand how this is all supposed to work?

EDIT: I should perhaps add: My intention is probably to drop the standalone app and build a dmg for the AU and VST. I also do not have a paid developer account, and I don’t know if I need to have one or not for this.

I got a little farther: I went to each Target individually and set the Code Signing Identity and Development Team. I’m getting _CodeSignature folders inside my .component and .vst3 now. However, the “…can’t be opened because Apple cannot check it for malicious software” message persists.

After code signing you have to send it off to Apple for Notarization.

Take a look here as a starting point.

Useful links:

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues?language=objc

https://developer.apple.com/library/archive/technotes/tn2206/_index.html

Here’s a tool I’ve tried in the past. I never really got it working, but it was useful for reading logs from Apple.
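
The sign, notarize and staple sequence the replies above point to, written out as an added example (not code from any poster in this thread). It assumes a Developer ID Application certificate, which Apple issues only to paid Developer Program members, an Xcode install that provides `notarytool`, and a keychain profile saved beforehand; the identity string, the profile name `notary-profile` and the bundle name are placeholders. It prints the commands by default and runs them only with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: sign, notarize and staple one plugin bundle (.component / .vst3).
# Placeholders (assumptions, not from the thread): IDENTITY and PROFILE.
IDENTITY="${IDENTITY:-Developer ID Application: Your Name (TEAMID)}"
PROFILE="${PROFILE:-notary-profile}"  # saved earlier with: xcrun notarytool store-credentials
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands only, 0 = execute them

# Print a command prefixed with "+"; execute it only when DRY_RUN=0.
run() {
    printf '+'
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

sign_notarize_staple() {
    bundle="$1"
    case "$bundle" in
        *.component|*.vst3|*.app) ;;
        *) echo "unsupported bundle type: $bundle" >&2; return 2 ;;
    esac
    zip="${bundle%.*}.zip"

    # 1. Sign with the hardened runtime and a secure timestamp; notarization requires both.
    run codesign --force --timestamp --options runtime --sign "$IDENTITY" "$bundle" || return 1
    # 2. Verify the signature locally before uploading anything.
    run codesign --verify --strict --verbose=2 "$bundle" || return 1
    # 3. notarytool accepts zip, dmg or pkg uploads, so archive the bundle first.
    run ditto -c -k --keepParent "$bundle" "$zip" || return 1
    # 4. Submit to Apple's notary service and wait for the result.
    run xcrun notarytool submit "$zip" --keychain-profile "$PROFILE" --wait || return 1
    # 5. Staple the ticket to the bundle so Gatekeeper can check it offline, then validate it.
    run xcrun stapler staple "$bundle" || return 1
    run xcrun stapler validate "$bundle"
}
```

Call it once per built target, for example `sign_notarize_staple MySynth.component` and `sign_notarize_staple MySynth.vst3`, and review the printed commands before switching to `DRY_RUN=0`.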