Notarizing after Code-Signing?

So I have successfully signed my plugins, however notarizing them seems to be a whole other issue. I have taken all the steps necessary I think.

  1. Xcode 10 compatibility
  2. Harden Runtime in Xcode Project

If I just add these two commands after my signing commands it should work, right?
I am still getting an error that my file is invalid. Am I missing anything?

--notarize-username YOUR_APPLE_ID
--notarize-password @keychain:APP_PASSWORD_ITEM_NAME

Usually you’d want to notarise the installer. Scripts to help are in this thread.


I think the two flags you mentioned are for xcrun altool, but it sounds like you’re adding them to the Projucer?

I found the first post on this KVR thread very helpful: https://www.kvraudio.com/forum/viewtopic.php?t=531663

As @hill_matthew said, you possibly want to notarize a plugin installer (e.g. .pkg) but if it helps here are my notes for notarizing a single plugin:

Zip your vst/vst3/component, then on the command line:

xcrun altool --notarize-app --primary-bundle-id "PLUGIN IDENTIFIER" --username "EMAIL" --password "APP-SPECIFIC-PASSWORD" --asc-provider "SHORTNAME" --file file.zip

--primary-bundle-id: Anything you like. Should probably be unique to your plugin.
--username: Your Apple ID username/email
--password: An app-specific password (https://support.apple.com/en-us/HT204397)
--asc-provider: Only required if you are a member of more than one Apple developer team

Wait a few moments while your file is uploaded. A success message will be displayed and Apple will email you too.

Once your notarization is confirmed, you should (but don’t have to) staple the notarization ticket to the software, so that users can open it even without internet access:

xcrun stapler staple file.vst

Test that the file is notarized:

codesign --test-requirement="=notarized" --verify --verbose file.vst

I’ll try this out now.

I was trying to notarize with Eden while I code sign, but maybe it’s easier to code sign then notarize. I’ll check back after I have succeeded or failed a few times.

Thanks @jnicol & @hill_matthew

Possibly a naive question, but what is Eden?

It’s how you code sign your binaries for AAX.
So your plugins work in Pro Tools.

Aka iLok

2020-05-11 16:20:44.329 altool[32168:561555] *** Error: Unable to notarize app.

2020-05-11 16:20:44.329 altool[32168:561555] *** Error: code -22016 (Unable to validate your application. We are unable to create an authentication session.)

I followed your instructions, however I am getting these errors.

I’m far from an expert in this area (just muddling my way through), but some things I’d check:

Is the plugin properly code signed?

codesign -dvv "path/to/file.vst"

Does the result show a timestamp? e.g. Timestamp=XXXX

Are all the arguments for your altool command correct?

EDIT: I’m not sure if this process differs at all for AAX, since I’ve only done this for VST, VST3 and AU

I code signed the AU, VST, and VST3.

However, I tried individually as well as in one folder like you said.
I do not know about timestamped…

You could try adding the --verbose flag to your altool command, which might give more insight into the error?

It is code signed until I zip it…
I just checked it is properly code signed.

I’m talking to the people at Eden maybe they can help me since I do my signing with them.

I was able to start a notarizing session earlier but my package was invalid it said.

Brain bender. Thanks for the help.

Do you mean that you sign your plug-in, then zip it, and when unzipped its signature is invalid?
If that is the case, it may be an issue with symbolic links not being restored exactly as they were, if your bundle contains some of those (also as a result of the code signing process).
That alone would be a sufficient cause for invalidating the digital signature.

Check with a tool like Kdiff3 if the signed plug-in bundle prior to zipping is exactly equal to what comes out of the unzipping of it

Apparently in February they changed warnings to be errors so everything has to be exact. I included --timestamp in my project, however even after signing with a certificate from my Apple developer account I am still getting this error?
Do I have to use a Developer ID Application .cer from Xcode? If so that has no keys available.

Should I be trying this on an archive instead of a build?

Does anybody know how to get a valid Developer Certificate as well as how to timestamp?

{
  "logFormatVersion": 1,
  "jobId": "7a96ba85-0f25-42c4-ac6f-43910a7b513b",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "MYPLUGIN_signed.component.zip",
  "uploadDate": "2020-05-12T13:04:18Z",
  "sha256": "7865c45f80328bfb95082eb0301582133d4325e886bc2936b2d0bf02b6c82724",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MYPLUGIN_signed.component.zip/MYPLUGIN_signed.component/Contents/MacOS/MYPLUGIN",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MYPLUGIN_signed.component.zip/MYPLUGIN_signed.component/Contents/__Pace_Eden.bundle/Contents/MacOS/__Pace_Eden",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MYPLUGIN_signed.component.zip/MYPLUGIN_signed.component/Contents/__Pace_Eden.bundle/Contents/MacOS/__Pace_Eden",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

I am trying to sign then notarize with one command using the Eden SDK.

For the “secure timestamp”, you need to pass --timestamp (usually without any value) to codesign when initially signing (i.e. before notarization). See the man page of codesign for reference:

--timestamp [=URL]
         During signing, requests that a timestamp authority server be contacted to authenticate the time of signing. The
         server contacted is given by the URL value.  If this option is given without a value, a default server provided by
         Apple is used.  Note that this server may not support signatures made with identities not furnished by Apple.

I believe that, for using the EDEN SDK, you had to sign an NDA that forbids public discussions of technical details.
While I agree that we’re not discussing sensitive aspects, I think we’re not formally allowed to talk about this here.
Perhaps, now that PACE owns the place, a separate section of the forum could be created for discussion of EDEN usage, with access restricted to only those accounts that also have signed the NDA?

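The single-plug-in walkthrough from jnicol's post (zip, altool --notarize-app, staple, verify) and the --timestamp point above, put together as one script. This is an added example, not code from the thread; the signing identity, Apple ID, keychain item name and bundle id are placeholders, the altool output lines it parses (RequestUUID = ..., Status: ...) are assumed from altool's usual output, and altool itself was later replaced by notarytool.

```shell
#!/bin/sh
# Added example: sign -> zip -> submit -> poll -> staple -> verify for one bundle.
set -eu

IDENTITY="Developer ID Application: YOUR NAME (TEAMID)"   # placeholder identity
APPLE_ID="you@example.com"                                # placeholder Apple ID
APP_PW="@keychain:APP_PASSWORD_ITEM_NAME"                 # app-specific password item

# Pull the RequestUUID out of `altool --notarize-app` output (format assumed).
request_uuid() { sed -n 's/^RequestUUID = \([0-9a-fA-F-]*\).*/\1/p' | head -n 1; }
# Pull the Status value out of `altool --notarization-info` output (format assumed:
# "in progress", "success" or "invalid"; "Status Code:" lines are not matched).
request_status() { sed -n 's/^ *Status: *\(.*\)$/\1/p' | head -n 1; }

notarize_bundle() {
    bundle="$1"; bundle_id="$2"; zip="${bundle}.zip"
    # 1. Sign with hardened runtime and a secure timestamp: the two things the
    #    notary log in this thread rejected when they were missing. Nested
    #    bundles (e.g. a wrapper's helper bundle) must be signed first, inside out.
    codesign --force --options runtime --timestamp --sign "$IDENTITY" "$bundle"
    codesign --verify --deep --strict --verbose=2 "$bundle"
    # 2. ditto keeps symlinks and metadata intact; plain `zip -r` can break them.
    ditto -c -k --keepParent "$bundle" "$zip"
    # 3. Submit and capture the request id.
    uuid=$(xcrun altool --notarize-app --primary-bundle-id "$bundle_id" \
        --username "$APPLE_ID" --password "$APP_PW" --file "$zip" 2>&1 | request_uuid)
    [ -n "$uuid" ] || { echo "upload failed" >&2; return 1; }
    # 4. Poll until Apple reports a result.
    while :; do
        status=$(xcrun altool --notarization-info "$uuid" \
            --username "$APPLE_ID" --password "$APP_PW" 2>&1 | request_status)
        [ "$status" = "in progress" ] || break
        sleep 30
    done
    [ "$status" = "success" ] || { echo "notarization failed: $status" >&2; return 1; }
    # 5. Staple the ticket so offline machines can verify, then check it.
    xcrun stapler staple "$bundle"
    codesign --test-requirement="=notarized" --verify --verbose "$bundle"
}

# Usage: ./notarize.sh MyPlugin.vst3 com.example.myplugin
if [ "$#" -eq 2 ]; then notarize_bundle "$1" "$2"; fi
```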

https://developer.apple.com/account/resources/certificates/add

You will need one of each if you plan to use a standard macOS installer package:

but you use the latter to sign your plugins before notarisation.

Besides PACE’s wraptool I also use DropDMG and SD Notary:

https://c-command.com/dropdmg/

Rail

After testing for a few days I came up with this thanks to everyone with the resources.
@jnicol that really helped.
I am going to leave an exact guide here for anyone in the future wanting a straightforward guide to the entire process of notarizing. I ended up code signing with Apple rather than Eden, which is a whole other bear.


If the process with Apple is easier than Eden, then wow. Because Apple’s process is a royal PITA.