Notarizing suddenly giving errors

I am getting errors when notarizing such as: “The binary is not signed with a valid Developer ID certificate.” and “The signature does not include a secure timestamp.” This is with a script that has been working for months. The only thing that changed was an update to JUCE 6.1.3. I’m not sure how/why that might affect things, if at all.

Example error:

      "severity": "error",
      "code": null,
      "path": "MyPluginInstaller.pkg/MyPlugin_VST3.pkg Contents/Payload/Library/Audio/Plug-Ins/VST3/MyPlugin.vst3/Contents/MacOS/MyPlugin",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"

I initially thought that codesign was not signing the binary when I gave it the path to the vst3. I updated it to pass in the actual binary path. I still got the same error

My CI script verifies that the codesigning was successful.

Can anyone offer a clue as to what may have gone wrong?

Potentially unrelated, but I would get this kind of error when Apple pushed out changes to their developer T&C’s. It might be worth logging into their Developer portal and seeing if it wants you to agree to anything.

It could well be that. I seem to remember it happening once before… Just checked and there was one agreement I needed to renew relating to Paid Apps, in App Store Connect. Let’s see if that fixes the issue…

Well that didn’t seem to help

So it turns out that the JUCE update was the culprit after all!

in checkBundleSigning.cmake:

    COMMAND "${JUCE_XCRUN}" codesign --verify "${src}"

    message(STATUS "Replacing invalid signature with ad-hoc signature")
    execute_process(COMMAND "${JUCE_XCRUN}" codesign -s - "${src}")

This caused my binaries to get signed with an ad-hoc certificate. Which then meant my codesign call did not codesign because the binaries had already been code signed. Adding --force fixed the issue.

I’m wondering what problem this change was aiming to solve? Perhaps being able to test plugins on recent macOS versions?

1 Like

Some versions of Ableton Live on recent macOS fail to load plugins unless the entire bundle has a valid signature.