I want to make an installer, and in the guide it says that I only need to sign it in order to have all the plugins signed:
Notarization is indeed needed for plugins, but if you are distributing through a PKG or DMG (which contains a PKG), you can just notarize the PKG or the DMG, and everything inside will be notarized.
So basically I’m following this part of the guide:
I’ve created an Apple Developer Account, and I’ve downloaded a certificate (“Developer ID Installer: myname mysurname”). I downloaded from here: Apple PKI - Apple some other certificates in order to have mine working, and now in the keychain app I see my certificate like this:
What I’m supposed to do? My certificate is valid everywhere, even White Packages says that, how can I fix this problem? All this notarization and certificate madness is driving me insane. Thank you!
Notarization and signing are two different things.
If I recall correctly:
the plugin must be signed with a “Developer ID Application”
the installer must be signed with a “Developer ID Installer”
Whatever you intend the user to download (could be a .pkg, a .dmg or a .zip) must be notarized
But I’m not sure if that’s the problem here, as the error message sounds like it just doesn’t accept your installer certificate? I’ve never used Whitebox, so never encountered that particular message. Did you sign the binaries with an Application certificate?
This is correct (as are the following bullet points).
Another potential issue (that I’m not sure how you fix with Packages1) is that you might need to “force” the signing of the plugin with the Developer ID Application Certificate, as it may have been “ad hoc” signed when built.
Are your certificates added to the “login” Key Chain? If not this might be the cause of the error in Packages.
1 : my advice is to forget Packages, it’s just a needless dependency, instead spend a few hours looking at the Surge VST repo to figure out how to make your installer manually with a script.
with the “codesign” command line utility I’ve found that I’m not signing my code, so the cmake commands that I’ve posted above are not correct. Anyone knows what is the correct way to sign a plugin compiled with CMake?
There should be an official JUCE tutorial on these topics!!
Ok, in the meantime I was trying to do something like that, thank you. I have a couple of questions:
what is bundle_path? in the second step is treated like a variable but not in the first one.
“MyPlugin_AU” is the name of the plugin followed by “_AU” and automatically it signs the .component file? So if I would like to do the same for the VST3 I should use “MyPlugin_VST3”?
I’ve noticed that I need to add the entitlements file generated in the JuceLibraryCode folder, otherwise the standalone app does not asks for the microphone permission and therefore it does not work (no audio input)
The first line gets the path to the .component file from the target and saves it into the bundle_path variable. CMake can be confusing at times.
When you do a juce_add_plugin( MyPlugin … ) it builds a couple of sub-targets according to the formats you’ve enabled. So it’s similar for _VST3, _AAX etc.
You can also do something like this to loop through all the sub-targets:
Unfortunately the Standalone target used to not have the JUCE_PLUGIN_ARTEFACT_FILE property, but I think that’s fixed now, at least in the develop branch.
By doing this the codesign command is correctly recognized by cmake, but then ends with an error, that says “no identity found”. This is very strange, because if I run the same command from a terminal window, it works perfectly. How is that possible? The same command run alone in the shell works, while run inside cmake it doesn’t.
Just to re-emphasize, altool is deprecated and will stop working by fall next year. Luckily notarytool is a much nicer experience. I blogged about code signing/notarization recently, maybe it can be helpful.
You have to put the -s inside the quotes, otherwise it does not work, the command is not recognized. There are different examples online that shows the same (very strange) syntax.
Btw, I ended up writing my own script that do everything, from compiling to signing to building and notarizing the installer (with notary tool which is way better than altool)
The notarization-history command still works, but the notarize-app one seem to hang forever with no warning, and nothing appearing in history.
That is a bummer because I compile my code on an Intel Mac running Catalina, and keep another M1 Mac up to date for testing the final release (not a development machine).
I like having different OS versions, but now I need to update that Intel Mac to be able to install a recent enough Xcode version…
That’s an interesting interpretation of their own timeline “Fall 2023” for when altool was supposed to stop working!
fyi I just tested on my Intel Big Sur install and xcrun notarytool is possible, so you could just upgrade that one step instead of all the way to Ventura.