HOWTO macOS notarization (plugins, app, pkg installers)

[hugoderwolf]

Cool, thanks. It's still Terminal based then... One day they might make an App for that!

But why? This kind of stuff is supposed to go into some script. Write once and forget about it (until it fails for some reason). Doing this kind of stuff manually is my biggest horror.

Ideally, I'd just run a script (probably not even manually) that would just build/test/wrap/sign/notarize everything and drop it to a download server and release database automatically, including release notes and so on. I'd then just do the remaining manual testing for final approval and click "publish" in a backend to roll it out.

[Markus Krause]

I am very careful with using too much automation with scripts. If something goes wrong you can seriously introduce new points of failure like copying wrong/old/missing/broken files. Such stuff quickly gets overlooked when things are automated

[quikquak]

I was just making a joke about forever using terminal scripts. Why can’t Apple make an App with their own OS that is useful and easy to use? Where you fill in the boxes with all the data, and passwords etc, then press ‘send’ or something. I guess it’s not programmery enough, and ironically, they’ll have to update it all the time
I really don’t mind using scripts, it’s just from an ancient world.

[audiothing]

I just can't see what notarytool does give as an advantage compared to altool except the possibility to dump the notarization result to a file and to break things ... again...

The main advantage is that you don't need to create a wait loop in your script. Using the --wait option you can upload for notarization, wait for the result, and then staple with just a bunch of commands (check the script I posted earlier) compared to the old method of adding a wait loop, retrieving the status, etc... Also, uploads are much faster, no idea why, but if you have big installers it helps a lot.

More info: https://developer.apple.com/videos/play/wwdc2021/10261

The main 'feature' seems to be that we developers are forced to drop support for older Mac OS versions as we need to use XCode 13 or higher now.

You sound like a broken record. Once again, that's not true. I'll keep repeating the same thing over and over (perhaps you blocked me?). Yes, you need to use XCode 13, but, as long as you use it on macOS 12 (Monterey) you can compile, in a single run, a plugin that works from OS X 10.9 to macOS 13 (Ventura), universal 2 binary of course. Isn't that enough?

[Markus Krause]

Unlike you I don't use JUCE which makes such things a lot more easy. My stuff is created with the VSTSDK.
I am using XCode 12 on Big Sur as a build machine. The minimum requirement I was able to compile and notarize (VST3+VST2.4+AudioUnit+VSTGUI4+M1+Intel) was macOS 10.12 or higher.

[audiothing]

Unlike you I don't use JUCE which makes such things a lot more easy. My stuff is created with the VSTSDK.
I am using XCode 12 on Big Sur as a build machine. The minimum requirement I was able to compile and notarize (VST3+VST2.4+AudioUnit+VSTGUI4+M1+Intel) was macOS 10.12 or higher.

Notarization, in this case, has nothing to do with the minimum OS X/macOS requirement.
Apple actually listened to us and reintroduced SHA1 signature with Big Sur 11.3 (on both codesign and productsign) so we can actually easily support down to 10.9 with a single Mac. The macOS 10.12 limit you are facing is coming from somewhere else then.

Anyway, it seems like JUCE would solve most of the issues you keep spending time on. Worth checking IMO.

[syntonica]

The macOS 10.12 limit you are facing is coming from somewhere else then.

These limitations are usually MacOS feature related, such as using Metal. If you stick to basic Cocoa, you can go back further, barring any deprecations. 10.12 is 6+ years old, so it's on its way out...

[BertKoor]

Cool, thanks. It's still Terminal based then... One day they might make an App for that!

Build processes should always be CLI-based, for the purpose of scripting / automation. Can't do that with an app.

[quikquak]

Cool, thanks. It's still Terminal based then... One day they might make an App for that!

Build processes should always be CLI-based, for the purpose of scripting / automation. Can't do that with an app.

Could it still use command line code to phone home at the end?

[BertKoor]

if "calling home" can be done with curl, wget, or the notarisation / code signing tool of your choice, then sure yes.

[Markus Krause]

I am wondering if it would be possible to extract notarytool from the XCode directory and run it as a standalone-app without a full XCode 13 installation. Has anyone tried this?

[discoDSP]

I am wondering if it would be possible to extract notarytool from the XCode directory and run it as a standalone-app without a full XCode 13 installation. Has anyone tried this?

We have copied the notarytool file from the path /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool to Desktop, and have verified that it continues to function correctly.

It is worth noting that, according to this article (https://scriptingosx.com/2021/07/notari ... otarytool/), it appears feasible to run the notarytool outside of XCode. The article provides information on how to notarize a command-line tool with the notarytool, which suggests that the notarytool can indeed be used as a standalone application.

[Markus Krause]

I am wondering if it would be possible to extract notarytool from the XCode directory and run it as a standalone-app without a full XCode 13 installation. Has anyone tried this?

We have copied the notarytool file from the path /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool to Desktop, and have verified that it continues to function correctly.

It is worth noting that, according to this article (https://scriptingosx.com/2021/07/notari ... otarytool/), it appears feasible to run the notarytool outside of XCode. The article provides information on how to notarize a command-line tool with the notarytool, which suggests that the notarytool can indeed be used as a standalone application.

Thanks a lot for this useful info!

[Lind0n]

[snip]

It is worth noting that, according to this article (https://scriptingosx.com/2021/07/notari ... otarytool/), it appears feasible to run the notarytool outside of XCode. The article provides information on how to notarize a command-line tool with the notarytool, which suggests that the notarytool can indeed be used as a standalone application.

Thanks a lot for this useful info!

If you work out how to do this Markus - I'd be interested to know...

[syntonica]

[snip]

It is worth noting that, according to this article (https://scriptingosx.com/2021/07/notari ... otarytool/), it appears feasible to run the notarytool outside of XCode. The article provides information on how to notarize a command-line tool with the notarytool, which suggests that the notarytool can indeed be used as a standalone application.

Thanks a lot for this useful info!

If you work out how to do this Markus - I'd be interested to know...

Just a quick note that Xcode doesn't really have any secret, special powers, other than screwing up your projects royally when you update it.

Xcode just sits on top of all the command line tools. Technically, once you've installed the tools, you can delete Xcode. The tools and SDKs live in /Library/Developer as copied out of the Xcode bundle.

I'm actually learning make so that I can get rid of as much dependency on Xcode as I can. Hopefully, all of it as it's so obtrusive.