HOWTO macOS notarization (plugins, app, pkg installers)

DSP, Plugin and Host development discussion.

Post

AnalogObsession wrote: Fri Jan 10, 2020 12:50 pm So, I have to use minimum macOS SDK 10.9, right? If yes, I can compile normal versions with 10.7 and compile with 10.9 for notarization. Then, I can jump to Catalina for notarization.
Yes, I think so.
Should I use Catalina for notarization? At the moment, I have El Capitan and Mojave. I believe it's possible to notarize on Mojave, right?
IIRC you need XCode 10 which has the required tools for notarization. A quick Google search states it needs 10.13 minimum, so yes.

Post

I've finally had success with this Notarizing nightmare, it turns out I was putting quotes where they are not needed.
Here is maybe a slightly better script just for .pkg files.
Just use 1 parameter - the pkg name without the extension.

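    #!/bin/bash
    # For pkg files, use one parameter without the extension
    # Fill these 3 lines in...
    USERNAME=myemail@mycompany.com     # Your standard Apple ID
    PASSWORD=xxxx-xxxx-xxxx-xxxx       # app specific password
    COMPANYID=com.mycompany.$1         # Note the .$1 here adds the file's name to the bundle ID

    printf "Submitting to Apple...\n\n"
    # Show the command being run, with the password masked
    printf '#xcrun altool --notarize-app -f "%s.pkg" --primary-bundle-id %s --username %s --password ****\n' "$1" "$COMPANYID" "$USERNAME"

    # Save altool's output (stdout and stderr) so the RequestUUID can be read back
    xcrun altool --notarize-app -f "$1.pkg" --primary-bundle-id "$COMPANYID" --username "$USERNAME" --password "$PASSWORD" &> notarisation.result

    ASSET_UUID=$(grep RequestUUID notarisation.result | cut -d" " -f 3)

    # Stop if the submission failed (e.g. a rejected login); otherwise the loop below never ends
    if [ -z "$ASSET_UUID" ]; then
        printf "No RequestUUID returned, see notarisation.result\n"
        exit 1
    fi

    printf "\n\nChecking result of notarisation.."

    # Poll every 30 seconds until the report contains "Package Approved"
    # (only stderr is piped to grep; stdout is discarded)
    while true; do
        echo -n '.'
        if [[ $(xcrun altool --notarization-info "$ASSET_UUID" --username "$USERNAME" --password "$PASSWORD" 2>&1 >/dev/null | grep -c "Package Approved") == "1" ]]; then
            break
        fi
        sleep 30
    done

    printf "\nStapling package...\n"

    xcrun stapler staple "$1.pkg"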
I'm guessing the app specific password is used so other team members can use it without knowing the main AppleID login password for your company? I don't know.
Thanks again for everyone's help with this (especially George from DiscoDSP) :)
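
Added example, not part of the original post: the polling loop above stops only on "Package Approved", so a rejected package or a login error (like the one reported later in this thread) leaves it running forever. The sketch below classifies the `altool --notarization-info` report and bounds the wait; the sample reports are constructed, their field layout is an assumption, and the `AC_PASSWORD` environment variable name is hypothetical.

```shell
#!/bin/bash
# Added example: classify altool notarization-info reports for a bounded poll.

# Print one "Key: value" field from a report read on stdin.
notary_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Map a report to: approved | rejected | pending | unknown
notary_state() {
    case "$(printf '%s\n' "$1" | notary_field Status)" in
        success)       echo approved ;;
        invalid)       echo rejected ;;
        "in progress") echo pending ;;
        *)             echo unknown ;;   # no Status line, e.g. a login error
    esac
}

# Poll until a final state or until the tries run out.
# $1 = RequestUUID, $2 = maximum polls (default 40, i.e. about 20 minutes).
# Assumes USERNAME is set and the app-specific password is exported as
# AC_PASSWORD (hypothetical name), so it never appears in the process list.
wait_for_notary() {
    local uuid=$1 tries=${2:-40} report
    while [ "$tries" -gt 0 ]; do
        report=$(xcrun altool --notarization-info "$uuid" \
            --username "$USERNAME" --password "@env:AC_PASSWORD" 2>&1)
        case "$(notary_state "$report")" in
            approved) return 0 ;;
            rejected) printf '%s\n' "$report" >&2; return 1 ;;  # includes LogFileURL
            unknown)  printf '%s\n' "$report" >&2; return 2 ;;
        esac
        sleep 30
        tries=$((tries - 1))
    done
    return 3   # still pending after the last poll
}

# Constructed sample reports (field layout assumed, values are placeholders).
SAMPLE_OK='   RequestUUID: 00000000-0000-0000-0000-000000000000
        Status: success
Status Message: Package Approved'
SAMPLE_BAD='        Status: invalid
    LogFileURL: https://example.invalid/log.json
Status Message: Package Invalid'
SAMPLE_WAIT='        Status: in progress'
SAMPLE_ERR='*** Error: Unable to validate your application.'
```

In the script above, `wait_for_notary "$ASSET_UUID" || exit 1` would take the place of the `while true` loop, so stapling is only attempted after an approval.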

Post

discoDSP wrote: Fri Jan 10, 2020 12:55 pm
AnalogObsession wrote: Fri Jan 10, 2020 12:50 pm So, I have to use minimum macOS SDK 10.9, right? If yes, I can compile normal versions with 10.7 and compile with 10.9 for notarization. Then, I can jump to Catalina for notarization.
Yes, I think so.
Should I use Catalina for notarization? At the moment, I have El Capitan and Mojave. I believe it's possible to notarize on Mojave, right?
IIRC you need XCode 10 which has the required tools for notarization. A quick Google search states it needs 10.13 minimum, so yes.
Thanks for replies!

Finally, I understood.

So, time to re-compile plugins.

Thanks!
https://www.patreon.com/analogobsession Support for free VST3, AU, AAX for WIN & MAC

Post

I have gone back and digitally signed all of my plugins directly in XCode using a newly-purchased "Apple Developer ID". I do not use an installer program with my plugins - just a simple copy and paste to plugins folder - so I understood per Apple/Catalina instructions that only SIGNING was required.

The plugins work fine on MY system but now customers are reporting, "plugin was blocked from use because it is not from an identified developer".

I purchased the Apple ID FROM Apple - what does it mean "not an identified developer"? Why is the Apple ID not recognized?

Post

Fender19 wrote: Sat Jan 11, 2020 3:51 pm I have gone back and digitally signed all of my plugins directly in XCode using a newly-purchased "Apple Developer ID". I do not use an installer program with my plugins - just a simple copy and paste to plugins folder - so I understood per Apple/Catalina instructions that only SIGNING was required.

The plugins work fine on MY system but now customers are reporting, "plugin was blocked from use because it is not from an identified developer".

I purchased the Apple ID FROM Apple - what does it mean "not an identified developer"? Why is the Apple ID not recognized?
If you are distributing them using a .zip or .dmg you need to notarize that.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

audiothing wrote: Sat Jan 11, 2020 3:58 pm
Fender19 wrote: Sat Jan 11, 2020 3:51 pm I have gone back and digitally signed all of my plugins directly in XCode using a newly-purchased "Apple Developer ID". I do not use an installer program with my plugins - just a simple copy and paste to plugins folder - so I understood per Apple/Catalina instructions that only SIGNING was required.

The plugins work fine on MY system but now customers are reporting, "plugin was blocked from use because it is not from an identified developer".

I purchased the Apple ID FROM Apple - what does it mean "not an identified developer"? Why is the Apple ID not recognized?
If you are distributing them using a .zip or .dmg you need to notarize that.
Ok, I am distributing using zip but "unzipping" isn't where the problem shows up. It's the actual unzipped VST3, for example, that is bringing up the error - and THAT file has been signed.

So does the process of "zipping" corrupt the file signature? That's odd because it PRESERVES Pace iLok signatures!

Post

Fender19 wrote: Sat Jan 11, 2020 4:58 pm Ok, I am distributing using zip but "unzipping" isn't where the problem shows up. It's the actual unzipped VST3, for example, that is bringing up the error - and THAT file has been signed.

So does the process of "zipping" corrupt the file signature? That's odd because it PRESERVES Pace iLok signatures!
It's not about the signature, it's the notarization. You have to notarize .zip, .dmg, .pkg, etc, especially if downloaded or copied from somewhere else (that's why you are not seeing any error message on your Mac).
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

audiothing wrote: Sat Jan 11, 2020 10:57 pm It's not about the signature, it's the notarization. You have to notarize .zip, .dmg, .pkg, etc, especially if downloaded or copied from somewhere else (that's why you are not seeing any error message on your Mac).
Wow, that's frustrating news. The direction from Apple seems to indicate that signing is required but notarization is OPTIONAL for "additional assurance". If that's not true then this is very poorly written:

https://help.apple.com/xcode/mac/current/#/dev033e997ca

So does that mean "ZIP" is basically obsolete on Macs with OS Catalina? How will typical users - who don't have Developer IDs - create, share and open zip files?

Post

quikquak wrote: Thu Jan 09, 2020 7:17 pm This is just terrible! I can't notarize because it keeps telling me my Apple ID OR password are incorrect!!!
I've tried using the script as well, but no. Are you sure you can use the normal Apple login (i.e. the one you log into the dev tools area)? And it's not the Apple developer program 'Team name'? I'm going in bloody circles here!
I'm having the same problem notarizing a simple ZIP package. I have a signed VST inside a signed Zip and I'm trying to notarize it using a newly created "app-specific" password. I'm getting this error from altool:

*** Error: Unable to validate your application. Sign in with the app-specific password you generated. If you forgot the app-specific password or need to create a new one, go to appleid.apple.com

What could be wrong? I am following the instructions from page 1 of this thread using altool from XC 10.3.

Post

Fender19 wrote: Sun Jan 12, 2020 5:36 am I'm having the same problem notarizing a simple ZIP package. I have a signed VST inside a signed Zip and I'm trying to notarize it using a newly created "app-specific" password. I'm getting this error from altool:

*** Error: Unable to validate your application. Sign in with the app-specific password you generated. If you forgot the app-specific password or need to create a new one, go to appleid.apple.com

What could be wrong? I am following the instructions from page 1 of this thread using altool from XC 10.3.
OK, I found out one "detail" that I had wrong - the VST file has to be signed with "codesign - developer ID Application" whereas the Zip file containing it has to be signed with "productsign developer ID Installer" - TWO different certs, yes?

So far, still same error trying to notarize.

Post

audiothing wrote: Sat Jan 11, 2020 10:57 pm It's not about the signature, it's the notarization. You have to notarize .zip, .dmg, .pkg, etc, especially if downloaded or copied from somewhere else (that's why you are not seeing any error message on your Mac).
I have been notarizing .PKG only and compressed them in a ZIP file with a PDF manual. No complaints so far, and asked people to test and no issues. But based on your comments I have to notarize the ZIP files too?

Post

Fender19 wrote: Sun Jan 12, 2020 1:54 am So does that mean "ZIP" is basically obsolete on Macs with OS Catalina? How will typical users - who don't have Developer IDs - create, share and open zip files?
Of course not. Notarization is for software only (apps, plugins, kernel extensions). Think of it as a virus/malware/issue scanner performed by Apple.
Since apps and plugins are bundles, to notarize them you need to zip them (or make a pkg installer or a dmg, or both) and send them to Apple. As your customer reported, they can easily unzip the plugins but they can't run them unless notarized.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

discoDSP wrote: Sun Jan 12, 2020 10:48 am I have been notarizing .PKG only and compressed them in a ZIP file with a PDF manual. No complaints so far, and asked people to test and no issues. But based on your comments I have to notarize the ZIP files too?
No, if you notarize the PKG containing the plugins, then you are fine. Same if you have a DMG with a PKG inside.
As far as I understand, you don't actually notarize the ZIP when you submit it, you notarize its content. In your case, you have a ZIP with an already notarized PKG containing the plugins, so that should be fine.

I did a few tests over the last few months here (between two macs) and with several customers.
Right now we distribute a DMG containing a signed PKG that installs the signed plugins. We notarize only the DMG (as the notarization process takes care of all nested things). No problems so far.
I've also distributed signed plugins with a ZIP (without installer). I've tested signed and un-signed ZIPs, it doesn't matter. What matters is that the ZIP must be notarized and the plugins signed.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

audiothing wrote: Sun Jan 12, 2020 11:48 am As far as I understand, you don't actually notarize the ZIP when you submit it, you notarize its content. In your case, you have a ZIP with an already notarized PKG containing the plugins, so that should be fine.
What I'm doing is:

1. Notarize and staple the PKG file only.
2. Create a ZIP (not signed or notarized) that contains the stapled PKG and a PDF.
3. Upload the ZIP to the server.

No issues from users so far. Thanks.

Post

audiothing wrote: Sun Jan 12, 2020 11:22 am
Fender19 wrote: Sun Jan 12, 2020 1:54 am So does that mean "ZIP" is basically obsolete on Macs with OS Catalina? How will typical users - who don't have Developer IDs - create, share and open zip files?
Of course not. Notarization is for software only (apps, plugins, kernel extensions). Think of it as a virus/malware/issue scanner performed by Apple.
Since apps and plugins are bundles, to notarize them you need to zip them (or make a pkg installer or a dmg, or both) and send them to Apple. As your customer reported, they can easily unzip the plugins but they can't run them unless notarized.
Ok, understood. Thank you.
