HOWTO macOS notarization (plugins, app, pkg installers)

DSP, Plugin and Host development discussion.

Post

Fender19 wrote: Sun Jan 12, 2020 5:36 am I'm having the same problem notarizing a simple ZIP package. I have a signed VST inside a signed Zip and I'm trying to notarize it using a newly created "app-specific" password. I'm getting this error from altool:

*** Error: Unable to validate your application. Sign in with the app-specific password you generated. If you forgot the app-specific password or need to create a new one, go to appleid.apple.com

What could be wrong? I am following the instructions from page 1 of this thread using altool from XC 10.3.
I discovered what I was doing wrong here. Maybe this has been brought up before but being that I am not a daily Mac user it was not clear to me - the "app-specific" password is NOT the "password label" you type in when creating a new app-specific password in the Apple ID website - it is the GREYED OUT, 16-digit cryptic code that shows up after you hit enter (which I thought was just a text placeholder indicating that what I typed in had been recorded). AFAIK, that code remains hidden forevermore after you close that window. If you forget it you have to delete it and generate a new one.

That's really confusing, Apple! Why is that all-important code GREYED OUT and not RED or something else apparent? :dog:

Notarizing is now working. Where's the Tylenol....
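
Added example, not part of the original posts: a shell wrapper around the altool submission described in the post above. It refuses to submit when the password does not look like the generated code, which catches the label-versus-code mix-up, and then polls the request status. The `xxxx-xxxx-xxxx-xxxx` pattern, the `AC_USERNAME`/`AC_PASSWORD` variable names and the function names are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example. Assumption: generated codes look like "abcd-efgh-ijkl-mnop".
is_app_specific_password() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]{4}(-[a-z]{4}){3}$'
}

# Read `altool --notarize-app` output on stdin, print the request UUID.
parse_request_uuid() {
    sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*=[[:space:]]*\([0-9A-Fa-f-]*\).*$/\1/p' | head -n 1
}

# Read `altool --notarization-info` output on stdin, print the Status value.
parse_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*\)$/\1/p' | head -n 1
}

# notarize_zip <file.zip> <bundle-id>; expects AC_USERNAME and AC_PASSWORD exported.
notarize_zip() {
    if ! is_app_specific_password "${AC_PASSWORD:-}"; then
        echo "AC_PASSWORD is not a generated code (was the label typed instead?)" >&2
        return 2
    fi
    out=$(xcrun altool --notarize-app --primary-bundle-id "$2" \
        --username "$AC_USERNAME" --password "@env:AC_PASSWORD" --file "$1" 2>&1)
    uuid=$(printf '%s\n' "$out" | parse_request_uuid)
    if [ -z "$uuid" ]; then printf '%s\n' "$out" >&2; return 1; fi
    tries=0
    while [ "$tries" -lt 40 ]; do
        sleep 30
        status=$(xcrun altool --notarization-info "$uuid" --username "$AC_USERNAME" \
            --password "@env:AC_PASSWORD" 2>&1 | parse_status)
        case "$status" in
            success) echo "notarized: $uuid"; return 0 ;;
            "in progress" | "") tries=$((tries + 1)) ;;
            *) echo "request $uuid ended with status: $status" >&2; return 1 ;;
        esac
    done
    echo "gave up waiting for $uuid" >&2
    return 1
}

if [ "$#" -ge 2 ]; then notarize_zip "$1" "$2"; fi
```

Passing the password as `@env:AC_PASSWORD` keeps the code out of the process argument list and shell history.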

Post

If you hit App-specific again with the same name, it’ll return a different code!
Which is confusing, and makes it all a pretty badly named exercise in button pushing.

Post

Now that stricter notarization is in process, I'm having some issues notarizing packages containing executables without bundles. Running

spctl -vvv --assess --type exec myexecutable
returns

myexecutable: rejected (the code is valid but does not seem to be an app)
This causes the final package to fail notarization. Any ideas how to properly sign bundle-less executables?

Post

Azeteg wrote: Tue Jan 14, 2020 10:10 am Now that stricter notarization is in process, I'm having some issues notarizing packages containing executables without bundles. Running

spctl -vvv --assess --type exec myexecutable
returns

myexecutable: rejected (the code is valid but does not seem to be an app)
This causes the final package to fail notarization. Any ideas how to properly sign bundle-less executables?
I got that result too when checking a notarized zip package; however, that same package shows good with "--notarize-info" and it works on Catalina. So, apparently this check doesn't work with zip packages.

More confusion from Apple... :x

Post

I spent the last 45 minutes *just* reading, and reading again, and re-reading again all the posts here and also the multiple Apple "support notes" url links provided here.

So to recap :
- Apple IDs for 99usd/year (mandatory) for signing AND notarization is required
- APP-specific passwords (???) are required
- special 2-FACTOR-AppleID-authentications (???) required
- ...or also special 2-STEPS-AppleID-authentications (???) required
- multiple Mac hardware / vm is required
- multiple OSes and/or clones are required
- multiple Xcode versions installations required (one just to notarize)
- installation of more and more Catalina+, Catalina++, Catalina+++, etc. OS in the next years
- more and more contortions are coming over the next months and years
- INFINITE problems and incompatibilities...

and everything just for this out-of-mind notarization procedure !!

I really have enough of this fake company.

I'm just a small, indie developer but personally, I'll never buy an Apple hardware/product anymore in my life.

From today I'll stop supporting Apple in my developments and future products.
My products will always remain compatible with macOS (up to Mojave) but not compatible with Catalina.

I'll officially start promoting the migration to more serious OSes/environments to all my Customers and I really wish other developers will have the stoutness to admit it publicly and consequently to take this road too.

It seems this fake company is making fun of people.
Last edited by xhunaudio on Thu Jan 23, 2020 11:03 am, edited 8 times in total.
bruno @ Xhun Audio || www.xhun-audio.com || Twitter || Instagram

Post

Hey xhunaudio, Catalina is not required for notarization. XCode 10 should do just fine as it has the required tools. I'm notarizing everything in Mojave / XCode 10 and no issues so far (fingers crossed).

From my experience, rants are not really beneficial and sometimes will backfire, which isn't the best result at all. The goal on this thread is helping out developers on this process. I think inflammatory speech is counterproductive.

I'd recommend thinking twice about those decisions because the benefits provided by their user base still make it worthy.

Cheers,
George.

Post

@xhunaudio To keep up Apple Mac's reputation as a 'virus free computer' they've basically resorted to doing a virus check at HQ, rather than doing it locally, like on Windows, who are also trying to make software seem more legit with their own software licencing scheme.
It's all about the 'optics' as a salesman would say, offline. :D
I'm a single dev, and I know what you mean. People who know me ask, "why are you in such a foul mood today? Did you code on the Mac today?" LOL.
Some people love Apple so much though, that they'll buy a new one as soon as it comes out. And are convinced that it's the best machine for the job. Which leaves us in an exciting and ever changing paradigm of fun!!! - Oh the joy. :hihi:
The next bundle-oh-joy will be the loss of OpenGL... (Someone please tell Juce they've been left behind...)

Post

quikquak wrote: Wed Jan 15, 2020 5:52 pm I'm a single dev, and I know what you mean. People who know me ask, "why are you in such a foul mood today? Did you code on the Mac today?" LOL.
:hihi: still loving my 2013 iMac here.

Post

@George/discoDSP
You're right, my apologies, the last thing I wanted to do here is to make "rants" or to start a fight. I'll stop suddenly :)

As I mentioned earlier, this thread is really well-thought and helpful - and again, my thank you (to you and to all other users) for all your "tips" and step-by-step attempts. Nothing against you guys.

What is extremely discouraging and irritating here is the behaviour of such "company". I think about it on the long term. Development has to be FREE and easygoing. Period. 3rd party Developers made apple's whole fortune. And now I have to pay money for an AppleID, just to have the further privilege to ask for an app-specific password, with a 2-step login which ultimately doesn't work, etc... Eheh, I'm definitely out.

By the way, my apologies for my rants :) I'll never annoy you again !
bruno @ Xhun Audio || www.xhun-audio.com || Twitter || Instagram

Post

discoDSP wrote: Wed Jan 15, 2020 5:56 pm
quikquak wrote: Wed Jan 15, 2020 5:52 pm I'm a single dev, and I know what you mean. People who know me ask, "why are you in such a foul mood today? Did you code on the Mac today?" LOL.
:hihi: still loving my 2013 iMac here.
He's one of them ! Let's catch him ! :wink:
Last edited by xhunaudio on Wed Jan 15, 2020 6:11 pm, edited 1 time in total.
bruno @ Xhun Audio || www.xhun-audio.com || Twitter || Instagram

Post

discoDSP wrote: Wed Jan 15, 2020 5:56 pm
quikquak wrote: Wed Jan 15, 2020 5:52 pm I'm a single dev, and I know what you mean. People who know me ask, "why are you in such a foul mood today? Did you code on the Mac today?" LOL.
:hihi: still loving my 2013 iMac here.
Yeah, I had a 2010 Mac, which just seemed to get slower and slower for no reason at all. So I took the plunge and bought a 27 inch iMac (I think it was a 2017 model because they hadn't updated it that year). The things are expensive - still don't use it much :hihi:

Post

xhunaudio wrote: Wed Jan 15, 2020 5:58 pm @George/discoDSP
You're right, my apologies, the last thing I wanted to do here is to make "rants" or to start a fight. I'll stop suddenly :)
Appreciated! Thanks.
As I mentioned earlier, this thread is really well-thought and helpful - and again, my thank you (to you and to all other users) for all your "tips" and step-by-step attempts. Nothing against you guys.
:hug:
What is extremely discouraging and irritating here is the behaviour of such "company". I think about it on the long term. Development has to be FREE and easygoing. Period. 3rd party Developers made apple's whole fortune. And now I have to pay money for an AppleID, just to have the further privilege to ask for an app-specific password, with a 2-step login which ultimately doesn't work, etc... Eheh, I'm definitely out.
Putting things in perspective, the situation has been getting better. IIRC previously you needed to purchase macOS and iOS developer memberships ($99/year each).

I do agree this notarization thing is a bit overwhelming for indie devs like us.

Post

quikquak wrote: Wed Jan 15, 2020 5:52 pm @xhunaudio To keep up Apple Mac's reputation as a 'virus free computer' they've basically resorted to doing a virus check at HQ, rather than doing it locally, like on Windows, who are also trying to make software seem more legit with their own software licencing scheme.
It's all about the 'optics' as a salesman would say, offline. :D
I'm a single dev, and I know what you mean. People who know me ask, "why are you in such a foul mood today? Did you code on the Mac today?" LOL.
Some people love Apple so much though, that they'll buy a new one as soon as it comes out. And are convinced that it's the best machine for the job. Which leaves us in an exciting and ever changing paradigm of fun!!! - Oh the joy. :hihi:
The next bundle-oh-joy will be the loss of OpenGL... (Someone please tell Juce they've been left behind...)
+1 :)
bruno @ Xhun Audio || www.xhun-audio.com || Twitter || Instagram

Post

FWIW, I've seen that the requirements from Apple depend on the OS and/or Xcode version you upload with.
It could be stricter, especially regarding the signing used (older signature formats are deprecated) and the requirements regarding hardened runtime for .app

my 2 cents
Olivier Tristan
Developer - UVI Team
http://www.uvi.net

Post

I have waded my way through this process and it is working but the "bookkeeping" is really something else. Adding that extra layer of signing (notarization) now requires 3 layers for AAX plugins - code sign + Pace sign + notarize. Get one wrong - or forget a step - or use the wrong password or ID - and the whole thing doesn't work! Many of you clever folk probably have this automated but for now I'm doing it all manually. :(

Now, something I don't understand is how exactly does all of this prevent malicious software? Hackers are hackers - can't they just force sign a malicious app and notarize with a bogus account? How is any of this nightmare preventing that?
