HOWTO macOS notarization (plugins, app, pkg installers)
- KVRAF
- 1748 posts since 2 Jul, 2018
...and waste lots of development time by jumping through many hoops to make it work
-
- KVRian
- 664 posts since 16 Sep, 2002 from Amsterdam, the Netherlands
As far as I know, plugins also need to be notarized. I couldn't run my signed plugins after they are downloaded from the internet. After notarization they run fine.
PJ
-
- KVRAF
- Topic Starter
- 5427 posts since 18 Jul, 2002
Are you referring to .app or .component/vst/vst3/aax?
I have the latter signed only and they run fine on Catalina.
- KVRAF
- 1748 posts since 2 Jul, 2018
To be safe that the notarized software works:
Is it sufficient to run only the check spctl -a -vvv -t install "/Users/home/Desktop/Install.pkg"
or do I have to first upload then download and install it?
-
- KVRAF
- Topic Starter
- 5427 posts since 18 Jul, 2002
Markus Krause wrote: ↑Sat Oct 19, 2019 9:56 am
Is it sufficient to run only the check spctl -a -vvv -t install "/Users/home/Desktop/Install.pkg"

I think it should be enough.
- KVRAF
- 1748 posts since 2 Jul, 2018
Thanks a lot for all your info!
Markus
-
- KVRian
- 664 posts since 16 Sep, 2002 from Amsterdam, the Netherlands
discoDSP wrote: ↑Sat Oct 19, 2019 8:17 am
Are you referring to .app or .component/vst/vst3/aax?
I have the latter signed only and they run fine on Catalina.

It’s a .vst.
When it’s signed it seems to run fine first. But when I upload it and download it again, it will not run anymore. I’ve read somewhere in the documentation that all software needs to be notarized. They specifically mention plugins too.
-
- KVRian
- 664 posts since 16 Sep, 2002 from Amsterdam, the Netherlands
I tested in Reaper and Studio One.
You can notarize a plugin by zipping it and using the commandline tool to send it to the notarization service.
You can find some info about notarizing plugins here:
https://developer.apple.com/documentati ... n_workflow
-
Richard_Synapse
- KVRian
- 1136 posts since 20 Dec, 2010
Our plugins seem to work fine under OS X 10.15 thus far, seems we just need to update all the packages/installers. I'm not sure how/why Studio One or Reaper would check notarization? Perhaps your problem is simply that you don't use an installer.
Richard
Synapse Audio Software - www.synapse-audio.com
-
- KVRian
- 664 posts since 16 Sep, 2002 from Amsterdam, the Netherlands
Hmmm. Not sure either. And yes, I’m not using an installer. It’s just a vst file that needs to be copied to the VST folder. I started getting emails from users about ‘unidentified developer’ popups blocking the loading of Drumatic after updating to Catalina. I tried signing the plugin first. That didn’t resolve the issue for plugins that were downloaded from my website. Then after notarizing, all issues are fixed.
Last edited by e-phonic on Sat Oct 19, 2019 2:56 pm, edited 1 time in total.
-
- KVRist
- 110 posts since 8 Jan, 2018
Richard_Synapse wrote: ↑Sat Oct 19, 2019 2:43 pm
I'm not sure how/why Studio One or Reaper would check notarization?

Probably a noob question: if the DAW doesn't check the notarization, what's the use of notarization and how does that prevent piracy? Couldn't you just provide cracked plugin binaries without any installer like in a zip file or so?
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
e-phonic wrote: ↑Sat Oct 19, 2019 12:49 pm
You can find some info about notarizing plugins here:
https://developer.apple.com/documentati ... n_workflow

From that link:
"The notary service generates a ticket for the top-level file that you specify, as well as each nested file. For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle."
I only submit the dmg with a pkg installer containing the plugins and I can confirm that the PKG gets notarized as well. If I check the notarization for the plugins with the command
Code:
spctl --assess --verbose
Code:
rejected (the code is valid but does not seem to be an app)
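A verification helper for the checks discussed in this thread, as an added example that is not part of any original post: it picks the spctl assessment type from the artifact's extension and classifies the verdict, so the "does not seem to be an app" message is reported as a wrong assessment type rather than a signing failure. The function names, the verdict words and the choice of a codesign-only check for plugin bundles are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Map an artifact to the spctl assessment type that fits it.
assess_type() {
  case "$1" in
    *.pkg|*.mpkg) echo install ;;
    *.app)        echo execute ;;
    *.dmg)        echo open ;;
    *.vst|*.vst3|*.component|*.aaxplugin) echo none ;;  # plugin bundles are not apps
    *)            echo unknown ;;
  esac
}

# Classify captured spctl output (stdout and stderr) into one verdict word.
interpret() {
  case "$1" in
    *"does not seem to be an app"*)    echo wrong-assessment-type ;;
    *rejected*)                        echo rejected ;;
    *"source=Notarized Developer ID"*) echo notarized ;;
    *accepted*)                        echo accepted ;;
    *)                                 echo unknown ;;
  esac
}

# Run the matching check on macOS and print "<path>: <verdict>".
check() {
  case "$(assess_type "$1")" in
    install) out=$(spctl -a -vvv -t install "$1" 2>&1) ;;
    execute) out=$(spctl -a -vvv -t execute "$1" 2>&1) ;;
    open)    out=$(spctl -a -vvv -t open --context context:primary-signature "$1" 2>&1) ;;
    none)    # Signature check only: spctl's default app assessment does not fit
             codesign --verify --deep --strict --verbose=2 "$1"; return ;;
    *)       echo "$1: unsupported artifact type" >&2; return 2 ;;
  esac
  echo "$1: $(interpret "$out")"
}

# Only touch the macOS tools when paths are given on the command line.
if [ "$#" -gt 0 ]; then
  for f in "$@"; do check "$f"; done
fi
```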
-
Richard_Synapse
- KVRian
- 1136 posts since 20 Dec, 2010
Good question, interestingly this does not seem to be working as e-phonic wrote above. Perhaps there is a mechanism in OS X 10.15 blocking Audio Units that have not been installed via a notarized package.
Richard
Synapse Audio Software - www.synapse-audio.com
- KVRAF
- 7890 posts since 12 Feb, 2006 from Helsinki, Finland
Richard_Synapse wrote: ↑Sat Oct 19, 2019 2:43 pm
Our plugins seem to work fine under OS X 10.15 thus far, seems we just need to update all the packages/installers. I'm not sure how/why Studio One or Reaper would check notarization? Perhaps your problem is simply that you don't use an installer.

I would imagine (and a Google search seems to support this) that the runtime just fails dlopen() if you try to load something that Gatekeeper isn't happy with.
That said, what seems fundamentally broken about this whole concept (as far as audio plugins go) is that plugins apparently don't get to have any entitlements, so if you need to do something like dynamic code generation that the runtime isn't happy with by default, then it looks like you will have to convince every host vendor to add the relevant entitlements to their application.