Not exactly I think. You can install the Command Line Tools without installing Xcode, and they get installed in /Library/Developer. It's the whole purpose of that installer package. If you have Xcode, you don't need to install CLT, as they're then bundled within /Application/Xcode.app, including all the SDKs and stuff.
HOWTO macOS notarization (plugins, app, pkg installers)
- KVRist
- 303 posts since 1 Apr, 2009 from Hannover, Germany
- KVRAF
- 2280 posts since 25 Sep, 2014 from Specific Northwest
hugoderwolf wrote: ↑Wed Mar 08, 2023 7:43 am
Not exactly I think. You can install the Command Line Tools without installing Xcode, and they get installed in /Library/Developer. It's the whole purpose of that installer package. If you have Xcode, you don't need to install CLT, as they're then bundled within /Application/Xcode.app, including all the SDKs and stuff.

Yup, you're right. I think you can install the CLTs without installing Xcode at all. I'm still figuring this stuff out--I've allowed myself to be too dependent on Xcode.
I started on Logic 5 with a PowerBook G4 550Mhz. I now have a MacBook Air M1 and it's ~165x faster! So, why is my music not proportionally better?
- KVRist
- 358 posts since 26 Jun, 2010
Just migrated from altool to notarytool, seems to work ok
In case it saves others time, here's the relevant change in my script...
Code: Select all
#xcrun altool --notarize-app --primary-bundle-id "$BUNDLEID" --username "$USERNAME" --password "$PASSWORD" --file "$FILE"
xcrun notarytool submit --apple-id "$USERNAME" --password "$PASSWORD" --team-id "$TEAMID" --wait "$FILE"
James Walker-Hall
www.newsonicarts.com
- KVRian
- 872 posts since 6 Aug, 2005 from England
newsonicarts wrote: ↑Sun Mar 19, 2023 12:56 pm
Just migrated from altool to notarytool, seems to work ok
In case it saves others time, here's the relevant change in my script...
Code: Select all
#xcrun altool --notarize-app --primary-bundle-id "$BUNDLEID" --username "$USERNAME" --password "$PASSWORD" --file "$FILE"
xcrun notarytool submit --apple-id "$USERNAME" --password "$PASSWORD" --team-id "$TEAMID" --wait "$FILE"

Hey, I've just started to use the notarytool. Still got some weirdness.
I'm getting an error:
Help: -d <key-id> App Store Connect API Key ID. Usually alphanumeric characters.
I don't use the Apple store, is that where that comes from? And my normal ID still brings up the error above. I don't know any other 10 letter/number key to use.
Last edited by quikquak on Mon Jun 05, 2023 6:27 pm, edited 2 times in total.
Dave Hoskins. http://www.quikquak.com
- KVRAF
- 7933 posts since 12 Feb, 2006 from Helsinki, Finland
If I recall correctly, take any fresh macOS system, open terminal and type "xcode-select --install" and it'll fetch and install the command line tools for you. You might have to click "agree" on some licence prompt, but that's it.
- KVRian
- 872 posts since 6 Aug, 2005 from England
I just set up a notary keychain profile, which I can use for everything.
I followed these instructions:
https://youtu.be/2xJcMzoi0EI
And it worked perfectly, the new notarytool is a lot faster than the old way.
Dave Hoskins. http://www.quikquak.com
- KVRAF
- 1748 posts since 2 Jul, 2018
Some useful info for people on BigSur or those who do not want to migrate their current XCode version to XCode 13.2 or higher (as their projects might break).
You do not need to migrate your projects to XCode13 to be able to use notarytool. Instead you can stick with your old XCode version (in my case 12.5). You just need to download and install the 'Command Line Tools for XCode 13.2' from Apple Developer.
Update:
Things seem to be buggy from Apple's side. I am getting weird errors (which can be ignored?):
objc[2131]: Class SPExecutionPolicy is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined.
objc[2131]: Class AppWrapper is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined.
...
Last edited by Markus Krause on Fri Aug 18, 2023 9:35 am, edited 1 time in total.
- KVRAF
- 1748 posts since 2 Jul, 2018
altool will stop working on November the 1st 2023. After this date you can no longer use it. You must use notarytool instead.
Here is a short tutorial on how you can migrate from altool and notarize your stuff.
1) Compile your plugin or App
2) Codesign the App:
Code: Select all
codesign --force -s 'Developer ID Application: YourName (XYZ123456789)' -v "/YourApp.app" --deep --strict --options=runtime --timestamp
Codesign a VST3 plugin
Code: Select all
codesign -s 'Developer ID Application: YourName (XYZ123456789)' "/YourPlugin.vst3" --timestamp --force
3) Build the installer
4) Sign the installer:
Code: Select all
sudo productsign --sign 'Developer ID Installer: YourName (XYZ123456789)' 'unsigned.pkg' 'signed.pkg'
5) Upload and notarize:
Code: Select all
xcrun notarytool submit --apple-id "your@email.com" --password "abcd-defg-hijk-lmno" --team-id "XYZ123456789" --wait signed.pkg
6) Staple
Code: Select all
sudo xcrun stapler staple signed.pkg
Note: sudo is essential here. Otherwise this won't work.
7) Test
Code: Select all
spctl -a -vvv -t install "signed.pkg"
Further notes:
Things seem to be buggy from Apple's side.
- KVRAF
- Topic Starter
- 5428 posts since 18 Jul, 2002
The original post has been revised and updated, using the notary tool in place of the now-deprecated altool. This change has significantly expedited the process. Additionally, both the process and its verification are now accessible through the terminal.
- KVRAF
- Topic Starter
- 5428 posts since 18 Jul, 2002
Markus Krause wrote: ↑Fri Aug 18, 2023 9:27 am
6) Staple
Code: Select all
sudo xcrun stapler staple signed.pkg
Note: sudo is essential here. Otherwise this won't work.

Works here without sudo.
- KVRer
- 21 posts since 25 Jan, 2013
I have been receiving a few user reports lately getting "Apple cannot check it for malicious software" errors.
These are plugins notarized with altool a few months ago (when the service was still up), and distributed directly in zip files (i.e. not stapled).
This means Apple has to reach its gatekeeper service, and I insist in the installation instructions that the Mac must be online the first time the plugin is run.
So far I have had very few problems with this approach over the years, but the recent surge of user reports and the deprecation of the altool method (which is supposed not to impact already notarized software) makes me fear something might not be working properly on Apple's side.
Any similar experience out there?
EDIT: I just realized vst3/component files could indeed be stapled...
I don't know why I was convinced only pkg and dmg could be stapled, and plugins distributed in zip had to resort to online checking.
Hopefully this will solve my problem, which I am probably alone to face as the one and only stupid enough person to notarize a plugin without stapling it
- KVRAF
- Topic Starter
- 5428 posts since 18 Jul, 2002
fuo wrote: ↑Fri Nov 24, 2023 11:37 pm
EDIT: I just realized vst3/component files could indeed be stapled...
I don't know why I was convinced only pkg and dmg could be stapled, and plugins distributed in zip had to resort to online checking.
Hopefully this will solve my problem, which I am probably alone to face as the one and only stupid enough person to notarize a plugin without stapling it

If you choose to distribute your plugins via a simple ZIP file, it is still necessary to notarize them. While it's not possible to staple a ZIP file directly, you can staple the contents after the ZIP has been notarized and then proceed to package them.
- KVRer
- 21 posts since 25 Jan, 2013
Thank you for confirming this.
Do you reckon I can just run "xcrun stapler staple" on each plugin that has been notarized months ago and it will work as intended?
The command does report a success and puts a 1.6KB "CodeResources" file in the "Contents" directory. I simply hope it is okay to staple software that was notarized with a now deprecated method.
- KVRAF
- Topic Starter
- 5428 posts since 18 Jul, 2002
It should work as intended. The command's success and the addition of a 1.6KB "CodeResources" file to the "Contents" directory are positive indicators. It should be acceptable to staple software that was notarized using a method that is now deprecated, provided the notarization remains valid. However, notarizing and stapling with the latest tools is indeed a wise approach to ensure safety.
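
The ZIP route discussed above (notarize the archive, staple the bundle, package again), combined with the notary keychain profile mentioned earlier in the thread, as an added shell example that is not from any poster or from Apple. The profile name `notary-profile`, the helper names and the assumption that notarytool's JSON output is a flat object with `id` and `status` fields are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): notarize a plugin bundle for ZIP
# distribution, staple the bundle itself, then re-zip the stapled copy.
# Assumption: PROFILE was created once with
#   xcrun notarytool store-credentials "$PROFILE" --apple-id <id> --team-id <team>
# which prompts for the app-specific password, keeping it out of this script and argv.
PROFILE="${PROFILE:-notary-profile}"   # hypothetical profile name

# Extract one string field from notarytool's JSON output (flat object assumed).
json_field() {  # json_field <name> <json>
  printf '%s' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Submit an archive; succeed only when the reported status is "Accepted".
notarize() {  # notarize <archive>
  local out status id
  out=$(xcrun notarytool submit "$1" --keychain-profile "$PROFILE" \
        --wait --output-format json) || return 1
  status=$(json_field status "$out")
  id=$(json_field id "$out")
  if [ "$status" != "Accepted" ]; then
    echo "notarization status: ${status:-unknown}" >&2
    # The per-submission log names the files and issues behind the result.
    [ -n "$id" ] && xcrun notarytool log "$id" --keychain-profile "$PROFILE" >&2
    return 1
  fi
}

# Zip -> notarize -> staple the bundle -> validate -> zip again for release.
release_plugin() {  # release_plugin <bundle> <out.zip>
  local bundle="$1" zip="$2" tmp
  tmp="$(mktemp -d)/upload.zip" || return 1
  ditto -c -k --keepParent "$bundle" "$tmp" || return 1
  notarize "$tmp" || return 1
  xcrun stapler staple "$bundle" || return 1
  xcrun stapler validate "$bundle" || return 1
  # Re-create the archive so the shipped copy contains the stapled ticket.
  ditto -c -k --keepParent "$bundle" "$zip"
}

# Usage: ./release.sh MyPlugin.vst3 MyPlugin.zip
if [ "$#" -eq 2 ]; then release_plugin "$@"; fi
```

The status is checked explicitly and stapling is skipped unless it is "Accepted", so a failed submission cannot end up in the release ZIP.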