Old 02-06-2020, 06:40 AM   #1
Tunca
Human being with feelings
 
Join Date: Apr 2016
Posts: 253
Steps for PKG/PLUGIN Notarization (At least for me)

Hello,

I tried to notarize my plugins to use with Catalina. I followed this topic on KVR, but it did not work.

https://www.kvraudio.com/forum/viewt...?f=33&t=531663

Then talked with Apple support. They were really fast!

Here are my steps for signing and notarizing plugins and pkg files...

First, we need an Apple Developer ID, keychain certificates for signing (Developer ID Application), and an altool password for notarization. (I guess you already have these...)

I'm using Mojave 10.14.6 and Xcode 10.3.

As I said, I followed the KVR topic but had no luck.

In Xcode type "--timestamp" in "Build Settings -> Other Code Signing Flags".

According to the KVR topic, the Packages app should already add a timestamp with your certificate, but it can't. So, we need to add it in Xcode. (At least, I had to do it like this.)

Then, use your "Developer ID Application" certificate to sign plugins in Xcode. In the target's "General" tab, you can set your "Team" and "Signing Certificate" manually. It must be the "Developer ID Application" cert. Also, if you select "Automatic Signing", Xcode will use your "Mac Developer" cert and it won't work.

Now, our Xcode settings are ready.

After building, the plugins will be signed but still need to be notarized.

Then, use this command to notarize your zip files if you share your plugins as a zip file. (Same as the KVR topic.)

Code:
xcrun altool --notarize-app --primary-bundle-id "com.company.vst.plugin" --username "USERNAME" --password "PASSWORD" --asc-provider "SHORT_PROVIDER_NAME" --file plugin.zip

But if you use .pkg, notarization will be a little different.

I'm using WhiteBox Packages to build pkg files. I imported my "DEVELOPER ID INSTALLER" certificate, but no luck. No timestamp or codesign in the Packages app.

So, I used it only to create the pkg files.

After creating the pkg file, you need to sign it manually. To do that, use this command;

Code:
codesign -s "Developer ID Application: XXX" "XXX.pkg"

Actually, it looks like it must be "Developer ID Installer". But when I use it, it says "this identity cannot be use for signing code". So, I have to use "Developer ID Application".

Now we have signed our pkg files. Time to notarize...

The notarization section is the same as KVR. Just use this command;

Code:
xcrun altool --notarize-app -f "/Users/home/Desktop/Install.pkg" --primary-bundle-id com.yourapp.pkg --username "YourAppleID" --password "YourAltoolPassword"

Note: This section is annoying because altool takes a really long time to upload and notarize your app. My pkg file is just 50MB but uploading takes around 1 hour...

Anyway, after notarization you will get an email from Apple. If your app is notarized, no worry. But if not, check your REQUEST IDENTIFIER to see the errors. It shows them really clearly and they are easy to understand.

After notarization, you can follow the same steps as in the KVR topic.

As I said, that's it, at least for me.

There are some minor differences from the KVR topic, but I solved it like this.

No idea why Packages can't use my certificate to sign and can't use a timestamp. But it's possible to do these steps manually.

Actually, it's really easy...

Hope someone finds this topic useful.

Thanks.
Old 02-06-2020, 09:22 AM   #2
Tale
Human being with feelings
 
Join Date: Jul 2008
Location: The Netherlands
Posts: 3,057

Quote:
Originally Posted by Tunca View Post
Actually, it looks like it must be "Developer ID Installer". But when I use it, it says "this identity cannot be use for signing code". So, I have to use "Developer ID Application".
I'm not really sure, but maybe that's because you should use productsign to sign a PKG, not codesign? Anyway, that's what I do, and it seems to work.

Code:
productsign --sign "Developer ID Installer: XXX" "XXX_IN.pkg" "XXX_OUT.pkg"
Old 02-06-2020, 09:29 AM   #3
Tale
Human being with feelings
 
Join Date: Jul 2008
Location: The Netherlands
Posts: 3,057

And also:

Quote:
Originally Posted by Tunca View Post
Note: This section is annoying because altool takes a really long time to upload and notarize your app. My pkg file is just 50MB but uploading takes around 1 hour...
I think you can ZIP your PKG before uploading, which might speed up things a bit. However, I was too lazy to test this myself (and my upload is fast enough anyway).

Quote:
Originally Posted by Tunca View Post
No idea about why Packages can't use my certificate to sign and can't use timestamp.
Which version of Packages are you running? Because I think this was fixed in 1.2.8.
Old 02-06-2020, 10:44 AM   #4
Tunca
Human being with feelings
 
Join Date: Apr 2016
Posts: 253

Hi Tale,

Thanks for the reply.

Code:
productsign --sign "Developer ID Installer: XXX" "XXX_IN.pkg" "XXX_OUT.pkg"

Hmm... I had no idea about that. I will test it for the final release.

With this command, will it generate a new signed pkg? Should I change the output pkg name?

About Packages, I used version 1.2.7. I guess 1.2.8 is "really" new. Will check it!

And uploading... In Turkey, upload and download speeds are really slow! My download speed: 6.9 Mbps and upload speed: 0.7 Mbps... I want to cry...

EDIT:

Just tested the latest Packages version, but no luck again... After the "codesign -d -vvv" command, I'm getting this error: "code object is not signed at all"

Last edited by Tunca; 02-06-2020 at 10:52 AM.
Old 02-06-2020, 11:51 AM   #5
Tunca
Human being with feelings
 
Join Date: Apr 2016
Posts: 253

I just tried this one, but after checking, it says "code is not signed at all"

Code:
productsign --sign "Developer ID Installer: XXX" "XXX_IN.pkg" "XXX_OUT.pkg"

And tried this command;

Code:
codesign -s "Developer ID Application: XXX" "XXX.pkg"

Then I checked whether it's signed or not. And it's signed!
Old 02-06-2020, 05:13 PM   #6
Nonlinear
Human being with feelings
 
Join Date: Apr 2018
Posts: 293

You have your signing and notarizing steps in the wrong order. You have to sign the binary with a certified Apple Developer cert first, then create the package, then notarize the package as the final step.

I sign the binary in Xcode
Then ZIP the plugin
Then notarize the zip file
Old 02-07-2020, 02:02 AM   #7
Tunca
Human being with feelings
 
Join Date: Apr 2016
Posts: 253

Quote:
Originally Posted by Nonlinear View Post
You have your signing and notarizing steps in the wrong order. You have to sign the binary with a certified Apple Developer cert first, then create the package, then notarize the package as the final step.

I sign the binary in Xcode
Then ZIP the plugin
Then notarize the zip file
No, I'm already signing the binaries in Xcode with my certificate while building.

Then I create the pkg file, but Packages can't sign it, even if I import my certificate.

Pkg files must be signed too. This is the second step, but Packages can't sign. So, I need to sign my pkg manually.
Old 02-07-2020, 02:07 AM   #8
Tale
Human being with feelings
 
Join Date: Jul 2008
Location: The Netherlands
Posts: 3,057

Quote:
Originally Posted by Tunca View Post
Just tested the latest Packages version, but no luck again... After the "codesign -d -vvv" command, I'm getting this error: "code object is not signed at all"
Are you sure you've checked the output file, and not the input file?
Old 02-07-2020, 05:15 AM   #9
Tunca
Human being with feelings
 
Join Date: Apr 2016
Posts: 253

Quote:
Originally Posted by Tale View Post
Are you sure you've checked the output file, and not the input file?
Yes, only the output file, but it says not signed.
Old 02-07-2020, 05:49 AM   #10
Tale
Human being with feelings
 
Join Date: Jul 2008
Location: The Netherlands
Posts: 3,057

Wait, you're checking this with codesign, right? I guess you need to check with pkgutil:

Code:
pkgutil --check-signature XXX.pkg
Old 02-07-2020, 06:03 AM   #11
Tunca
Human being with feelings
 
Join Date: Apr 2016
Posts: 253

Quote:
Originally Posted by Tale View Post
Wait, you're checking this with codesign, right? I guess you need to check with pkgutil:

Code:
pkgutil --check-signature XXX.pkg

Hmm, didn't know that. Will check it.
Old 02-07-2020, 07:33 AM   #12
Tunca
Human being with feelings
 
Join Date: Apr 2016
Posts: 253

Yes!

I just made the pkg with Packages with my cert. Then I used this command: "pkgutil --check-signature XXX.pkg".

And it says that it's signed!

I had no idea about pkgutil. Thanks for letting me know!
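The pipeline this thread converges on (sign the plugin bundle with codesign, sign the installer package with productsign, verify the package with pkgutil rather than codesign, then notarize and staple), written out as one script. This is an added example, not code from any of the posts above or from Packages, and it makes assumptions: the certificate names, bundle ID, Apple ID, file paths and the keychain item AC_PASSWORD are placeholders; altool is used because it was Apple's notarization client when this thread was written (Xcode 13 later replaced it with notarytool). The helper functions that parse pkgutil and altool output are kept free of side effects so they can be exercised with constructed sample output on a machine without the Apple tools; the pipeline itself only runs when RUN_PIPELINE=1 is set.

```shell
#!/bin/sh
# Added example: sign -> package -> sign pkg -> verify -> notarize -> staple.
# All identities, IDs and paths below are placeholders (assumptions).
set -eu

APP_IDENTITY="Developer ID Application: XXX"     # placeholder: signs code (bundles, Mach-O)
INSTALLER_IDENTITY="Developer ID Installer: XXX" # placeholder: signs flat .pkg files
BUNDLE_ID="com.company.vst.plugin"               # placeholder
APPLE_ID="YourAppleID"                           # placeholder
PLUGIN="build/Plugin.vst"                        # placeholder bundle built by Xcode
PKG_IN="build/Install-unsigned.pkg"              # placeholder: what Packages produced
PKG_OUT="build/Install.pkg"                      # placeholder: productsign output

# 1. Sign the plugin bundle. A secure timestamp and the hardened runtime
#    (--options runtime) are both required by the notarization service.
sign_bundle() {
  codesign --force --options runtime --timestamp --sign "$APP_IDENTITY" "$1"
  codesign --verify --deep --strict --verbose=2 "$1"
}

# 2. Sign the installer package. productsign stores the signature inside the
#    xar archive; codesign never reads that, which is why "codesign -dvvv" on
#    a productsign'd .pkg still says "code object is not signed at all".
#    The input and output paths must differ, as in the thread.
sign_pkg() {
  productsign --sign "$INSTALLER_IDENTITY" "$1" "$2"
}

# Pure helpers that only parse tool output (testable without Xcode).
pkg_status_from_output() {            # $1: text printed by `pkgutil --check-signature`
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Status: //p' | head -n 1
}
pkg_signed_by_developer_id() {        # succeeds only for a signed pkg whose chain
  status=$(pkg_status_from_output "$1")                # holds a Developer ID Installer cert
  case "$status" in
    signed*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -q 'Developer ID Installer:'
}
request_uuid_from_output() {          # $1: stdout of `xcrun altool --notarize-app`
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*RequestUUID = //p' | head -n 1
}

# 3. Verify the package the way Installer and Gatekeeper will, not with codesign.
check_pkg() {
  out=$(pkgutil --check-signature "$1")
  pkg_signed_by_developer_id "$out" || {
    echo "$1 is not signed with a Developer ID Installer certificate" >&2
    return 1
  }
}

# 4. Upload for notarization, poll until the request finishes, staple the
#    ticket so the pkg validates offline, and run the Gatekeeper assessment.
#    The password is read from a keychain item so it never lands in shell history.
notarize_pkg() {
  out=$(xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
        --username "$APPLE_ID" --password "@keychain:AC_PASSWORD" --file "$1")
  uuid=$(request_uuid_from_output "$out")
  [ -n "$uuid" ] || { echo "no RequestUUID in altool output" >&2; return 1; }
  until xcrun altool --notarization-info "$uuid" --username "$APPLE_ID" \
          --password "@keychain:AC_PASSWORD" | grep -q 'Status: success'; do
    sleep 30
  done
  xcrun stapler staple "$1"
  spctl --assess --type install --verbose "$1"
}

main() {
  sign_bundle "$PLUGIN"
  sign_pkg "$PKG_IN" "$PKG_OUT"
  check_pkg "$PKG_OUT"
  notarize_pkg "$PKG_OUT"
}

# The real pipeline needs macOS with Xcode tools; run it only on request.
if [ "${RUN_PIPELINE:-0}" = 1 ]; then
  main
fi
```

Run it with `RUN_PIPELINE=1 sh sign_and_notarize.sh` after creating the keychain item. The point to take from the thread is in `check_pkg`: a .pkg signed with codesign and a Developer ID Application certificate will show up as "signed" under `codesign -dvvv`, but that signature is not what Installer or Gatekeeper evaluate for a package, so the check that matters is `pkgutil --check-signature` reporting a Developer ID Installer chain.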