VST across Macs | CMake & AAX/AU/VST Exporting | Forum

I've given up on Notarization - I spent two days on it, read +/- 100 web pages, each either copying the other or with slightly different suggestions. Got my plugins signed, and have now found a workaround for when I've downloaded them from the web to test that: In System Preferences -> Security & Private -> General: Open Anyway. You only need to do it once, then you'll never get bothered again.

I only bought my Mac in November and my Apple Developer Subscription in January, so I have a whole year now to decide whether to discontinue support for Apple in the long run, or maybe I'll get lucky and find a way to notarize plugins, but I'm not going to lose any more sleep over it, I'm already suffering from serious fatigue.

StevieD said
I actually opened a support ticket with Apple Developer for this, as I think they should give developers commands that work. I sent the support staff member output from my auval and spctl. I'm not really hopeful of any groundbreaking progress, but I got two free support tickets with my subscription, so thought I may as well use it.  

I only got a 1st-Line response from Apple, with links to pages I'd already visited. Seems I needed to open a Code-Level support ticket, which I thought I'd done. I don't think I shall bother right now.

I have noticed though, that when creating the archive, no "product" is copied into the archive, so the required options to 'distribute' it, an essential step to getting it notarized, aren't available 

I read online that this can be caused by too few, or too many products in the archive, and that this is related to the "Skip install" option on the various targets. I tried every possible permutation of this setting across all the targets, but I always get zero Products in the archive. I also tried a scripted archive & notarization, but the error I get back when running xcodebuild -exportArchive, is indicative of the same, the missing options. It complains that the method developer-is isn't a valid method (with an empty list of methods, {}).

Is there something I can change in the cmake files to get this set up right for the build? I'm pretty new to cmake, but I've bought a book and intended to at least the basics under my belt. I've already spent far too long on this, and do have a workaround https://github.com/DoomyDwyer/ASPiKProjects/blob/main/UserGuides/workaround_macos_notarization.md

I did finally get this working, so I shall put the steps below, to help anyone else struggling with this.

I'm releasing a zip file to GitHub, not an Apple package, so archiving the product and using the Organizer to distribute it isn't appropriate for this type of distribution.

Also, it appears that Apple have changed the notarization process at some point. Websites such as KVR Audio mention executing the 

xcrun altool --notarize-app ...

command, but I could never get this working. A possibly newer? Apple page mentions using

xcrun notarytool submit ...

I've created a number of build scripts, batch files for building VST3s on Windows, and zsh scripts for building VST3 & AUs on MacOS (I'm on an M1 Silicon Mac running Big Sur) and I'm building for both Apple architectures. I'm also building multiple plugins and packaging those into 1 zip file. I shall however try to distill the steps executed in my script to the essential steps for building, signing & notarizing.

It's also quite plausible that steps are being executed which aren't strictly speaking necessary, all I can say is, that this works for me. One user downloaded my archive of arm64 Audio Units from my GitHub page, and could unpack the zip file into her ~/Library/Audio/Plug-Ins/Components directory and load them in GarageBand, without the OS raising any warnings, so I'm assuming that this notarization has worked.

These are the steps I take to build, sign & notarize my plugins. Firstly, building & signing. The essential commands are in bold:

...

# Build VST3 and AU plaugins, for the required configuration (Debug or Release) and the required platform (x86_64 or arm64)

xcodebuild -target ${project}_VST -configuration $configuration -arch $arch $extra_args
xcodebuild -target ${project}_AU_CocoaUI -configuration $configuration -arch $arch $extra_args
xcodebuild -target ${project}_AU -configuration $configuration -arch $arch $extra_args

vst3_buildfile=VST3/$configuration/$vst3file
au_buildfile=AU/$configuration/$au_file
au_bundlefile=AU/$configuration/${project}_AU.bundle

# Sign the AU bundle prior to copying it - only bother with Release builds
if [[ "$configuration" == "Release" ]] then
  developer_id=$(cat ../../developer_id.txt)
  echo "Signing $au_bundlefile as $developer_id"
  codesign --deep --force --verify --verbose --options runtime --sign "$developer_id" --arch $arch $au_bundlefile --timestamp

  # Validate signing
  codesign -d --deep -vvv $au_bundlefile
fi

# Copy bundle into component directory
echo Adding bundle file $au_bundlefile to Component $au_buildfile
cp -Rp $au_bundlefile $au_buildfile/Contents/Resources

# Only bother signing Release builds
if [[ "$configuration" == "Release" ]] then
  developer_id=$(cat ../../developer_id.txt)
  echo "Signing $vst3_buildfile as $developer_id"
  codesign --deep --force --verify --verbose --options runtime --sign "$developer_id" --arch $arch $vst3_buildfile --timestamp

  # Validate signing
  codesign -d --deep -vvv $vst3_buildfile

  echo "Signing $au_buildfile as $developer_id"
  codesign --deep --force --verify --verbose --options runtime --sign "$developer_id" --arch $arch $au_buildfile --timestamp

  # Validate signing
  codesign -d --deep -vvv $au_buildfile
fi

echo Copying $vst3_buildfile to $vst3_targetdir
sudo cp -Rp $vst3_buildfile $vst3_targetdir

# Delete symbolic link to VST3 created during build
vst3_linkdir=~/Library/Audio/Plug-Ins/VST3/
vst3_linkfile=${vst3_linkdir}$vst3file
echo "Deleting symbolic link $vst3_linkfile"
rm -R $vst3_linkfile

echo Copying $au_buildfile to $au_targetdir
sudo cp -Rp $au_buildfile $au_targetdir

echo "Waiting for 6 seconds for file copy to complete prior to AU validation..."
read -t 6

auval -v $plugintype $pluginsubtype $pluginmanufacturer

...

Zip up the VST3 or AU plugin, then submit the zip file for notarization:

archivefile=$1
keychain_profile=$(cat keychain-profile.txt)

echo Notarizing artefacts present in ${archivefile}...
xcrun notarytool submit $archivefile --keychain-profile "$keychain_profile" --wait

Then, according to my findings at least, the notarized zip file needs to be unzipped, the plugin "stapled", then, if you wish to distribute it as a zip file, zipped back up again. The for loop is present in my script because I have multiple plugins in the zip file which was submitted for notarization:

pushd $(dirname ${archivefile})

zipdirname=$(basename $archivefile)
zipdirname="${zipdirname%.*}"

unzip -q ${archivefile} -d $zipdirname

for file in "${zipdirname}"/*
do
  xcrun stapler staple $file
done

echo Rebuilding $archivefile with stapled and validated artefacts...
pushd $zipdirname
zip -rq $archivefile *
popd
rm -Rf $zipdirname

The zip file created from this process can be hosted on the Internet, and any user can download it, unpack it & load the plugins without any security prompts being raised.

It may seem a bit cumbersome having to unzip the notarized archive, staple each individual plugin, then zip them up again, and it's possible that this process could be done more efficiently, but I struggled to find other MacOS users who were willing to put in any time to help me to test this. The above process does however work for me, and so I consider it good enough, for now at least...

Sources:

https://www.kvraudio.com/forum/viewtopic.php?t=531663

https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow