Codesigning binaries in bundle

I am building plug-ins for audio software. I am using the JUCE framework and I am building with VS Code / CMake / Ninja / LLVM.

I want to package the output, which is two bundles: "Sinensis.component" (the AU plugin) and "Sinensis.vst3" (the VST3 plugin).

I am using this script:

#!/bin/sh
# distribute.sh -- the four arguments, in the order of the invocation shown below:
PLUGIN_NAME="$1"    # e.g. Sinensis
DEVELOPER_ID="$2"   # "Name (Team ID)" as it appears in the certificate name
IDENTIFIER="$3"     # package identifier prefix
VERSION="$4"        # e.g. 101

# Sign the AU bundle's executable with the Developer ID Application certificate,
# replacing the signature applied at build time (--force) and enabling the
# hardened runtime (-o runtime is the short form of --options runtime).
codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".component "$PLUGIN_NAME".component/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime

# Build and sign the AU component package.
pkgbuild --install-location /Library/Audio/Plug-Ins/Components --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"au --version "$VERSION" --root "$PLUGIN_NAME".component "$PLUGIN_NAME"_au.pkg

# Same two steps for the VST3 bundle.
codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".vst3 "$PLUGIN_NAME".vst3/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime

pkgbuild --install-location /Library/Audio/Plug-Ins/VST3 --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"vst3 --version "$VERSION" --root "$PLUGIN_NAME".vst3 "$PLUGIN_NAME"_vst3.pkg

# Combine both component packages into one distribution package, sign it,
# submit it for notarization and staple the resulting ticket.
productbuild --synthesize --package "$PLUGIN_NAME"_au.pkg --package "$PLUGIN_NAME"_vst3.pkg distribution.xml

productbuild --distribution distribution.xml --resources Resources/ "$PLUGIN_NAME".pkg

productsign --sign "Developer ID Installer: $DEVELOPER_ID" "$PLUGIN_NAME".pkg "$PLUGIN_NAME"_installer.pkg --timestamp

xcrun notarytool submit --keychain-profile "thomas" "$PLUGIN_NAME"_installer.pkg --wait

xcrun stapler staple "$PLUGIN_NAME"_installer.pkg

feeding it: distribute.sh Sinensis "Thomas Xxxxxx (<personal identifier>)" <identifier for the package> 101

I am using --force because of a post on the JUCE forum that I strangely cannot link to here. tl;dr: the binary is signed at the build stage and needs --force to overwrite it with my signature.

But it ends up with error 65

Conducting pre-submission checks for Sinensis_installer.pkg and initiating connection to the Apple notary service...
Submission ID received
  id: 38ba301b-f857-4408-b665-9e11e8647ca1
Upload progress: 100,00 % (6,10 MB of 6,10 MB)
Successfully uploaded file
  id: 38ba301b-f857-4408-b665-9e11e8647ca1
  path: /Users/thomas/Desktop/Sinensis_installer.pkg
Waiting for processing to complete.
Current status: Invalid............
Processing complete
  id: 38ba301b-f857-4408-b665-9e11e8647ca1
  status: Invalid
Processing: /Users/thomas/Desktop/Sinensis_installer.pkg
CloudKit query for Sinensis_installer.pkg (1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad) failed due to "Record not found".
Could not find base64 encoded ticket in response for 1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad
The staple and validate action failed! Error 65.

Looking at the log via xcrun notarytool log returns

{
  "logFormatVersion": 1,
  "jobId": "75fa5853-d19d-42a5-9069-4ed0d8f735be",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "Sinensis_installer.pkg",
  "uploadDate": "2024-04-19T10:11:07.372Z",
  "sha256": "da6457f73d1b93995392f844a25f4b9bc9750eac0555ae72854b14e270e32685",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Sinensis_installer.pkg/Sinensis_au.pkg Contents/Payload/Library/Audio/Plug-Ins/Components/Contents/MacOS/Sinensis",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Sinensis_installer.pkg/Sinensis_vst3.pkg Contents/Payload/Library/Audio/Plug-Ins/VST3/Contents/MacOS/Sinensis",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    }
  ]
}

codesign -vvv --deep --strict Sinensis.vst3 returns

Sinensis.vst3: valid on disk
Sinensis.vst3: satisfies its Designated Requirement

pkgutil --check-signature Sinensis_installer.pkg returns

Package "Sinensis_installer.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2024-04-19 10:21:59 +0000
   Certificate Chain:
    1. Developer ID Installer: Thomas Guillory (53B2GD4XYM)
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           E8 D7 4A 6D CD 19 56 A2 39 C9 15 00 09 06 EA 98 01 B0 AF 85 59 AA 
           AE 26 71 89 56 9B 54 EF 48 B3
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 
           F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24

I tried to unpack the .pkg using Pacifist as recommended in multiple threads, but the bundle wasn't recognized as such; I may not have followed the correct procedure.

I've read the man page for productbuild, codesign and productsign.

I've also read the macOS code signing technical note, although I didn't understand everything clearly (especially the nested part, which seems relevant).

The closest thing I could find was this forum post, but the bundles seem to be correctly seen by macOS as bundles and not as folders.

I'm really lost at this point.

may Eskimo come shed some enlightenment on my poor newbie soul 🙏

Have a nice day!

Answered by DTS Engineer in 785911022

a post on the juce forum that I strangely cannot link to here.

You should be able to post the link in the clear. See tip 14 in my [I swear the title made sense when I started] Quinn’s Top Ten DevForums Tips post.

But it ends up with error 65

Error 65 means that the notarisation failed, so stapler couldn’t find a notarised ticket to apply.

Your notarisation is failing because of a code signing problem. I’m not entirely sure what that is. My general advice on this topic is in:

Looking at the commands you posted, the one thing that leapt out was this:

…/MacOs/…

That should be /MacOS/. Case problems like this generally don’t trigger an error locally, because APFS defaults to case insensitive. However, you can run into problems on case-sensitive volumes, like the one used by the notary service.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
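As an added example (not from the thread or from Apple): a POSIX shell check that confirms the executable path handed to codesign exists with exactly the spelling used, byte-for-byte, so a Contents/MacOs typo is caught locally on a case-insensitive APFS volume instead of by the notary service. The bundle layout it creates under a temporary directory is constructed for the demonstration, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the thread: check that a bundle path exists with
# exactly the spelling given, byte-for-byte. On the default case-insensitive
# APFS volume, "[ -f Contents/MacOs/Foo ]" succeeds even when the directory is
# really "MacOS", so a misspelt path in a signing script goes unnoticed until a
# case-sensitive system (such as the notary service) looks at the package.

# Returns 0 only if each component of the path "$1" matches a directory entry
# exactly (comparison is done on the listed names, not via a filesystem lookup).
exact_case_path() {
    p=$1
    cur="."
    case $p in /*) cur="/" ;; esac
    oldifs=$IFS
    IFS=/
    set -f            # no globbing while the components are split
    set -- $p
    set +f
    IFS=$oldifs
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        [ "$comp" = "." ] && continue
        # grep -Fxq: fixed string, whole line, so "MacOs" never matches "MacOS"
        ls -A "$cur" | grep -Fxq -- "$comp" || return 1
        cur="${cur%/}/$comp"
    done
    return 0
}

# Convenience wrapper for the layout codesign is handed in the script above:
# <bundle>/Contents/MacOS/<executable>.
check_bundle_executable() {
    exact_case_path "$1/Contents/MacOS/$2"
}

# Builds a constructed stand-in bundle (an empty executable file) under "$1".
make_demo_bundle() {
    mkdir -p "$1/Sinensis.vst3/Contents/MacOS"
    : > "$1/Sinensis.vst3/Contents/MacOS/Sinensis"
}

# Demonstration: the correctly spelt path passes, the "MacOs" variant does not.
demo=$(mktemp -d)
make_demo_bundle "$demo"
check_bundle_executable "$demo/Sinensis.vst3" Sinensis && echo "Contents/MacOS: exact match"
exact_case_path "$demo/Sinensis.vst3/Contents/MacOs/Sinensis" || echo "Contents/MacOs: no exact match, fix the path before signing"
rm -rf "$demo"
```

Running the check against each path in a signing script before codesign is invoked turns a notary-side "signature of the binary is invalid" into a local, pre-upload failure.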

