Post not yet marked as solved
Hi everyone !
This post is a following of this one.
I'm trying to make a .pkg out of two bundles that lands in two different folders, namely :
~/Library/Audio/Plug-Ins/VST3
~/Library/Audio/Plug-Ins/Components
I am still using the script described in the previous post.
The installer works fine on the computer that builds the package, on another computer in installs successfully but the aforementioned folders remains empty.
My main computer is a MPB M1 (Ventura), I also have a 2015 MBA (Monterey). I tried to make the package on the air and the problem is the same : works on the machine that makes it, not on the receiver.
When I try to install to Desktop for test purposes :
The MPB correctly ask me for
password / touch ID to install
permission to use desktop
permission to access file in the downloads (which are the extracted file of the .pkg I guess).
But nothings happens.
The package correctly indicate an installation of ~30Mo so it is not empty.
I also tried using the mid process package for one of the two files with the same problem.
I tried to use the CLI installer in verbose mode but it doesn't gave much information on what it is actually doing.
My two main guess would be :
already existing package ID
permissions stuff
But I don't really know how i could test for this...
I would be grateful for any insights,
Have a nice day !
-Thomas
PS : I haven't found a "package" or "distribution" tag so I used the debugging one, feel free to modify if something seems more appropriate
I am building plug-ins for audio software.
I am using the JUCE framework and I am building with VScode / CMake / Ninja / LLVM
I want to package the output, which are two bundles "Sinensis.component" (the AU plugin) and "Sinensis.vst3" (the vst3 plugin)
I am using this script :
codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".component "$PLUGIN_NAME".component/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime
pkgbuild --install-location /Library/Audio/Plug-Ins/Components --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"au --version "$VERSION" --root "$PLUGIN_NAME".component "$PLUGIN_NAME"_au.pkg
codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".vst3 "$PLUGIN_NAME".vst3/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime
pkgbuild --install-location /Library/Audio/Plug-Ins/VST3 --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"vst3 --version "$VERSION" --root "$PLUGIN_NAME".vst3 "$PLUGIN_NAME"_vst3.pkg
productbuild --synthesize --package "$PLUGIN_NAME"_au.pkg --package "$PLUGIN_NAME"_vst3.pkg distribution.xml
productbuild --distribution distribution.xml --resources Resources/ "$PLUGIN_NAME".pkg
productsign --sign "Developer ID Installer: $DEVELOPER_ID" "$PLUGIN_NAME".pkg "$PLUGIN_NAME"_installer.pkg --timestamp
xcrun notarytool submit --keychain-profile "thomas" "$PLUGIN_NAME"_installer.pkg --wait
xcrun stapler staple "$PLUGIN_NAME"_installer.pkg
feeding it distribute.sh Sinensis "Thomas Xxxxxx (<personal identifier>)" <indentifier for the package> 101
I am using --force because of a post on the juce forum that I strangely cannot link to here. tl;dr the binary is signed at the build stage and need --force to overwrite with my signature
But it ends up with error 65
Conducting pre-submission checks for Sinensis_installer.pkg and initiating connection to the Apple notary service...
Submission ID received
id: 38ba301b-f857-4408-b665-9e11e8647ca1
Upload progress: 100,00 % (6,10 MB of 6,10 MB)
Successfully uploaded file
id: 38ba301b-f857-4408-b665-9e11e8647ca1
path: /Users/thomas/Desktop/Sinensis_installer.pkg
Waiting for processing to complete.
Current status: Invalid............
Processing complete
id: 38ba301b-f857-4408-b665-9e11e8647ca1
status: Invalid
Processing: /Users/thomas/Desktop/Sinensis_installer.pkg
CloudKit query for Sinensis_installer.pkg (1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad) failed due to "Record not found".
Could not find base64 encoded ticket in response for 1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad
The staple and validate action failed! Error 65.
Looking at the log via xcrun notarytool log return
{
"logFormatVersion": 1,
"jobId": "75fa5853-d19d-42a5-9069-4ed0d8f735be",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "Sinensis_installer.pkg",
"uploadDate": "2024-04-19T10:11:07.372Z",
"sha256": "da6457f73d1b93995392f844a25f4b9bc9750eac0555ae72854b14e270e32685",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "Sinensis_installer.pkg/Sinensis_au.pkg Contents/Payload/Library/Audio/Plug-Ins/Components/Contents/MacOS/Sinensis",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "Sinensis_installer.pkg/Sinensis_vst3.pkg Contents/Payload/Library/Audio/Plug-Ins/VST3/Contents/MacOS/Sinensis",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
}
]
}
codesign -vvv --deep --strict Sinensis.vst3 returns
Sinensis.vst3: valid on disk
Sinensis.vst3: satisfies its Designated Requirement
pkgutil --check-signature Sinensis_installer.pkg returns
Package "Sinensis_installer.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Signed with a trusted timestamp on: 2024-04-19 10:21:59 +0000
Certificate Chain:
1. Developer ID Installer: Thomas Guillory (53B2GD4XYM)
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
E8 D7 4A 6D CD 19 56 A2 39 C9 15 00 09 06 EA 98 01 B0 AF 85 59 AA
AE 26 71 89 56 9B 54 EF 48 B3
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
F2 9C 88 CF B0 B1 BA 63 58 7F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
I tried to unpack the .pkg using pacifist as recommended in multiple thread but the bundle wasn't recognized as such, I may have not follow the correct procedure.
I've read the man page for productbuild, codesign and productsign.
I've also read the MacOS code signing technical note althought I didn't understood everything clearly (especially on the nested part, which seems relevant).
The closest thing I could find was this forum post but the bundles seems to be correctly seen by MacOs as a bundle and not as a folder
I really lost at this point
may Eskimo come shed some enlightenment on my poor newbie soul 🙏
Have a nice day !
LNDF.