Notarizing a user-space CoreAudio driver (aka AudioServerPlugin)

I have an application that works in conjunction with a user-space CoreAudio driver (aka AudioServerPlugin) (see https://github.com/q-p/SoundPusher if you're curious -- it's open source). As far as I'm aware, these plug-ins are already sandboxed. How do I go about hardening / notarizing this plug-in? Note: This is a plug-in for the macOS audio system, not really my app (although my app will look for the sound-device provided by this driver and read from it). I assume notarizing the app itself (it's already code-signed and only needs "microphone" entitlement to access audio-input from my user-space driver) as well as the installer that contains both the app and driver happens as usual...?

Accepted Reply

Thanks Quinn, I (think I) got it to work... It is a flat-package (`.pkg`) installer. I was unclear on how the notarization for an installer package works (in that it is only used as a container that can contain multiple items to be notarized), but after figuring out I can just upload the .pkg (and don't have to notarize the contents separately) I eventually got it working.

Biggest hurdle was figuring out how to ensure that `--timestamp` was included while code-signing (=> `OTHER_CODE_SIGN_FLAGS`), as that is needed for some included .dylibs.

Then I had to learn the hard way that entitlements for sandbox and hardened run-time access are separate, and that one should not enable the "Hardened run-time" project-wide, but only for individual targets (otherwise the entitlements are not handled correctly by Xcode's Capabilities UI).

One thing I'm slightly unclear with the stapling, though:
I have a ticket that covers the installer and everything it contains. I can staple the ticket to the installer, as well as individual copies of the included app & driver. *But* the copies of the app & driver included in the installer obviously are not stapled (only the installer is). Can this be a problem?
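As an added example (not code from the thread or from the SoundPusher project), a small POSIX shell check for the two things that tripped up the signing step above: that each component inside the `.pkg` was signed with a secure timestamp (`--timestamp`) and with the hardened runtime flag, plus a Developer ID identity. It parses the report format of `codesign -dvvv`; the bundle path, identifier, and team ID in the sample reports are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a component destined for a
# notarized .pkg carries a secure timestamp, the hardened runtime flag and a
# Developer ID signature. Report format is that of `codesign -dvvv` (stderr).

# check_signature_report: read a `codesign -dvvv` report on stdin; return 0
# only if all three properties are present, otherwise name what is missing.
check_signature_report() {
    report=$(cat)
    status=0
    if ! printf '%s\n' "$report" | grep -q '^Timestamp='; then
        echo "missing: secure timestamp (sign with --timestamp)"; status=1
    fi
    if ! printf '%s\n' "$report" | grep -q '^CodeDirectory .*flags=.*runtime'; then
        echo "missing: hardened runtime flag (enable it on this target)"; status=1
    fi
    if ! printf '%s\n' "$report" | grep -q '^Authority=Developer ID Application:'; then
        echo "missing: Developer ID Application signing identity"; status=1
    fi
    return $status
}

# audit_bundle: run the check against a real bundle or dylib on macOS.
# Usage: audit_bundle /Library/Audio/Plug-Ins/HAL/YourDriver.driver
audit_bundle() {
    codesign -dvvv "$1" 2>&1 | check_signature_report
}

# Constructed sample reports (placeholder paths, identity and team ID; not
# output captured from any real product). GOOD_REPORT is a correctly signed
# driver; BAD_REPORT was signed without --timestamp or the runtime option.
GOOD_REPORT='Executable=/Library/Audio/Plug-Ins/HAL/Example.driver/Contents/MacOS/Example
Identifier=com.example.driver
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+3 location=embedded
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 10, 2019 at 10:00:00 AM
TeamIdentifier=TEAMID0000
Runtime Version=10.14.0'
BAD_REPORT='Executable=/Library/Audio/Plug-Ins/HAL/Example.driver/Contents/MacOS/Example
Identifier=com.example.driver
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Authority=Developer ID Application: Example Corp (TEAMID0000)
TeamIdentifier=TEAMID0000'
```

Run `audit_bundle` over every `.driver`, `.app` and `.dylib` that goes into the package before uploading it, since the notarization service rejects the whole `.pkg` when any nested component lacks these.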

Replies

I’ve never tried notarising a CoreAudio driver but, as it’s a bundle that contains code, I can’t see any reason why it wouldn’t work. I think this is a case of s*ck it and see [1].

I assume notarizing the app itself … as well as the installer that contains both the app and driver happens as usual...?

Is this a custom installer? Or a package (`.pkg`) for the Apple Installer?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] *chuckle* The fact that I had to disguise the word s*ck in order to post this reference is deliciously ironic.


Can this be a problem?

Do you ever distribute these components outside of the installer? If not, I think you’ll be fine. The ticket stapled to the installer covers all the component parts.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"