I am building plug-ins for audio software. I am using the JUCE framework and I am building with VScode / CMake / Ninja / LLVM
I want to package the output, which are two bundles "Sinensis.component" (the AU plugin) and "Sinensis.vst3" (the vst3 plugin)
I am using this script :
codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".component "$PLUGIN_NAME".component/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime
pkgbuild --install-location /Library/Audio/Plug-Ins/Components --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"au --version "$VERSION" --root "$PLUGIN_NAME".component "$PLUGIN_NAME"_au.pkg
codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".vst3 "$PLUGIN_NAME".vst3/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime
pkgbuild --install-location /Library/Audio/Plug-Ins/VST3 --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"vst3 --version "$VERSION" --root "$PLUGIN_NAME".vst3 "$PLUGIN_NAME"_vst3.pkg
productbuild --synthesize --package "$PLUGIN_NAME"_au.pkg --package "$PLUGIN_NAME"_vst3.pkg distribution.xml
productbuild --distribution distribution.xml --resources Resources/ "$PLUGIN_NAME".pkg
productsign --sign "Developer ID Installer: $DEVELOPER_ID" "$PLUGIN_NAME".pkg "$PLUGIN_NAME"_installer.pkg --timestamp
xcrun notarytool submit --keychain-profile "thomas" "$PLUGIN_NAME"_installer.pkg --wait
xcrun stapler staple "$PLUGIN_NAME"_installer.pkg
feeding it distribute.sh Sinensis "Thomas Xxxxxx (<personal identifier>)" <identifier for the package> 101
I am using --force because of a post on the juce forum that I strangely cannot link to here. tl;dr the binary is signed at the build stage and needs --force to overwrite with my signature
But it ends up with error 65
Conducting pre-submission checks for Sinensis_installer.pkg and initiating connection to the Apple notary service...
Submission ID received
id: 38ba301b-f857-4408-b665-9e11e8647ca1
Upload progress: 100,00 % (6,10 MB of 6,10 MB)
Successfully uploaded file
id: 38ba301b-f857-4408-b665-9e11e8647ca1
path: /Users/thomas/Desktop/Sinensis_installer.pkg
Waiting for processing to complete.
Current status: Invalid............
Processing complete
id: 38ba301b-f857-4408-b665-9e11e8647ca1
status: Invalid
Processing: /Users/thomas/Desktop/Sinensis_installer.pkg
CloudKit query for Sinensis_installer.pkg (1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad) failed due to "Record not found".
Could not find base64 encoded ticket in response for 1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad
The staple and validate action failed! Error 65.
Looking at the log via xcrun notarytool log returns
{
"logFormatVersion": 1,
"jobId": "75fa5853-d19d-42a5-9069-4ed0d8f735be",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "Sinensis_installer.pkg",
"uploadDate": "2024-04-19T10:11:07.372Z",
"sha256": "da6457f73d1b93995392f844a25f4b9bc9750eac0555ae72854b14e270e32685",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "Sinensis_installer.pkg/Sinensis_au.pkg Contents/Payload/Library/Audio/Plug-Ins/Components/Contents/MacOS/Sinensis",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "Sinensis_installer.pkg/Sinensis_vst3.pkg Contents/Payload/Library/Audio/Plug-Ins/VST3/Contents/MacOS/Sinensis",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
}
]
}
codesign -vvv --deep --strict Sinensis.vst3
returns
Sinensis.vst3: valid on disk
Sinensis.vst3: satisfies its Designated Requirement
pkgutil --check-signature Sinensis_installer.pkg
returns
Package "Sinensis_installer.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Signed with a trusted timestamp on: 2024-04-19 10:21:59 +0000
Certificate Chain:
1. Developer ID Installer: Thomas Guillory (53B2GD4XYM)
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
E8 D7 4A 6D CD 19 56 A2 39 C9 15 00 09 06 EA 98 01 B0 AF 85 59 AA
AE 26 71 89 56 9B 54 EF 48 B3
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
F2 9C 88 CF B0 B1 BA 63 58 7F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
I tried to unpack the .pkg using pacifist as recommended in multiple threads but the bundle wasn't recognized as such, I may not have followed the correct procedure.
I've read the man page for productbuild, codesign and productsign.
I've also read the MacOS code signing technical note although I didn't understand everything clearly (especially on the nested part, which seems relevant).
The closest thing I could find was this forum post but the bundles seem to be correctly seen by macOS as a bundle and not as a folder
I am really lost at this point
may Eskimo come shed some enlightenment on my poor newbie soul 🙏
Have a nice day !
a post on the juce forum that I strangely cannot link to here.
You should be able to post the link in the clear. See tip 14 in my [I swear the title made sense when I started] Quinn’s Top Ten DevForums Tips post.
But it ends up with error 65
Error 65 means that the notarisation failed, so stapler couldn’t find a notarised ticket to apply.
Your notarisation is failing because of a code signing problem. I’m not entirely sure what that is. My general advice on this topic is in:
Looking at the commands you posted, the one thing that leapt out was this:
…/MacOs/…
That should be /MacOS/. Case problems like this generally don’t trigger an error locally, because APFS defaults to case insensitive. However, you can run into problems on case-sensitive volumes, like the one used by the notary service.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
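
The case problem described in the reply above can be caught before submission by checking that every path handed to codesign is spelled exactly as the directory listing reports it. This is an added example, not code from the thread; the helper name exact_case_path and the sample tree are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. exact_case_path is a hypothetical helper.
# Returns 0 when every component of the given path exists with exactly the
# spelling given; otherwise prints the first offending component and returns 1.
# A case-insensitive volume resolves "MacOs" to "MacOS" silently, so the
# check compares against the names the directory listing actually reports.
# Limitation: file names containing newlines are not handled.
exact_case_path() {
    target=$1
    case $target in /*) cur=/ ;; *) cur=. ;; esac
    rest=$target
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        case $comp in ''|.) continue ;; esac
        if [ "$comp" != ".." ] &&
           ! ls -A -- "$cur" 2>/dev/null | grep -Fxq -- "$comp"; then
            actual=$(ls -A -- "$cur" 2>/dev/null | grep -Fxi -- "$comp" | head -n 1)
            if [ -n "$actual" ]; then
                echo "case mismatch: '$comp' is spelled '$actual' in $cur"
            else
                echo "missing: '$comp' not found in $cur"
            fi
            return 1
        fi
        cur=${cur%/}/$comp
    done
    return 0
}

# Constructed sample tree mirroring the bundle layout in the question.
demo=$(mktemp -d)
mkdir -p "$demo/Sinensis.vst3/Contents/MacOS"
: > "$demo/Sinensis.vst3/Contents/MacOS/Sinensis"
(
    cd "$demo" || exit 1
    exact_case_path Sinensis.vst3/Contents/MacOS/Sinensis && echo "ok: exact match"
    exact_case_path Sinensis.vst3/Contents/MacOs/Sinensis || echo "rejected"
)
rm -rf "$demo"
```

The check gives the same verdict on case-insensitive and case-sensitive volumes, so it can gate the signing script on the build machine.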