Notarize plugins for Gatekeeper

To avoid Gatekeeper warnings, Apple requires the software to be signed and notarized under an Apple Developer account ($99 a year). For my workflow, I will try to support Sierra 10.12 as the minimum system, so I build on Sierra and notarize on Catalina. Others can do all of this on a single Mac.

Register for an Apple Developer account.

Generate an app-specific password.

  1. Sign in to your Apple ID account page.
  2. In the Security section, click Generate Password under App-Specific Passwords.
  3. Give the password a name such as “Software Notarization”. Take note of the password shown to you upon confirmation and copy it to a safe place; Apple will not show it again.
  4. In Keychain Access on the Catalina Mac, select the login keychain and manually add a new password item (⌘N). Give it a name such as “Software Notarization” (it need not be identical to the previous step’s name, but it is the name your build script will look up). Enter your Apple ID (e-mail) as the account name and the app-specific password generated on the Apple ID account page as the password. The build script references this keychain item instead of hard-coding the password into your build files, which matters if you host your files in a public repository.

In the commands below the plug-in is PlugName.plugin at version 1.5.3; the other placeholders are the Developer ID certificate name, “Developer ID Application: Your Name”, and the Apple ID e-mail, “your.email@domain.com”. Replace them with your own values.

If you get the error – *** Error: code -1003 (No command was specified. Unable to run altool.) – the command was most likely pasted with typographic punctuation. altool needs straight double quotes (") and two plain hyphens (--) in front of each option name; curly quotes (“ ”) and en/em dashes (– —) are passed through as ordinary arguments, so altool sees no command at all.

In Sierra, using Terminal –

Remove extended attributes (resource forks, Finder info, quarantine flags), which would otherwise invalidate the signature :: xattr -cr PlugName.plugin

Sign the plug-in using the Developer ID Application certificate stored in your keychain :: codesign --deep -s "Developer ID Application: Your Name" -f PlugName.plugin

Compress the plug-in using ditto, keeping the bundle as the top-level entry of the archive :: ditto -c -k --keepParent --rsrc PlugName.plugin PlugName.plugin.notarize.zip

In Catalina, using Terminal –

Send the zip file to Apple for notarization :: xcrun altool --notarize-app --primary-bundle-id "PlugName" --username "your.email@domain.com" --password "@keychain:Software Notarization" --file PlugName.plugin.notarize.zip

The --primary-bundle-id value is only used to identify this submission in Apple’s notifications, so any string works, though the plug-in’s reverse-DNS bundle identifier is the conventional choice. The name after @keychain: must match the keychain item you created in step 4. (Note that altool’s notarization commands have since been retired by Apple in favour of xcrun notarytool; the commands here are the Catalina-era workflow.)

Wait for an e-mail from Apple telling you that the notarization succeeded. It usually takes about 5 minutes. Alternatively, poll with xcrun altool --notarization-info <RequestUUID> (the RequestUUID is printed by the upload command); if the status is invalid, the LogFileURL in that output lists the reasons.

Unpack the bundle, because the ticket is stapled to the bundle itself and cannot be stapled to a zip archive :: unzip PlugName.plugin.notarize.zip

Staple the notarization ticket so Gatekeeper can verify the plug-in even when the machine is offline :: xcrun stapler staple -v PlugName.plugin

Zip the stapled bundle for distribution :: ditto -c -k --keepParent --rsrc PlugName.plugin PlugName.plugin_v1.5.3.zip
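The whole procedure as one script, added here as an example and not the author’s own build script. It covers both halves (the Sierra signing step and the Catalina notarize-and-staple step) and adds the two checks the text above motivates: it refuses to run if any configured value contains the curly quotes or dashes that trigger the -1003 error, and it polls altool for the result instead of waiting for the e-mail. The bundle identifier com.example.plugname is an assumption, as are the plug-in name, version, certificate name and keychain item name, which are the placeholders used throughout this post. The codesign line also adds --timestamp and --options runtime, which Apple’s notary service requires (secure timestamp and hardened runtime) and which the command above omits. The sample altool output embedded at the top is constructed to exercise the parsers offline; it is not a real response.

```bash
#!/bin/bash
# Added example, not the post's script. Assumed placeholders: PlugName.plugin,
# 1.5.3, "Developer ID Application: Your Name", keychain item "Software
# Notarization", and the bundle id com.example.plugname (pick your real one).
set -u

PLUGIN="PlugName.plugin"
VERSION="1.5.3"
BUNDLE_ID="com.example.plugname"          # assumption: reverse-DNS id of the plug-in
SIGN_ID="Developer ID Application: Your Name"
APPLE_ID="your.email@domain.com"
KEYCHAIN_ITEM="Software Notarization"     # name of the app-specific password item
ZIP="$PLUGIN.notarize.zip"

# Constructed samples of what altool prints, used to exercise the parsers offline.
SAMPLE_UPLOAD_OUTPUT='No errors uploading PlugName.plugin.notarize.zip.
RequestUUID = 2efe2717-52ef-43a5-96dc-0797e4ca1041'
SAMPLE_INFO_OUTPUT='No errors getting notarization info.

   RequestUUID: 2efe2717-52ef-43a5-96dc-0797e4ca1041
        Status: success
   Status Code: 0
Status Message: Package Approved'

# The "-1003 No command was specified" error comes from curly quotes or en/em
# dashes pasted from a web page: altool then sees "—notarize-app" as a bare
# argument. Returns 0 if the string contains any of them (bytewise, locale-safe).
has_smart_punct() {
  printf '%s' "$1" | LC_ALL=C grep -qF -e '“' -e '”' -e '‘' -e '’' -e '–' -e '—'
}

# altool --notarize-app prints "RequestUUID = <uuid>" on success; pull it out.
request_uuid_from_output() {
  printf '%s\n' "$1" | sed -n 's/^RequestUUID = \(.*\)$/\1/p' | head -n 1
}

# altool --notarization-info prints "        Status: success|in progress|invalid".
notarization_status() {
  printf '%s\n' "$1" | sed -n 's/^ *Status: \(.*\)$/\1/p' | head -n 1
}

# Store the app-specific password once. altool resolves "@keychain:<name>" by the
# item's name, so the secret never lands in the build script or the repository.
store_app_password() {
  printf 'App-specific password for %s: ' "$APPLE_ID"
  read -rs pw; echo
  security add-generic-password -a "$APPLE_ID" -s "$KEYCHAIN_ITEM" -w "$pw" -U
}

sign_and_zip() {          # Sierra half (or the same Mac)
  xattr -cr "$PLUGIN"     # drop extended attributes (resource forks, quarantine)
  # --timestamp and --options runtime: secure timestamp and hardened runtime,
  # both required by Apple's notary service; the post's command lacks them.
  codesign --deep --force --timestamp --options runtime -s "$SIGN_ID" "$PLUGIN"
  codesign --verify --deep --strict --verbose=2 "$PLUGIN"
  ditto -c -k --keepParent --rsrc "$PLUGIN" "$ZIP"
}

notarize_and_staple() {   # Catalina half
  for v in "$BUNDLE_ID" "$SIGN_ID" "$APPLE_ID" "$KEYCHAIN_ITEM"; do
    if has_smart_punct "$v"; then
      echo "refusing to run: smart quote or dash in '$v'" >&2; return 1
    fi
  done
  out=$(xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
        --username "$APPLE_ID" --password "@keychain:$KEYCHAIN_ITEM" \
        --file "$ZIP" 2>&1) || { echo "$out" >&2; return 1; }
  uuid=$(request_uuid_from_output "$out")
  [ -n "$uuid" ] || { echo "no RequestUUID in altool output" >&2; return 1; }
  # Poll instead of waiting for the e-mail; "in progress" usually clears in minutes.
  while :; do
    info=$(xcrun altool --notarization-info "$uuid" --username "$APPLE_ID" \
           --password "@keychain:$KEYCHAIN_ITEM" 2>&1)
    case "$(notarization_status "$info")" in
      success) break ;;
      "in progress"|"") sleep 30 ;;
      *) echo "$info" >&2; return 1 ;;   # "invalid": the LogFileURL lists the reasons
    esac
  done
  # Staple the ticket to the unzipped bundle (not the zip), check it, then re-zip.
  unzip -qo "$ZIP"
  xcrun stapler staple -v "$PLUGIN"
  xcrun stapler validate "$PLUGIN"
  ditto -c -k --keepParent --rsrc "$PLUGIN" "${PLUGIN}_v$VERSION.zip"
}

# Usage: ./notarize.sh store | sign | notarize   (no argument: do nothing)
case "${1:-}" in
  store)    store_app_password ;;
  sign)     sign_and_zip ;;
  notarize) notarize_and_staple ;;
esac
```

Run `./notarize.sh store` once on the notarizing Mac, `./notarize.sh sign` on the build Mac, and `./notarize.sh notarize` on the notarizing Mac after copying the zip across. The password check is placed on the configured values rather than the option names because those values are exactly what gets pasted from a web page or a wiki; the option names are typed once in the script.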

References –

https://glyphsapp.com/learn/how-to-notarize-your-plug-ins

https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution

https://www.theverge.com/2019/10/12/20908567/apple-macos-catalina-breaking-apps-32-bit-support-how-to-prepare-avoid-update

Anmol

Software Engineer, Dancer and Filmmaker. Currently rebooting his life.
