To avoid Gatekeeper warnings, Apple wants us to sign up for an Apple Developer account ($99 a year). For my workflow, I will try to support Sierra 10.12 as the minimum system, so I build on Sierra and notarize on Catalina. Others can do all the work on a single Mac.
Register for an Apple Developer account.
Generate an app password.
- Sign in to your Apple ID account page.
- In the Security section, click Generate Password below App-Specific Passwords.
- Give the password a name such as “Software Notarization”. Take note of the password shown to you upon confirmation. Copy it to a safe place.
- In macOS Catalina’s Keychain Access app, navigate to the Login keychain and manually add a new password item (⌘N). Give it a name such as “Software Notarization” (it need not be identical to the name from the previous step). Enter your Apple ID (e-mail) as the account name, and the password generated on the Apple ID account page as the password. You will later reference this keychain item in your build script instead of hard-coding the password into your build files, which matters if you host your files in a public repository.
In the commands below, the plugin is PlugName.plugin at version 1.5.3, and the other variables are the Apple Developer account name – “Your Name” and account email – “your.email@domain.com”.
If you get the error – *** Error: code -1003 (No command was specified. Unable to run altool.) – check that your commands use plain (straight) double quotes and a double hyphen, i.e. " and --, not the typographic ” and – that web pages and word processors substitute for them.
In Sierra, using terminal –
Remove resource forks :: xattr -cr PlugName.plugin
Sign the plug-in using your Developer ID Application certificate stored in your keychain :: codesign --deep -s "Developer ID Application: Your Name" -f PlugName.plugin
Compress the plugin using ditto :: ditto -c -k --keepParent --rsrc PlugName.plugin PlugName.plugin.notarize.zip
In Catalina, in terminal –
Send the zip file to Apple for notarization :: xcrun altool --notarize-app --primary-bundle-id "PlugName" --username "your.email@domain.com" --password "@keychain:Software Notarization" --file PlugName.plugin.notarize.zip
Wait for an email from Apple telling you that the notarization succeeded. It will take about 5 mins.
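Unzip the archive that was sent for notarization :: unzip PlugName.plugin.notarize.zip
Staple the notarization ticket to the plug-in :: xcrun stapler staple -v PlugName.plugin
Compress the stapled plug-in for distribution :: ditto -c -k --keepParent --rsrc PlugName.plugin PlugName.plugin_v1.5.3.zip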
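If the commands above live in a build script, the two pitfalls mentioned earlier (typographic quotes and dashes that lead to error -1003, and a password hard-coded instead of referenced from the keychain) can be checked before the script is run or committed. This is an added example, not part of the original workflow; the function name lint_notarize_script is hypothetical, and the check accepts altool's @keychain: and @env: password references.

```shell
#!/bin/sh
# Added example: lint a notarization build script before running or committing it.
# Typographic characters, built from their UTF-8 bytes so this file stays ASCII.
EN_DASH=$(printf '\342\200\223'); EM_DASH=$(printf '\342\200\224')
LDQUO=$(printf '\342\200\234');   RDQUO=$(printf '\342\200\235')
LSQUO=$(printf '\342\200\230');   RSQUO=$(printf '\342\200\231')

# lint_notarize_script FILE  (hypothetical helper name)
# Prints one "FILE:LINE: message" per finding; returns 1 if anything was found.
lint_notarize_script() {
    file=$1 n=0 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in '#'*) continue ;; esac      # skip comment lines
        # 1. Typographic dashes or quotes: the cause of the -1003 error above.
        case $line in
            *"$EN_DASH"*|*"$EM_DASH"*|*"$LDQUO"*|*"$RDQUO"*|*"$LSQUO"*|*"$RSQUO"*)
                echo "$file:$n: typographic dash or quote, use -- and straight quotes"
                rc=1 ;;
        esac
        # 2. --password must be an @keychain: or @env: reference, never a literal.
        case $line in
            *--password*)
                arg=${line#*--password}
                while :; do                        # drop leading space, = and quotes
                    case $arg in
                        " "*|"="*|'"'*|"'"*) arg=${arg#?} ;;
                        *) break ;;
                    esac
                done
                case $arg in
                    @keychain:*|@env:*) ;;
                    *) echo "$file:$n: literal --password value, use @keychain:NAME"
                       rc=1 ;;
                esac ;;
        esac
    done < "$file"
    return $rc
}

# Stand-alone use: sh lint.sh build.sh
if [ "$#" -gt 0 ]; then lint_notarize_script "$1"; fi
```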
References –
https://glyphsapp.com/learn/how-to-notarize-your-plug-ins
https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution