12-15-2019, 10:02 AM
[ Edited 2-24-2020 with additional info ]
Thanks, Garrett, for the detailed notes on notarizing. I'd like to add a couple of additional observations.
Regarding the Code Signing Identity, I believe the setting "Mac App Distribution" is for *.pkg installers. For plugins like mine that are simply downloaded in zip archives, one should use "Developer ID Application." More great info on code signing can be found here. Here are the settings I use:
- Code Signing Identity: Developer ID Application
- Code Signing Inject Base Entitlements: Yes
- Code Signing Style: Manual
- Development Team: <my name>
- Enable Hardened Runtime: Yes
- Other Code Signing Flags: --timestamp
- Provisioning Profile: None
This blog post on Tweaking4All addresses a puzzling “resource fork, Finder information, or similar detritus not allowed” error I was getting. It was caused by resource forks in some PNG images, which were easily removed with a simple terminal command, per the link above:
$ xattr -cr <path_to_app_bundle>
Am I correct in assuming that every minor update to a plugin will need to be notarized and stapled again before releasing? I tend to release updates quickly rather than make users wait, but if we have to jump through these command-line hoops every time, I think I'll release updates less often.
Many thanks to Hot Door!