Hot Door CORE Forum
notes on notarizing for macOS 10.15 Catalina




notes on notarizing for macOS 10.15 Catalina - Rick Johnson - 12-15-2019

[ Edited 2-24-2020 with additional info ]

Thanks, Garrett, for the detailed notes on notarizing. I'd like to add a couple of additional observations.

Regarding the Code Signing Identity, I believe the setting "Mac App Distribution" is for *.pkg installers. For plugins like mine that are simply downloaded in zip archives, one should use "Developer ID Application." More great info on code signing can be found here. Here are the settings I use:

  • Code Signing Identity: Developer ID Application
  • Code Signing Inject Base Entitlements: Yes
  • Code Signing Style: Manual
  • Development Team: <my name>
  • Enable Hardened Runtime: Yes
  • Other Code Signing Flags: --timestamp
  • Provisioning Profile: None

Apple talks at length about the importance of "Hardened Runtime" but I wonder if this applies to Illustrator plugins. It seems to work either way.

This blog post on Tweaking4All addresses a puzzling “resource fork, Finder information, or similar detritus not allowed” error I was getting. It was caused by resource forks in some PNG images, which were easily removed with a simple terminal command, per the link above:

$ xattr -cr <path_to_app_bundle>

Am I correct in assuming that every minor update to a plugin will need to be notarized and stapled again before releasing? I tend to release updates quickly rather than make users wait, but if we have to jump through these command-line hoops every time, I think I'll release updates less often.

Many thanks to Hot Door!


RE: notes on notarizing for macOS 10.15 Catalina - garrett - 12-22-2019

(12-15-2019, 10:02 AM)Rick Johnson Wrote: Am I correct in assuming that every minor update to a plugin will need to be notarized and stapled again before releasing? I tend to release updates quickly rather than make users wait, but if we have to jump through these command-line hoops every time, I think I'll release updates less often.

Yes, you will need to notarize every single time you intend to release to the public.
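
Since the steps repeat for every public release, they can be wrapped in one shell function. The following is an added example, not code posted by anyone in this thread. It assumes Apple's notarytool with credentials already stored under a keychain profile; the names run, notarize_release and DRY_RUN are hypothetical, and the bundle path, signing identity and profile name are supplied by the caller.

```shell
# Added example: clean, sign, notarize and staple one plugin bundle per release.
# Assumptions: notarytool credentials are stored in a keychain profile, and
# the caller passes the bundle path, signing identity and profile name.

# Run a command, or only print it when DRY_RUN=1 (for reviewing the plan;
# the printed line is not shell-quoted).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# notarize_release BUNDLE IDENTITY PROFILE
notarize_release() {
  [ "$#" -eq 3 ] || { echo "usage: notarize_release BUNDLE IDENTITY PROFILE" >&2; return 2; }
  local bundle="${1%/}"
  local identity="$2"
  local profile="$3"
  local zip="${bundle}.zip"
  if [ "${DRY_RUN:-0}" != "1" ] && [ ! -d "$bundle" ]; then
    echo "bundle not found: $bundle" >&2; return 1
  fi

  # 1. Clear extended attributes (resource forks, Finder info) that cause
  #    the "detritus not allowed" signing error.
  run xattr -cr "$bundle" || return 1
  # 2. Sign with a secure timestamp and the hardened runtime enabled.
  run codesign --force --timestamp --options runtime --sign "$identity" "$bundle" || return 1
  # 3. Verify the signature locally before uploading anything.
  run codesign --verify --strict --verbose=2 "$bundle" || return 1
  # 4. Zip the bundle for upload.
  run ditto -c -k --keepParent "$bundle" "$zip" || return 1
  # 5. Submit to the notary service and wait for the result.
  run xcrun notarytool submit "$zip" --keychain-profile "$profile" --wait || return 1
  # 6. Staple the ticket to the bundle; this fails if no ticket was issued.
  run xcrun stapler staple "$bundle" || return 1
  run xcrun stapler validate "$bundle" || return 1
  # 7. Rebuild the zip so the download contains the stapled bundle.
  run rm -f "$zip" || return 1
  run ditto -c -k --keepParent "$bundle" "$zip"
}
```

Running it once with DRY_RUN=1 prints the nine commands in order without touching the bundle or contacting Apple.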