Dev Signing Certificate on OS 10.14

Hello, I made an audio VST/AU plugin and need to get a development signing certification.

But before I pull the trigger and pay for Apple Developer Program Membership, I want to make sure I'll be able to do the actual signing/certification process on my older computer, which is currently running 10.14 (I can go up to 10.15 max).

I looks like the process is done online, and with Keychain Access.

However, my computer might be too old to use Xcode and Apple Developer. Is that going to be an issue? Thanks.

Up vote post of GM8 Down vote post of GM8
1.6k views
Posted by
GM8
Reply
Add a Comment

Accepted Reply

The Xcode version doesn’t really matter because, if necessary, you can re-sign using the codesign tool. That tool is built in to macOS, not part of Xcode, and thus it’s the macOS version that’s key.

You will have problems using macOS 10.14 for this. Presumably you want to distribute your product independently, which means Developer ID signing, which means notarisation. The recommended tool for that, notarytool, does not run on 10.14. It should, however, run on 10.15.

IMPORTANT notarytool is bundle inside modern versions of Xcode, versions of Xcode that won’t run on 10.15. However, it’s fine to extract the tool from Xcode and copy it to 10.15. That’s a workflow we specifically support.

The other thing to watch out for is the code signing version. In macOS 11 we enhanced code signature security by switching to DER entitlements and provisioning profiles. iOS 15 — and it’s corresponding child platforms like iPadOS, tvOS, and watchOS — all require this new format. See Using the Latest Code Signature Format for the details. If you ever want to deploy to one of those platforms, you’ll need at least macOS 11.

However, AFAIK macOS does not currently require this, so you should be OK for the moment on that side.

Finally, there’s one ‘nuclear’ option: Run a modern version of macOS in a VM on your old version of macOS. It won’t be fast, but you don’t need it to be fast just to run codesign.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

The Xcode version doesn’t really matter because, if necessary, you can re-sign using the codesign tool. That tool is built in to macOS, not part of Xcode, and thus it’s the macOS version that’s key.

You will have problems using macOS 10.14 for this. Presumably you want to distribute your product independently, which means Developer ID signing, which means notarisation. The recommended tool for that, notarytool, does not run on 10.14. It should, however, run on 10.15.

IMPORTANT notarytool is bundle inside modern versions of Xcode, versions of Xcode that won’t run on 10.15. However, it’s fine to extract the tool from Xcode and copy it to 10.15. That’s a workflow we specifically support.

The other thing to watch out for is the code signing version. In macOS 11 we enhanced code signature security by switching to DER entitlements and provisioning profiles. iOS 15 — and it’s corresponding child platforms like iPadOS, tvOS, and watchOS — all require this new format. See Using the Latest Code Signature Format for the details. If you ever want to deploy to one of those platforms, you’ll need at least macOS 11.

However, AFAIK macOS does not currently require this, so you should be OK for the moment on that side.

Finally, there’s one ‘nuclear’ option: Run a modern version of macOS in a VM on your old version of macOS. It won’t be fast, but you don’t need it to be fast just to run codesign.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Thanks so much for the quick and detailed reply eskimo!

macOS is all I need for the moment, as it's intended to run on a DAW like Logic or Cubase. I just want to prevent the "cannot be opened because the developer cannot be verified" messages that's keeping away customers. It looks like you have laid out a roadmap on how I can do that, so thanks!

Posted by
GM8
Up vote reply of GM8 Down vote reply of GM8
Add a Comment

Hi Quinn, I extracted notarytool (using pacifist) and installed just that (as well as Xcode 12.4).

But it seems not to work on my current OS, 10.15.7.

I get this error error: unable execute utility "/Library/Developer/CommandLineTools/usr/bin/notarytool" because it requires a newer version of macOS.

I am, however, able to get altool to work in terminal now, so there's that. Any ideas on how to get notarytool to work? I haven't yet looked into VM.

Thanks!

Posted by
GM8
Up vote reply of GM8 Down vote reply of GM8
Add a Comment

Weird. I’ve tested this in the past and I just tested it again and it’s working for me. Specifically:

  1. On my macOS 12.5 machine, I copied notarytool to my 10.15 machine:

    % xcrun -f notarytool
/Applications/Xcode.app/Contents/Developer/usr/bin/notarytool
% scp /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool virtual-cat.local.:
…

    virtual-cat.local. stands for Virtual Catalina. And /Applications/Xcode.app is Xcode 13.4.1.

  2. On my 10.15 machine, I ran the tool:

    % sw_vers
ProductName:	Mac OS X
ProductVersion:	10.15.7
BuildVersion:	19H1519
% ./notarytool 
OVERVIEW: Manage submissions to the Apple notary service
…

  3. Just to be 100% sure, I ran an actual notarisation command:

    % ./notarytool history CCC
Successfully received submission history.
  history
    --------------------------------------------------
    createdDate: 2022-08-18T08:44:10.175Z
    id: a6968933-8fb3-4a4f-80fb-96fce6e101bf
    name: Test712463.zip
    status: Invalid
    --------------------------------------------------
…

    Here CCC is my notarisation credentials.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo

  • Trying to get notarytool running on 10.15.7 with Xcode 12.4 here and I've run into an issue with a dylib:

    ~ % /Applications/Xcode12.app/Contents/Developer/usr/bin/notarytool dyld: Library not loaded: /usr/lib/swift/libswift_Concurrency.dylib

    rgrant@mac.com
Add a Comment

You are right, and it works. Thanks Quinn!

Happy to say that notarytool runs on 10.15.7. For anyone else who is attempting this, I'll walk through my experience and hopefully that can help folks in the future.

First I'd recommend going to downloads here: https://developer.apple.com/download/all/ and downloading & installing the most recent version of Xcode that's possible to run on your OS (12.4 in my case). I think you need around 40gb of hard disk space.

To get notarytool, download Command Line Tools for Xcode (in my case, 13.4) From that file I'd use Pacifist (https://www.charlessoft.com/) to extract notarytools and install it. You could also try Quinn's method in Terminal, mentioned above. notarytool should be installed here: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool.

Open Terminal and send it to the directory that contains notarytool by entering the command cd /Applications/Xcode.app/Contents/Developer/usr/bin/

From here, you use notarytool by beginning your command with ./notarytool instead of xcrun (this last bit is why I was getting the error requires a newer version of macOS.)

Posted by
GM8
Up vote reply of GM8 Down vote reply of GM8
Add a Comment

Moved to a comment on Quinn's post

Posted by
rgrant@mac.com
Up vote reply of rgrant@mac.com Down vote reply of rgrant@mac.com
Add a Comment

Figured it out. The notarytool I tried from Xcode 14.3.1 is broken as it doesn't bundle (or hard link) the libswift_Concurrency.dylib. However copying a notarytool from Xcode 13.4.1 (as Quinn did above) works:

% ~/Desktop/notarytool 
OVERVIEW: Manage submissions to the Apple notary service

USAGE: notarytool <subcommand>

Perhaps it has been fixed in a more recent Xcode build?

Posted by
rgrant@mac.com
Up vote reply of rgrant@mac.com Down vote reply of rgrant@mac.com
Add a Comment

The notarytool I tried from Xcode 14.3.1 … doesn't bundle (or hard link) the libswift_Concurrency.dylib

Well, that’s annoying. I’d appreciate you filing a bug about that, and then posting post your bug number here, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment