Plugin compiled on macOS Catalina for R23, not working on Big Sur?



  • @r_gigante said in Plugin compiled on macOS Catalina for R23, not working on Big Sur?:

    With regard having the code running on your customers' machine I think you need to notarise (is it what you mean by sign my plugins?)

    Code Signing and Notarizing are two separate things. First you sign your plugins, then you zip them up and send the zip to apple for notarization.



  • Thanks @kbar it's clear to me, I just wanted to know what actually @fwilleke80 was meaning. And for those listening you can sign a plugin during or after the building process.

    Cheers, R



    • Can you ask your customer what "usual" security questions he answered?
    • Can you ask your customer before unpacking the zip archive, that maybe he has downloaded from an email or a website, to run $ xattr -d "com.apple.quarantine <zip archive to your plugin>"

    Ah, thanks, I'll ask him to try that!

    So, to make the plugin run on my beta testers' Macs with Bir Sur without warnings, I not only need to sign the binary, I also need to send the binary to Apple to have it notarised? Every single time I release a beta version to my testers?? 😱

    Cheers,
    Frank



  • Hm, tester days, he did the Terminal call, and he had the security warning when starting Cinema 4D (that the binary from my product is from an unknown developer, so it won't be loaded). He then opened his System Preferences >> Security & Privacy, and confirmed that the library should be loaded. But no success :-(



  • @fwilleke80 said in Plugin compiled on macOS Catalina for R23, not working on Big Sur?:

    • Can you ask your customer what "usual" security questions he answered?
    • Can you ask your customer before unpacking the zip archive, that maybe he has downloaded from an email or a website, to run $ xattr -d "com.apple.quarantine <zip archive to your plugin>"

    Ah, thanks, I'll ask him to try that!

    So, to make the plugin run on my beta testers' Macs with Bir Sur without warnings, I not only need to sign the binary, I also need to send the binary to Apple to have it notarised? Every single time I release a beta version to my testers?? 😱

    Cheers,
    Frank

    This is actually what we do in our building pipeline. My suggestion is to automate the process which, being completely terminal based, should be far from being rocket science.

    Cheers, R



  • That's what I gotta do then ;-)

    Thanks & greetings,
    Frank



  • @fwilleke80 it is what I do in my build system, for every build.

    I automated my build system using Jenkins pipelines. But you can also just write bash scripts and batch files instead, since that is effectively what I do in Jenkins anyway.

    My code is all pulled from GitHub, project tool runs, all additional 3rd party libraries are built, plugins compiled, signed, zipped up, sent to apple for notarization and then uploaded to AWS S3 and my customers can automatically down the new updates after any new build is marked as published.

    Took a while to set up but is such a time saver in the end. I can build all my plugins for every version of C4D and have them available for customers with just one click. It’s a full rebuild every single time I press the button.

    https://Jenkins.io. Then look at pipelines.



  • Thanks, that's a good tip! I'll try that out!

    By the way, @r_gigante , turns out my tester hat installed 23.008 on Big Sur, while I had compiled the plugin against 23.110... so... it works now. Thanks :-)

    Cheers,
    Frank



  • One follow-up question:

    I have followed the steps described in https://developers.maxon.net/docs/Cinema4DCPPSDK/html/page_maxonapi_dev_macos.html#page_maxonapi_dev_macos_notarization_xcodecodesigning. Created a ZIP of my plugin (using Python, but it's still a normal ZIP, with the plugin binary, res folder etc.), signed it with my certificate from apple, and uploaded it using the xcrun altool --notarize-app ...and-so-on... call. Upload successful.

    However, the plugin is never notarised, and looking into the notarisation history, it tells me:
    2020-11-27 08:44:14 +0000 b1cb2d34-a374-40b4-95d3-64a5d9e4df38 invalid 2 Package Invalid

    I saw posts on the web from people who had the same problem. They fixed it by enabling "Hardened Runtime" in their projects. I already did that, as described in the SDK docs, but the problem persists.

    Is there any way to find out what's to invalid about the package?

    Cheers,
    Frank



  • Oh wait, got it by displaying the notarisation log. The binary had no timestamp.

    After googling a bit, I fixed it by adding --timestamp=http://timestamp.apple.com/ts01 to "Other Code Signing Flags", and it was notarised successfully! :-)

    Is --timestamp=http://timestamp.apple.com/ts01 a good choice for this flag? The SDK docs just say "include a secure timestamp with your code-signing signature;", which is not too much information ;-)



  • This post is deleted!


  • @fwilleke80 Thanks for the follow-up Frank! In all the previous cases I always notarized without specifying the timestamp. I'll again and in case update the guide.

    Cheers, r



  • How did you do it without a timestamp?
    The SDK explicitly says a timestamp is needed:
    https://developers.maxon.net/docs/Cinema4DCPPSDK/html/page_maxonapi_dev_macos.html#page_maxonapi_dev_macos_notarization_preliminary

    But yes, a bit more detailed information would be appreciated ;-)



  • @fwilleke80 I think setting the hardened runtime when you code sign solves the timestamp issue. I don’t set a timestamp.

    codesign --force --options runtime --sign 'Developer ID Application: YOURCOMPANYNAME' 'sdk/plugins/yourplugin/yourplugin.xlib'



  • Ah, ok. I've got that enabled, too. I guess adding a timestamp doesn't hurt.



  • @kbar said in Plugin compiled on macOS Catalina for R23, not working on Big Sur?:

    @fwilleke80 I think setting the hardened runtime when you code sign solves the timestamp issue. I don’t set a timestamp.

    codesign --force --options runtime --sign 'Developer ID Application: YOURCOMPANYNAME' 'sdk/plugins/yourplugin/yourplugin.xlib'

    Thanks a lot Kent, for pointing this out!
    The one below is the string I use which, as said by Kent, doesn't need the timestamp because of the hardened runtime.
    codesign -f -s "Developer ID Application: <YOUR DEV ID>" --options runtime <binary file>.xlib

    Documentation updated accordingly


Log in to reply