Notarize plugin for OSX

Maybe somebody has experience with it:

What is the correct way to notarize the Rhino plugin under OSX?
I was not able to test it but as far as I know Catalina will block the plugin if it was not notarized.

I have tried to validate the plugin but I get error messages such as: no Bundle found or now info file etc.

Márton

@dan has info on that, I believe.

Hi @marton.parlagh-

You should not have to Notarize your plugin unless you are distributing your own custom installer.

If you are allowing Rhino for Mac to install using a .macrhi, Notarization should not be necessary.

If you think otherwise, please let me know. Notarization is not a road you want to go down unless you have to.

-Dan

Hello Dan,

I usually prefer the installer, but if it is really complicated I have to reconsider this. Which part is complicated, specifically to notarize the rhino plugin, or the apple notarization itself?

Márton

Hi Márton-

Sorry for the delayed reply.

What kind of installer are you considering?

This question really does not make sense, but I can fully understand why you might ask. Notarization is rather “opaque.” There is only Apple Notarization.

Notarization is a process whereby you upload your app (or installer) to Apple, they run tests on it and, if you pass, your app is whitelisted and you can “staple” a certificate to it (though you don’t have to do the stapling part; only if you want it to work in offline mode).

macOS has a feature called “Gatekeeper” which checks to see if your app is Notarized - read: “on the whitelist” and/or if it’s “stapled”.

But that just describes Notarization in crude “broad brush strokes.” The details are quite involved. The following guides from Apple go into those details:

I have found, in practice, the actual work of passing Notarization is getting code signing “just right.” The bulk of your work will be spent there.

Or you can just distribute your plugin with a .macrhi and avoid it all together.

Hello Dan,

Thanks for your answer. I have managed to notarize the plugin, it seems I have over-complicated it a bit but at the end the final process is simple.

Márton

I was incorrect about one aspect of this.

Regardless of how you distribute your plugin, if your plugin contains uses native libraries - .dylib files - that you have wrapped, you will need to code-sign and Notarize those files.

It looks like the Keyshot and Maxwell plugins are having this issue. There is a temporary (if distasteful) workaround listed in those topics.

Thanks for the info!

Márton