November 27, 2019
by Ákos Somorjai

Notarizing add-ons for macOS Catalina

When you download anything on macOS from the internet, the download mechanism adds extra info to the downloaded file (the quarantine flag, stored as an extended attribute; you can check for it with ls -lA@ [your_add-on].bundle). This informs the operating system that the downloaded file may contain malicious code, so the operating system tries to verify the identity of the developer to ensure the user’s safety. If that verification fails for some reason, ARCHICAD won’t be able to load your add-on, even though ARCHICAD 23 is set to load non-codesigned add-ons without complaining. Your users will see a dialog similar to this:

So, if you want to distribute your add-on in its pure form (i.e. a compressed .bundle) on macOS, then you’ll have to codesign and notarize your add-ons to make them work correctly on Catalina. It is also advisable to complete the process for add-ons for earlier ARCHICAD versions as well.

You’ll have to perform a similar process if you ship installers or any accompanying tool or application.

Here’s how to do it:

1. Enroll in the Apple Developer program (yes, the paid one, see this forum thread)

2. Set up the App Manager role for a developer (or add a special account with a separate email address)

3. Get your code signing identities for Developer ID: Application & Mac Developer
The easiest way to do that is to add your developer account in Xcode / Preferences / Accounts.
(I guess most of you have already done this, so I won’t go into any detail here.)

4. Prepare for notarization

Note that you don’t have to enable the hardened runtime, because it is not required for add-ons, and it’s not easy to set up the proper entitlements anyway.

More details from Apple:
Customizing the Notarization Workflow

Customizing the Xcode Archive Process

5. Install at least Xcode 10

6. Set up your keychain via Terminal

security add-generic-password -a 'AC_USERNAME' -w 'AC_secret_pass' -s 'AC_PASSWORD_HOLDER'

where:
AC_USERNAME is the email of the identity to be used for notarization (AC == App Store Connect)
AC_secret_pass is that account’s password
AC_PASSWORD_HOLDER is the name of the keychain item which stores this info (you refer to it later as @keychain:AC_PASSWORD_HOLDER).

6. Set up code signing in your project:

“Automatic”, “Team”, and “Signing Certificate: Development” are important

7. Build a release version of your add-on (it’ll be code signed automatically)

8. Add a new Aggregate target to the project, and name it ‘[your_add-on] notarized’

New Aggregate target

9. Place the enclosed notarize.sh script beside your .xcodeproj file

10. Add the following custom build settings to this target (replace ‘com.graphisoft.notarizationtest23’ with your own bundle identifier):

11. Add a new Run Script build phase, and call the downloaded notarize.sh script

# Only notarize Release builds; Debug builds are left untouched
if [[ "$CONFIGURATION" = "Release" ]]; then
  "$PROJECT_DIR"/notarize.sh
fi

12. Set the Build Configuration to ‘Release’ for this aggregate scheme

13. Select this new aggregate scheme and build it; this will send the add-on to Apple for notarization.

Please note that the process takes some time, so wait for the feedback from Apple. If all is well this will notarize the add-on bundle in place.

You can also check whether the process was successful:

codesign --test-requirement="=notarized" --verify -vvv --deep [full_path_to_your_add-on.bundle]

After this you can compress and send out the add-on bundle for distribution.
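The notarize.sh script called in step 11 is not shown on this page, so here is an added example (my own script, not the one from the original post) of what such a script does: it zips the signed bundle, uploads it with altool using the keychain item from step 6, polls until Apple returns a final status, staples the ticket to the bundle and runs the codesign check above. It assumes that AC_USERNAME, BUNDLE_ID and AC_PASSWORD_HOLDER are exported as custom build settings of the aggregate target; those setting names are my assumption, not the page's.

```shell
#!/bin/sh
# Added example of a notarize.sh for the aggregate target (not the page's script).
# Assumed build settings: AC_USERNAME, BUNDLE_ID, AC_PASSWORD_HOLDER (see step 6 and 10).
set -eu

# Pull the RequestUUID out of `altool --notarize-app` output (read from stdin).
request_uuid() {
  sed -n 's/^ *RequestUUID *= *\([0-9A-Fa-f-]*\).*/\1/p'
}

# Pull "success" / "in progress" / "invalid" out of `altool --notarization-info`
# output (read from stdin). "Status Code:" and "Status Message:" lines do not match.
request_status() {
  sed -n 's/^ *Status: *\([A-Za-z ]*[A-Za-z]\).*/\1/p'
}

notarize_bundle() {
  bundle="$1"; bundle_id="$2"; keychain_item="$3"
  zip="${bundle%.bundle}.zip"
  # ditto keeps extended attributes and the code signature intact, unlike plain zip.
  ditto -c -k --keepParent "$bundle" "$zip"
  uuid=$(xcrun altool --notarize-app --primary-bundle-id "$bundle_id" \
           --username "$AC_USERNAME" --password "@keychain:$keychain_item" \
           --file "$zip" 2>&1 | request_uuid)
  [ -n "$uuid" ] || { echo "notarize.sh: upload failed, no RequestUUID" >&2; return 1; }
  # Apple answers asynchronously; poll until the status is no longer "in progress".
  while :; do
    sleep 30
    status=$(xcrun altool --notarization-info "$uuid" \
               --username "$AC_USERNAME" --password "@keychain:$keychain_item" 2>&1 | request_status)
    case "$status" in
      "in progress") ;;
      success) break ;;
      *) echo "notarize.sh: notarization failed with status '$status'" >&2; return 1 ;;
    esac
  done
  # Staple the ticket so Gatekeeper can verify the bundle offline, then re-check in place.
  xcrun stapler staple "$bundle"
  codesign --test-requirement="=notarized" --verify -vvv --deep "$bundle"
}

# Run the real flow only when invoked from the Release build of the aggregate target.
if [ "${CONFIGURATION:-}" = "Release" ]; then
  notarize_bundle "$BUILT_PRODUCTS_DIR/$PRODUCT_NAME.bundle" "$BUNDLE_ID" "$AC_PASSWORD_HOLDER"
fi
```

The two sed helpers are what make the script robust to altool's verbose output; everything else is the sequence the page describes, automated.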