It took me a while to figure out how to properly notarize plugins for Apple devices. Now that I've finally got it, I want to document it here for myself and anyone else who may find it useful. So here's a full walkthrough from exporting from Xcode to having a packaged and notarized dmg file. Please note that to follow these steps, you must have an active Apple Developer Program membership.
(1) Export the release versions of the plugins
I use JUCE and Xcode, so what works for me is: I go to Xcode, select the version of the plugin I want to export (VST3 or AU), then make sure to select "Any Mac (Apple Silicon, Intel)" before going to Product > Archive. Then from the Organizer I Distribute Content > Built Content so that I have the plugin file itself in an accessible place.
(2) Create Developer ID Installer certificate and Developer ID Application certificate
On the Apple Developer website, developer.apple.com , create Developer ID Installer and Developer ID Application certificates. Once they are created, download and install them to your computer.
(3) Create an app-specific password for notarization
Head to appleid.apple.com and create an app-specific password for notarization. Make sure to copy this down somewhere, you'll need it for a later step. You only need to do this the first time you set up notarization on a device.
(4) Sign the plugins
Now it's time to sign the plugins themselves. Even if they were signed as part of the Xcode export, it's important to re-sign them with the proper options. Use the following command (substituting "<development team id>" and "<plugin file name >" appropriately):
codesign --force -s "Developer ID Application: <development team id>" <plugin file name> --timestamp --options runtime
Do this for each plugin individually. Also note that for whatever reason, the development team ID needs to be the whole name, not just the ten-character string. e.g. for me it would be "Dmitri Volkov (0123456789)" (that's not my 10-character string of course). If you installed the Developer ID Application certificate prproperly in step 2, you can can look up "Developer ID Application" in Keychain to see the exact string you should use.
If you get an error along the lines of "resource fork, Finder information, or similar detritus not allowed" the run
dot_clean . in the folder and try again.
(5) Create the installer dmg
Place the plugin files and aliases to the proper install locations in a folder. For AU, this is
/Library/Audio/Plug-Ins/Components . For VST3, this is
/Library/Audio/Plug-Ins/VST3 . Then open Disk Utility and use File > New Image > Image From Disk, and select the folder. Choose the "Read only" image format and the output location, then create the dmg.
(6) Set up notarizing credentials
This step stores the notarization credentials for when the notarization actually happens. It's technically possible to skip this step and use a different command later, but most resources seem to reccomend doing it this way. Another advantage is that you only need to do this step once per machine. Use the following command, substituting appropriately:
xcrun notarytool store-credentials --apple-id "<apple id email>" --team-id "<development team id>"
When it asks for a profile name, I reccomend using "notarytool" . When it asks for a password, use the app-specific password obtained in step 3. Also note that for this step, the development team id is just the 10-character string, unlike step 4.
(7) Notarize the installer!
Run the following command, substituting appropriately:
xcrun notarytool submit <installer file name> --keychain-profile "notarytool" --wait
If you chose to use a profile name other than "notarytool" in step 6, you should use that instead of "notarytool" in the command. If this goes well, you should get some text that says "accepted" or the like. If not, you can use the following command to get more info (substituting appropriately):
xcrun notarytool info <submission id> --keychain-profile "notarytool"
The submission id should have shown up when you ran the initial command, and again if you set a different profile name, you should use that instead of "notarytool."
(8) Staple the notarization
My understanding of what this does is it attaches the notarization to the file itself somehow. I guess this is technically optional, but if you don't do this whoever uses the plugin needs an internet connection to check with Apple if the plugin is actually notarized or not. But this step is very easy and straightforward, so there's really no reason not to do it. Just use the following command, substituting appropriately:
xcrun stapler staple <installer file name>
The plugin and installer should now be all set for distribtion! I like to zip the installer before sending it out to make it a bit smaller, but whatver you do now is up to you. You are in control of your own future.
Huge thanks to Sonosaurus and EyalAmir in the The Audio Programmer discord server for helping me get this figured out!updated 2022-09-30