InDesign plugin notarization for third-party plugin developers
Notarization provides confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. For more details about Apple's notarization rules and requirements, see Notarizing macOS Software Before Distribution.
To align with Apple's notarization rules, InDesign 2020 enables the hardened-runtime entitlement that allows third-party plugins to load into InDesign without being code signed. However, plugin developers typically distribute plugins over the web via installers (.pkg or .dmg), and Gatekeeper on macOS automatically quarantines any binary that is not notarized, so an un-notarized plugin installer will be blocked when users run it. For more details, see InDesign and macOS 10.15 (Catalina). Hence you need to notarize the plugin installers/binaries even though InDesign plugins themselves do not require notarization or code signing.
Certificate generation process
1. Request a certificate (Keychain Access menu > Certificate Assistant > Request a Certificate from a Certificate Authority).
2. Save the .certSigningRequest file to disk.
3. Log in to the Apple Developer portal.
4. Click Certificates, Identifiers & Profiles.
5. Choose Developer ID Application to create a new certificate.
6. Upload the .certSigningRequest file from step 1 and complete the process. Download the presented .cer to disk.
7. Choose Developer ID Installer and repeat steps 4-6.
8. Upload the same .certSigningRequest from step 1 and complete the process. Download the presented .cer to disk.
9. Double-click both downloaded .cer certificates (from steps 6 and 8) to import them into Keychain.
Notarization steps for .pkg or .dmg files
This example uses the BasicDialog sample plugin from the SDK.
```shell
# code sign the .InDesignPlugin bundle
codesign --sign "Developer ID Application: <Developer Name>" --verbose=4 --deep --force --strict BasicDialog.InDesignPlugin
# code sign verification
codesign -dv --verbose=4 BasicDialog.InDesignPlugin
# create the .pkg or .dmg by adding the code-signed .InDesignPlugin above into the package/installer
# sign your installer (.dmg or .pkg)
productsign --sign "Developer ID Installer: <Developer Name>" ./BasicDialog.pkg ./BasicDialogSigned.pkg
# installer signature verification
pkgutil --check-signature BasicDialogSigned.pkg
# send for notarization
xcrun altool --notarize-app --primary-bundle-id "com.demo.plugin" --username "firstname.lastname@example.org" --password "xxxx-xxxx-xxxx-xxxx" --file BasicDialogSigned.pkg
# check notarization status online (the --notarize-app command above prints a RequestUUID; pass it here)
xcrun altool --notarization-info <Request UID> --username "email@example.com" --password "xxxx-xxxx-xxxx-xxxx"
# staple the notarization ticket to the file for offline use (only after Status: success)
xcrun stapler staple BasicDialogSigned.pkg
# check that the staple is in place
xcrun stapler validate --verbose BasicDialogSigned.pkg
```
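The notarization and stapling steps above, scripted with the status polling that the manual commands leave out, as an added example that is not Adobe's or the SDK's code. It assumes PKG, BUNDLE_ID, APPLE_ID and APP_PASSWORD are set by the caller, and the altool output lines it parses (RequestUUID = ... and Status: ...) are quoted from constructed sample output, not from the original page.

```shell
#!/bin/sh
# Added example (not Adobe's code). Assumes PKG, BUNDLE_ID, APPLE_ID and
# APP_PASSWORD are exported by the caller; sample altool output is constructed.

# Pull the RequestUUID out of `xcrun altool --notarize-app` output read from stdin,
# e.g. "RequestUUID = 2EFE2717-52EF-43A5-96DC-0797E4CA1041" (constructed sample).
extract_request_uuid() {
  sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*=[[:space:]]*\([0-9A-Fa-f-]*\).*/\1/p' | head -n 1
}

# Pull the Status value out of `xcrun altool --notarization-info` output read from
# stdin. Matches only the "Status:" line, not "Status Code:" or "Status Message:".
# Yields "in progress", "success" or "invalid" (empty if the line is absent).
extract_status() {
  sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# Poll until the ticket leaves "in progress". Returns 0 on success, 1 otherwise.
# Stapling before the ticket is issued fails, so never staple on a non-success status.
wait_for_notarization() {
  uuid="$1"; tries=0
  while [ "$tries" -lt 30 ]; do
    status=$(xcrun altool --notarization-info "$uuid" \
               --username "$APPLE_ID" --password "$APP_PASSWORD" 2>&1 | extract_status)
    case "$status" in
      success) return 0 ;;
      "in progress"|"") sleep 30; tries=$((tries + 1)) ;;
      *) echo "notarization failed: $status (inspect LatestNotaryLog for details)" >&2; return 1 ;;
    esac
  done
  echo "timed out waiting for notarization of $uuid" >&2
  return 1
}

# Upload the signed installer, wait for the verdict, then staple and validate.
notarize_and_staple() {
  uuid=$(xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
           --username "$APPLE_ID" --password "$APP_PASSWORD" --file "$PKG" 2>&1 | extract_request_uuid)
  [ -n "$uuid" ] || { echo "upload failed: no RequestUUID in altool output" >&2; return 1; }
  wait_for_notarization "$uuid" || return 1
  xcrun stapler staple "$PKG" && xcrun stapler validate "$PKG"
}
```

Apple stopped accepting notarization uploads through altool in November 2023; on current Xcode the same flow is `xcrun notarytool submit --wait` followed by the same `xcrun stapler staple`, and only the upload and polling helpers above change.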