Currently mails are popping in asking me to update my plugins because they don’t run on Catalina anymore. Is there any documentation what to do? Some say the plugin (developer) cannot be verified (and OS will not verify its absence of malware).
1 Like
I also find this whole notarization thing confusing. My current Apple Developer account does not seem to support that so I “enrolled”. What the heck does this mean? I don’t know. And I have been waiting for the enrolment to complete for over a week now but that does not seem to be unusual. I hope notarization will be possible once I have upgraded (?) my account.
Will let you know in case I gain more insight.
In the meantime, this should be a work-around for your users:
1 Like
The following plugins slow down the start of Glyphs. Please update them, or contact the developer to improve performance.
| SpeedPunk.glyphsReporter |
This one keeps popping up and doesn’t show in the privacy window like the others.
Now, Font Spy doesn’t show as a menu item like it did before. All plugins not installed through the plugin manager are no longer there.
Everything is bought and paid for, including Glyphs App, so none of these are demo items.
Thanks for any help. I don’t get a report to send as Glyphs App is not crashing any more. It is just the plugins.
Also, I could only add two users per post but as @yanone is the developer for SpeedPunk, I think they should be included in the discussion! 
Hi everyone,
I was asked to write up a tutorial on how to notarize plugins for Glyphs, which I plan to do over the weekend.
Yes, it requires an Apple Developer account and it’s not exactly straight forward.
Plugins that are installed from sources external to Glyphs (so downloaded from a website or received by email) need to be notarized by the developer. Users can’t do anything about that unless they want to go where only developers normally go.
Plugins that Glyphs downloads (via the Plugin Manager) are exempt, I’m guessing because Glyphs itself is notarized, so Apple trusts that. (But be aware that as security screws tighten over time, we might lose this privilege at some point)
@PaperMariner I have already updated my own plugins and informed customers by email. Please log into my online shop at https://yanone.de/buy/ to download the latest version.
2 Likes
Is Font Spy still not working after doing what @TimAhrens and @yanone wrote?
I already got feedback from users that the other plugins work (for example the Variable Font Preview, which should behave the same as Font Spy).
@yanone I finally managed to go through the tutorial and put it to the test. I want to thank you a lot for this! Everything was clear. It is a superb resource. And thank you guys for having developed such a great Plugin SDK, besides the actual type design tool that GlyphsApp is, the API is my favourite playground. Hands down 
@GeorgSeifert @mekkablue
1 Like
I just tried to notarize a Python Plugin and stumbled upon some things. Maybe you can add those to the tutorial as a reference?
-
In the line
xcrun altool --notarize-app --primary-bundle-id "MyPlugin" ...before I stopped here typing it out here, there shall come the primary-bundle-id. Which one is it exactly? The bundle name in the info.plist? The className of the plugin? Can you please specify? -
xcrun altool --notarize-app --primary-bundle-id ...
threw this Error:
xcrun: error: unable to find utility "altool", not a developer tool or in PATH
The fix that I found was to select the current Xcode installation:
sudo xcode-select -s /Applications/Xcode.app
One more feedback on the notarization tutorial
I tried using the script and it works until the Stapling.py
It returned an Error, refusing to continue. But when I ran xcrun stapler staple MyPlugin.glyphsReporter (of course with the actual plugin name (which was the same as I set in the script)) directly in Terminal, it executed properly.
One Question: When I get it successfully stapled with the ticket, can I be sure that the zipped file will run on a user’s Catalina? I still sometimes get users telling me that it doesn’t work. But maybe I made sth wrong …
Sorry, overlooked that one back then. It should be the one in your Info.plist. But I usually keep them all the same anyway, so I wouldn’t notice the difference myself. 
Thank for your feedback, I just incorporated it unto the tutorial.
1 Like
I am trying to sign and notarise our plug-in in objc/swift.
I managed to get it signed up with a Developer ID Application certificate, timestamped and sent to notarisation. I’ve also received an e-mail that the notarisation succeeded.
However, when I run
spctl --assess --verbose=4 --type install “pluginpath.glyphsTool”
I got
pluginpath.glyphsTool: rejected
source=Unnotarized Developer ID
Any ideas what’s wrong / how to fix it?
Thanks.
@mekkablue @yanone @GeorgSeifert
I have an issue notarizing a plugin. The mail returned from Apple says:
“The Mac software that you uploaded was not notarized. Please review the notarization log with Xcode or altool, address the issues it shows, and upload your software again.”
…
There are some links about notarization included. Of course I read them, but my question is: How can I get the notarization log the talk about. Since I followed your tutorial, I won’t get the notarization log imported into Xcode. Do you know where that log can be found?
In the meantime I’ll try to check off all things mentioned here and hope that another try might already work then.
Thank you so much!
Check the Status of Your Request at https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow?language=objc
1 Like
I’m away from my computer over the weekend. I just looked at my own logs yesterday, but can’t recall the commands. I can help on monday.
@MartinCetkovsky, @yanone Thank you so much, guys! I’ll have a look this weened. Please, no rush, Yanone!
Looks like I can also try to implement the notarization somehow in Xcode. Will also check how that could work.
Yes, Martin pointed it out correctly: The “Check the Status of Your Request” of the link he posted shows you how. Ultimately, you want to reach the LogFileURL variable in the third step, which contains the logs.
1 Like
Thank you so much @yanone and @MartinCetkovsky. I managed to get the report.
Will have to investigate, apparently a timestamp is missing and a binary needs to be signed (I thought I signed everything, though).
Will keep you updated. Thanks so much again!
So I am struggling again 
In the logs, I tend to get
"issues": [
{
"severity": "error",
"code": null,
"path": "XYZ.glyphsReporter.notarize.zip/XYZ.glyphsReporter/Contents/MacOS/XYZ",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "XYZ.glyphsReporter.notarize.zip/XYZ.glyphsReporter/Contents/MacOS/XYZ",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
}
]
(I changed the plugin name to XYZ here in the example)
In Xcode my plugin has the Automatically Manage Signing activated and my Team is active. For Signing Certificate I tried both available options: “Sign to Run Locally” and “Development”
I get these errors with 2 plugins now and cannot finish the notarisation hence. Weirdly one other plugin works however.
Any ideas?
Also how to fix this:
It used to work
EDIT:
I made one notarization work. I revoked all the certificates and genereated new ones. Took me a while with tons of trial and errors. Finally I unchecked the “Automatically Manage Signing” after my "Manage Certificates was clean up from the errorous ones. Then it let me choose “Developer ID Application” for my Team and this seemed to work for the Apple notarization confirmation to come. Now I’ll see what the user reports …