Notarizing Adobe InDesign Plugins

Report · Apr 29, 2022

Hi,

This may possibly be a beaten down question, but somehow I am not clear about what notarization means in context of InDesign Plugins.

From the link https://helpx.adobe.com/in/indesign/kb/indesign-plugin-notarization.html, it appears that InDesign plugins need to be signed (and only signed) and the containing dmg/pkg needs to be both signed and notarized.

However, the above article seems to be confusingly worded. Specifically,

"Hence, there arises the need to notarize plugin installers/binaries even though InDesign plugins do not require any notarization or code sign."

What exactly is meant by "binaries" part in installers/binaries above? I have tried notarizing .InDesignPlugin extension files but they give error saying it is a directory and not an app.

Can I please get some clarification on this matter?

Also, I have noticed that .InDesignPlugin files get quarantined, which I believe happens if not signed. This is not necessarily due to notarization. Is that correct understanding?

Thanks,

Report · Apr 29, 2022

Hi @asaxena,

So here is what I have understood based on my experimentations.

Notarisation is done to avoid getting the file getting quaratined(which is just a file attribute) when the file is downloaded from the internet.
So if a file is not notarised it is quarantined when you download it and then all sorts of issues popup with the Gatekeeper.
InDesign plugins don't need to be signed per se(I have not been able to test it to be totally sure). Since the normal mode of transferring the file from one machine to another is via the network/browser download it gets quarantined if not notarised.
If you use something like curl to transfer the plugin from one machine to another, you should be able to run your unsigned plugin as well. Although I have not tried this due to limited availiblity of no. of MAC's to me.
Notarisation can only be done on a signed entity
So now you sign the plugin, but notarisation can't be done on folder it can only be done on pkg, dmg or zip's. So in turn you create one of these. Barring zip you again will have to sign it before notarisation and for that you use a different signing certificate.
So the crux is everything inside the pkg, dmg, zip needs to be signed. Then the pkg, dmg needs to be signed and then they are notarised to bypass the Gatekeeper check.
Signing is needed because notarisation can't proceed without it.
If you want to avoid all this rigmarole of signing/notarisation avoid using browsers to download your installers/plugins and you should be good.

I hope this makes sense. These are my personal observations/inferences, I may be wrong on some points and am all ears to someone who wants to share their story.

P.S.:- I also concur that Adobe documentation would have been more helpful if they added some more explanation or context to it.

P.P.S:- Don't try too much time understanding whether this is needed or not, because I am quite sure Apple will sooner or later make it increasingly difficult to bypass this. So it's better to sign/notarise it and get it over with

-Manan

Report · Aug 25, 2022

Hi @asaxena ,

I'm curious if you received an answer that satisfies your question. I'm running into similar confusion as to what exact steps are needed to notarize and sign multiple plug-ins that get zip'd for transfer to a customer. I've built and signed on one Mac and can use them on that Mac since they were signed using it. But when I copy them to another Mac through an internal connection, whether as plug-in or as a zip'd file containing the plug-in it complains that they aren't valid. While I've worked with InDesign plug-ins for quite a while it has primarily been using PCs and not as versed in necessary steps to do proper natorizing and signing for M1 Mac development using Xcode or command line functions. I've read the document you referenced but as you stated, "seems to be confusingly worded" and the things I've tried have not been successful.

I'm hoping you or someone else can offer a clearer step-by-step process of how to notarize and code sign plug-ins directly and/or the zip file in which they are placed for Macs in order to avoid being flagged for quarantine.

Looking forward to anyone's reply to this.

Thanks

Report · Aug 25, 2022

Hi @bprieb,

Did you read my post above? That should clear out some confusion for you, if not then list specifically what aspects are unclear/confusing to you I will see if I know the answers to it else someone else would possibly chime in.

Now regarding the steps to use, I follow the following steps and it has not troubled me so far.

Avoid using zip as the format to ship the plugins because you can't staple the notarization ticket on a zip file and if the destination computer does not have access to internet then things could go sideways.
Better is to use a dmg file instead of zip and dmg can be stapled. Use command hdutil
Codesign your plugin during build in XCode, using the Developer ID Application Certificate.
Create dmg as stated above, sample command would be

hdiutil create -srcFolder source MyPlugin.dmg

Codesign the dmg, using the Developer ID Application Certificate. Sample command below

codesign --sign "Developer ID Application: <you full id>" --timestamp ./MyPlugin.dmg

Notarize the dmg

xcrun altool --notarize-app --primary-bundle-id com.testplugin.xx --username <Username> --password <password> -f ./MyPlugin.dmg

Staple the ticket on the dmg
```
xcrun stapler staple MyPlugin.dmg
```

This should give you the dmg that you can now ship to other MAC's and it should work fine without any warnings.

-Manan

Adobe Support Community

Notarizing Adobe InDesign Plugins