No matter what https://helpx.adobe.com/in/indesign/kb/indesign-plugin-notarization.html says, it seems the DMG images cannot be processed with productsign. It gives an error, plus the documentation of productsign doesn't mention DMG files at all, plus every resource I can find suggests that DMG files should be signed with the App cert, not the Installer one, and productsign flatly refuses to accept that cert.
Did any of you successfully notarize a DMG? Or did you all go the PKG route? For twenty years or so my plugin has been simply installed by dragging it into the appropriate folder. Is this not viable any more?
(And while we're at it, if someone at Adobe could find the time to fix it, the codesign command segfaults unless --timestamp=none is also provided, at least on Catalina. The bug is discussed on the web in many places).
Besides, sorry, about codesign: the --sign argument has to be provided last on the command line. It doesn't work otherwise. macOS signing commands are full of bugs...
Codesign of my CC2019 plug-ins worked from within 10.13, Xcode 9.3, no manual step after initial setup of certs.
I'd have to dig deep for more details.
For notarisation I succeeded with a zip of several plug-ins.
Xcode 11.7, separate Catalina VM
xcrun altool --notarize-app --type osx --primary-bundle-id "com.example.id" --username "firstname.lastname@example.org" --password "xxxx-xxxx-xxxx-xxxx" --file "example.zip"
That bundle ID is from the info.plist of one plug-in.
Right now I'm experimenting; what I found is that items 4 and 5 are not required with a DMG. But the notarization still returns an invalid result.
OK. Please, Adobe, could you fix the description?
"Certification generation process"
1. Steps 7 and 8 are only required if you use a .pkg installer.
"Notarization steps for .pkg or .dmg files"
1. The timestamp=none was a false alarm, sorry. It's not needed; actually, it causes notarization to fail if included. But the --sign has to go to the end for sure. Also, please, include a small description like this:
"The string you need to pass to the --sign argument is the Common Name of the certificate you use. You don't need to copy the entire string, it's enough to include as many characters as necessary to identify it uniquely in your keychain."
2. Steps 4 and 5 are only required for .pkg files. If you have a .dmg, skip this. In the case of .dmg, you upload that for notarization in step 6.
3. You might mention in step 7 that if you receive anything but a success message, visit the LogFileURL displayed to find out the cause.
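
The DMG route described in this thread (sign the disk image with the application certificate, upload the .dmg itself, read the LogFileURL on failure), as an added example that is not code from any poster or from Adobe. The file name, identity string, polling interval, the `@env:` password form and the `altool_field` helper are assumptions; the helper expects altool's plain-text `Key: value` / `Key = value` output.

```shell
#!/bin/sh
# Added example, not from the thread. All values are placeholders.
DMG="${DMG:-example.dmg}"
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp}"  # Common Name, or a unique part of it
BUNDLE_ID="${BUNDLE_ID:-com.example.id}"
APPLE_ID="${APPLE_ID:-firstname.lastname@example.org}"
# APP_PASSWORD (app-specific password) must be exported by the caller; passing
# "@env:APP_PASSWORD" keeps the secret out of the process argument list.

# Read altool text output on stdin, print the value of one field.
# Handles "RequestUUID = ..." (upload) and "   Status: ..." (info) lines.
altool_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*[:=][[:space:]]*//p" | head -n 1
}

notarize_dmg() {
    # A .dmg is signed with codesign and the application identity, not productsign.
    # --sign is kept as the last option, as the thread recommends.
    codesign --timestamp --sign "$IDENTITY" "$DMG" || return 1

    # Upload the signed .dmg directly (no .pkg steps).
    out=$(xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
        --username "$APPLE_ID" --password "@env:APP_PASSWORD" --file "$DMG" 2>&1)
    uuid=$(printf '%s\n' "$out" | altool_field RequestUUID)
    [ -n "$uuid" ] || { printf '%s\n' "$out" >&2; return 1; }

    # Poll until the service leaves the "in progress" state.
    status="in progress"
    while [ "$status" = "in progress" ]; do
        sleep 30
        info=$(xcrun altool --notarization-info "$uuid" \
            --username "$APPLE_ID" --password "@env:APP_PASSWORD" 2>&1)
        status=$(printf '%s\n' "$info" | altool_field Status)
    done

    if [ "$status" = "success" ]; then
        xcrun stapler staple "$DMG"   # attach the ticket so Gatekeeper can verify offline
    else
        # Anything but success: the log at LogFileURL lists the rejected items.
        echo "notarization status: ${status:-unknown}" >&2
        echo "log: $(printf '%s\n' "$info" | altool_field LogFileURL)" >&2
        return 1
    fi
}

# Talks to Apple's service only when invoked as: sh notarize.sh --run
if [ "${1:-}" = "--run" ]; then notarize_dmg; fi
```

On current Xcode releases, notarization uploads go through `xcrun notarytool` rather than `altool`; the sign, submit, check log, staple sequence is unchanged.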