You’ve heard the rumours: don’t update your Mac to Catalina or your music applications won’t work. I thought that was referring to the ended support of 32-bit applications, but it turns out that wasn’t the only issue in Catalina.
Trying to install a few of my favorite VSTs to use in Reaper on a freshly installed Catalina I got this:
The problem is that Gatekeeper has become more aggressive and now also blocks VSTs. Gatekeeper is what keeps MacOS users from inadvertently launching unsigned apps downloaded from the internet. Just like in previous versions of MacOS you can make Gatekeeper allow downloaded applications by right-clicking them and then holding down shift and clicking open. This presents you with a new button named “open” that will permanently allow the application to run. Another way of doing the same thing is trying to launch an unsigned application, and when it fails go into System Preferences > Privacy & Security where the application is listed and you can “Allow anyway”.
The problem is, a VST is runnable code but it’s not an application. VSTs that come with installers normally work, but those that are just VSTs don’t. When you do a rescan of Reapers VST paths the blocked VSTs are listed in Privacy & Security but clicking “Allow anyway” does nothing. You can right-click and shift-open the VST outside of the DAW, which actually provides you with the third button labeled open, but that doesn’t help. You can go into the VST with is actually a directory, find the executable file and shift open that too – but that’s not the solution either.
The actual solution is running this in a terminal:
sudo xattr -rd com.apple.quarantine /path/to/your.vst
After doing this you will be able to re-scan your VST paths and use your.vst in Reaper. What this does is that it clears file attributes that mark downloaded files as unsafe and put in quarantine – exactly the same as when you shift open an application and click the “open” button.
I’ve seen a lot of alternative solutions including permanently disabling Gatekeeper (not recommended!) or workarounds that have to be redone after every reboot. This, the proper and ultimate solution, I found as a comment in a Reddit thread.