Problem with AAX plugins on Catalina - SUCCESS!


Post

So I've removed the AAX completely from the pkg and it Notarized OK.
Waiting to hear back from PACE, I suppose it'll be a few days...

Post

quikquak wrote: Sat Feb 22, 2020 7:51 pm So I've removed the AAX completely from the pkg and it Notarized OK.
Waiting to hear back from PACE, I suppose it'll be a few days...
Make sure your Apple signing of the AAX includes a timestamp. At least in your case it appears that is what Pace is complaining about.

In my case I have a valid notarization, valid Pace signature and valid Apple signature but it doesn’t work in Catalina. Works in Mojave but not Catalina. I’m wondering now if there is a remnant 32-bit file in the package somewhere. Not sure how to find it if there is. I’m building 64-bit only so IDK where the 32-bit issue would be if that’s what’s wrong.

Post

Are you using the latest Pace SDK? I'm guessing you are.

Post

quikquak wrote: Sat Feb 22, 2020 9:38 pm Are you using the latest Pace SDK? I'm guessing you are.
I'm using Eden Fusion dated 15 Jan 2020. I just downloaded again and got the same. If there is a later version, IDK.

Post

Fender19 wrote: Sat Feb 22, 2020 9:48 pm
quikquak wrote: Sat Feb 22, 2020 9:38 pm Are you using the latest Pace SDK? I'm guessing you are.
I'm using Eden Fusion dated 15 Jan 2020. I just downloaded again and got the same. If there is a later version, IDK.
I found the root of my problem with notarizing the AAX. It appears that the Pace signature is blocking notarization of the AAX plugin.  All other plugins in the same package (VST, VST3 and AU) come back from notarization with "source=Notarized Developer ID" but the Pace-signed AAX plugin comes back "source=Unnotarized Developer ID". 

Anyone come across this or have any idea why?
Last edited by Fender19 on Mon Feb 24, 2020 11:10 pm, edited 1 time in total.

Post

Have you asked Pace? They are always helpful to me.

Post

quikquak wrote: Mon Feb 24, 2020 9:24 pm Have you asked Pace? They are always helpful to me.
Yes - that's who actually pointed this out to me! They suggested I contact Apple (the finger pointing begins). However, IMO, this appears to be a problem with Pace. It's blocking notarization of the signature for some reason. All other plugins in the same zip come back with notarized signatures, AAX does not.

Any luck with your AAX builds?

Post

I'm maybe wasting my time, but did you actually try the exact steps I outlined? All my pkgs (VST, VST3, AU, AAX) pass notarization and all AAX plugins load, so I don't see that it's a Pace problem.
- XCode, no --timestamp flag, just sign all plugins using "Sign to run Locally"
- sign AAX with "Mac Developer" cert
- sign packages in a separate step using productsign --timestamp ("Developer ID Installer" cert)

Post

gnjp wrote: Tue Feb 25, 2020 11:27 am - sign AAX with "Mac Developer" cert
This is where confusion comes in, because using 'Mac Developer' instead of 'Developer ID Application' was causing my notarisation failures for my other plug-ins. Since January anyhoo.

Post

You aren't comparing like for like if your approach in XCode and packages signing is different. Notarization broke for my pkgs a week or two back. Removing the cert from Packages (1.2.8 (588)) and signing them separately fixed it, and AAX load ok:
productsign --timestamp --sign "Developer ID Installer: XXXX XXXX (XXXXXXX)" my.pkg my_signed.pkg

Post

gnjp wrote: Tue Feb 25, 2020 11:27 am I'm maybe wasting my time, but did you actually try the exact steps I outlined? All my pkgs (VST, VST3, AU, AAX) pass notarization and all AAX plugins load, so I don't see that it's a Pace problem.
- XCode, no --timestamp flag, just sign all plugins using "Sign to run Locally"
- sign AAX with "Mac Developer" cert
- sign packages in a separate step using productsign --timestamp ("Developer ID Installer" cert)
Wasting your time? I have spent weeks trying to get this to work using every combination, check tool and cert I have!

However, I did not (and cannot) try your exact steps for several reasons:

1) I am on Xcode 10.3, not 11. According to Apple XC 10 is all that is required. I tried to migrate my projects to 11 at one point but it was a compilation disaster so I went back to 10.3. I don't want to break everything else trying to get AAX for Catalina to work.

2) "XCode, no --timestamp flag, just sign all plugins using "Sign to run Locally"

This is flat out wrong according to Apple's documentation - why it works for YOU must be because you are signing the top level INSTALLER package and it's grabbing everything inside it.

3) I am not building installer packages - I am distributing a ZIP bundle. Per Apple instructions this requires the "Application" cert for each plugin, not the "Installer" cert for the package. There is no top-level cert for zip packages.

4) I am Pace "signing only" with the wrap tool. Is that what you are doing or are you building for full iLok support? Regardless, Eden reports the Pace signature is VALID.

5) The entire signed bundle comes back from Apple notarization with "Success", "Approved", "Ready for Distribution". However, the AAX plugin - and ONLY the AAX - fails to open on Catalina. Investigating shows that the AAX plugin ID was somehow corrupted in the process. Spctl reports "Unnotarized Developer ID" on that plugin version. How is the Apple notarization check ignoring that important little detail?!

So, how do you explain this? The only place I see a problem is with the Pace signature. Plugins WITHOUT it notarize successfully - the one WITH it does not.

Post

Just as an experiment I tried submitting my AAX plugin for notarization without the Pace signature, only the Apple Developer ID Application signature.

It notarized with a valid signature:

accepted
source=Notarized Developer ID

I then signed that same build with my Pace signature (required for Pro Tools) and submitted THAT for notarization. It also successfully completed notarization "Ready for Distribution" but upon checking with spctl the signature ID is invalid:

rejected
source=Unnotarized Developer ID

SO, my only conclusion here is that the Pace signature is BLOCKING the Apple notarization process. There is a flaw in the process and tools somewhere. I'm asking Pace why and they don't know. I've asked Apple why and they sent me to some outdated info on their website...(no help)
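
The per-bundle check this thread keeps coming back to, as an added example that is not part of any poster's message: a "Success" for the submitted archive says nothing about what Gatekeeper reports for each bundle inside it, so each one is assessed separately and its signature is checked for a secure timestamp. The `spctl -a -vvv -t install` and `codesign -dvv` invocations and the function names are assumptions; the thread does not show the exact commands the posters ran.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): assess each plugin bundle on its own.

# Map the text printed by `spctl -a -vvv -t install BUNDLE` to a verdict.
# The two "source=" strings are the ones quoted in the posts above.
classify_spctl() {
  case "$1" in
    *"source=Notarized Developer ID"*)   echo notarized ;;
    *"source=Unnotarized Developer ID"*) echo unnotarized ;;
    *)                                   echo unknown ;;
  esac
}

# Map the text printed by `codesign -dvv BUNDLE` to the timestamp state.
# A secure timestamp is shown as "Timestamp=..."; a signature made without
# one shows "Signed Time=..." instead.
classify_timestamp() {
  case "$1" in
    *Timestamp=*)     echo timestamped ;;
    *"Signed Time="*) echo no-timestamp ;;
    *)                echo unsigned-or-unknown ;;
  esac
}

# Walk a directory of unzipped plugins (macOS only) and report every bundle.
# Returns non-zero if any bundle is not reported as notarized.
check_dir() {
  local dir="$1" bundle verdict ts failed=0
  for bundle in "$dir"/*.aaxplugin "$dir"/*.vst "$dir"/*.vst3 "$dir"/*.component; do
    [ -e "$bundle" ] || continue
    verdict=$(classify_spctl "$(spctl -a -vvv -t install "$bundle" 2>&1)")
    ts=$(classify_timestamp "$(codesign -dvv "$bundle" 2>&1)")
    printf '%-12s %-20s %s\n' "$verdict" "$ts" "$bundle"
    [ "$verdict" = notarized ] || failed=1
  done
  return "$failed"
}

# Run only when given a directory and the macOS tools are present.
if [ "$#" -gt 0 ] && command -v spctl >/dev/null 2>&1; then
  check_dir "$1"
fi
```

Run it against the folder the zip was extracted into, after any PACE signing step, so the result reflects the bundles as they will actually be shipped.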

Post

I checked using a zip instead of a package.
Notarization is successful, no errors from xcrun altool --notarization-info, zip contains .aaxplugin, .vst, .vst3, .component.
But when I upload then download the zip and install in ProTools, the AAX now won't load "can’t be opened because Apple cannot check it for malicious software".
I would recommend using a package instead of zip.

Post

gnjp wrote: Wed Feb 26, 2020 12:42 am I checked using a zip instead of a package.
Notarization is successful, no errors from xcrun altool --notarization-info, zip contains .aaxplugin, .vst, .vst3, .component.
But when I upload then download the zip and install in ProTools, the AAX now won't load "can’t be opened because Apple cannot check it for malicious software".
I would recommend using a package instead of zip.
Thank you for confirming what I am reporting.

However I have fault-isolated the problem to the Pace signature and it occurs before upload/download of the finished plugin. It occurs at notarization. The Pace signature is - perhaps - doing what it is supposed to do in blocking change to the file. Unfortunately that is preventing Apple from notarizing the signature.

I will look into an installer package but was hoping to avoid the additional complications of THAT software. “Drag and drop” from zip file to desired plugin folder seems so much more streamlined. 😩

Post

BTW - Pace wrap tool has command line options for directly notarizing the plugin:

"Apple Notarization options:
If you wish to notarize your signed binary, you will need to set up the notarization prerequisites required by Apple. Then at a minimum you must provide the following arguments to wraptool: --notarize-username YOUR_APPLE_ID --notarize-password @keychain:APP_PASSWORD_ITEM_NAME"

Adding these options to the command line engages a wrap tool macro that signs, then zips, then sends the zip file off for notarization. It polls for "Success" confirmation then unzips the plugin file and staples it. Neat little tool! It said the plugin was GOOD to go.

However, checking with spctl again confirmed the "good" plugin had an "Unnotarized Developer ID" and did not work in Catalina. So whatever is at the core of the Pace command line signing process - and also the Apple notarization check system - does not seem to be working.
