macOS SDK version for M1

DSP, Plug-in and Host development discussion.
KVRAF
6463 posts since 12 Feb, 2006 from Helsinki, Finland

Post Fri Dec 18, 2020 5:30 pm

audiothing wrote:
Fri Dec 18, 2020 4:16 pm
Codesigned plugins on Big Sur seem to work fine on 10.9, but fail to load on 10.10, which doesn't make much sense. Running auvaltool on 10.10, I get this error:

code signature invalid for '/Library/Audio/Plug-Ins/Components/Wires.component/Contents/MacOS/Wires'
FATAL ERROR: OpenAComponent: result: -50,0xFFFFFFCE

However, the same exact version of auvaltool on 10.9 (!) returns AU VALIDATION SUCCEEDED.

Maybe it's a signature that isn't supported by 10.10 and therefore fails, while 10.9 might not check it at all?
Preferred pronouns would be "it/it" because according to this country, I'm a piece of human trash.

KVRAF
1609 posts since 13 Apr, 2011 from EU

Post Fri Dec 18, 2020 5:38 pm

mystran wrote:
Fri Dec 18, 2020 5:30 pm
Maybe it's a signature that isn't supported by 10.10 and therefore fails, while 10.9 might not check it at all?

I guess so. It works on 10.13 though. I'll try to check if 10.11 and 10.12 are safe as well.
AudioThing (VST, AU, AAX Plugins)
Instagram | Facebook | Twitter

KVRAF
6463 posts since 12 Feb, 2006 from Helsinki, Finland

Post Fri Dec 18, 2020 8:16 pm

Maybe it's related to https://stackoverflow.com/questions/418 ... n-a-shared and the codesign tool in Big Sur no longer uses SHA-1 even for 10.9 targets? The verbose flags (assuming it still has those) should apparently tell you what hashes it's storing.

KVRist
72 posts since 24 Dec, 2015 from Bristol, UK

Post Sat Dec 19, 2020 3:13 am

audiothing wrote:
Fri Dec 18, 2020 4:16 pm
Codesigned plugins on Big Sur seem to work fine on 10.9, but fail to load on 10.10, which doesn't make much sense.

Off the top of my head I suspect you need to apply an SHA-1 signature and then an SHA-256 signature over the top of that to make it work on 10.9 and then 10.10+.

Please report back if you get it working, I'm keen to not get stuck on Catalina due to this, I've managed to work through every other build problem Apple have thrown at me!

KVRAF
1609 posts since 13 Apr, 2011 from EU

Post Sat Dec 19, 2020 3:39 am

mystran wrote:
Fri Dec 18, 2020 8:16 pm
Maybe it's related to https://stackoverflow.com/questions/418 ... n-a-shared and the codesign tool in Big Sur no longer uses SHA-1 even for 10.9 targets? The verbose flags (assuming it still has those) should apparently tell you what hashes it's storing.

keithwood wrote:
Sat Dec 19, 2020 3:13 am
Off the top of my head I suspect you need to apply an SHA-1 signature and then an SHA-256 signature over the top of that to make it work on 10.9 and then 10.10+.

Please report back if you get it working, I'm keen to not get stuck on Catalina due to this, I've managed to work through every other build problem Apple have thrown at me!

Yes, that's it. Verifying the signatures between Mojave and Big Sur, the codesign on Big Sur (silicon at least) doesn't add sha1, while Mojave adds both sha1 and sha256.

10.9 seems to ignore the signature, so auvaltool validates the plugin
10.10 can't read sha256, so validation fails
10.11 seems to be ok, but I need to verify it properly

Now, how can we make codesign add sha1 on Big Sur (silicon)? For productsign (which has the same "issue") we used xar following the instructions in that JUCE thread that I linked earlier. Is there an alternative to codesign that we can use?

KVRist
72 posts since 24 Dec, 2015 from Bristol, UK

Post Sat Dec 19, 2020 4:43 am

audiothing wrote:
Sat Dec 19, 2020 3:39 am
Yes, that's it. Verifying the signatures between Mojave and Big Sur, the codesign on Big Sur (silicon at least) doesn't add sha1, while Mojave adds both sha1 and sha256.

10.9 seems to ignore the signature, so auvaltool validates the plugin
10.10 can't read sha256, so validation fails
10.11 seems to be ok, but I need to verify it properly

Now, how can we make codesign add sha1 on Big Sur (silicon)? For productsign (which has the same "issue") we used xar following the instructions in that JUCE thread that I linked earlier. Is there an alternative to codesign that we can use?

On Windows I do two passes against each binary (only included sign info):

signtool sign /sha1 [etc]
signtool sign /td sha256 /fd sha256 /sha1 [etc]

I would hope there's maybe a tool other than productsign which could do similar on macOS.

KVRAF
6463 posts since 12 Feb, 2006 from Helsinki, Finland

Post Sat Dec 19, 2020 11:43 am

audiothing wrote:
Sat Dec 19, 2020 3:39 am
Now, how can we make codesign add sha1 on Big Sur (silicon)? For productsign (which has the same "issue") we used xar following the instructions in that JUCE thread that I linked earlier. Is there an alternative to codesign that we can use?

No idea, but it seems that Apple has generally dropped support for SHA1 with Big Sur (and can't really blame them, since SHA1 is known to be somewhat broken). It could very well be the case that SHA1 just isn't supported by the new codesign at all anymore.

KVRAF
1609 posts since 13 Apr, 2011 from EU

Post Sat Dec 19, 2020 2:47 pm

Yeah, neither codesign nor productsign supports it anymore. So, I'm trying to figure out if there's any alternative to codesign, like xar for productsign.
If not, I see only three solutions:
1) having a Mac with Catalina (or even Big Sur but on Intel, it seems to be working...) for building everything
2) splitting the build process between a Silicon and an Intel mac (just for signing)
3) having 2 separate installers (as suggested by Apple here)

I feel like the third option, while it might be the easiest to do, will create an unnecessary amount of support tickets due to the "wrong installer".

KVRAF
1609 posts since 13 Apr, 2011 from EU

Post Sun Dec 20, 2020 8:59 am

Ok, today I noticed that the AAXs on Big Sur are still signed with both sha1 and sha256, so I tried to codesign all plugins (AU, VST, VST3, AAX) using wraptool.
And...it works! :party:
All formats have sha1 and sha256 signatures made on Big Sur, and notarization also works. I've tested a full build on 11.1, 10.14, 10.10, 10.9, and they all work!

Now, I'm not sure if it's a good idea to use wraptool for all plugins, since it also needs to connect to PACE servers every time (not sure if they like that).

The only other codesign tool I could find is this: https://github.com/zhlynn/zsign
But I can't find a way to compile it. I'm getting these errors, despite pointing g++ to the right paths:

openssl.cpp:5:10: fatal error: 'openssl/pem.h' file not found
common/common.cpp:6:10: fatal error: 'openssl/sha.h' file not found

KVRist
418 posts since 11 May, 2016 from Serbia

Post Sun Dec 20, 2020 9:40 am

Codesign actually works and has sha1 on older systems, last time I checked, but productsign is the issue. I will check if the latest Big Sur fixed that, since they have attached a bug log to this issue.

KVRAF
1609 posts since 13 Apr, 2011 from EU

Post Sun Dec 20, 2020 11:32 am

Youlean wrote:
Sun Dec 20, 2020 9:40 am
Codesign actually works and has sha1 on older systems, last time I checked, but productsign is the issue. I will check if the latest Big Sur fixed that, since they have attached a bug log to this issue.

Not here. I have been trying to codesign with all options possible, on Big Sur 11.0 and 11.1, on a MacBook Pro 13" M1. No matter what I do, I only get sha256.

I've installed Big Sur on an external drive, booted on an Intel MacBook, and now codesign correctly applies sha1 and sha256. So, it seems to be an issue only on Silicon Macs.

How are you signing your plugins?

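An added check for the two posts above comparing signatures made on Big Sur/Apple Silicon with those made on Mojave (and Big Sur on Intel). This script is not from the thread: it reads the `Hash choices=` line that `codesign -dvvv` prints and reports whether a binary carries a sha1 code directory alongside sha256. The two sample outputs are constructed, the plugin path, identifier and authority are placeholders, and the mapping from hash types to OS versions is the thread's own observation (10.10 rejects a sha256-only signature, 10.11+ accepts it), not an Apple statement.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: report which code-directory hash types a
# signed binary/bundle carries, using the "Hash choices=" line of codesign -dvvv.
# Assumptions: codesign(1) exists only on macOS; the sample outputs below are
# constructed; plugin path, identifier and authority are placeholders.
set -u

# Read codesign -dvvv output on stdin and print the "Hash choices" value
# (e.g. "sha1,sha256"), or nothing if the line is absent.
hash_choices() {
    sed -n 's/^Hash choices=//p' | head -n 1
}

# has_algo CHOICES ALGO: succeed if ALGO appears in the comma-separated list.
has_algo() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# classify CHOICES: map the hash set to the behaviour observed in the thread.
classify() {
    if has_algo "$1" sha1 && has_algo "$1" sha256; then
        echo "dual sha1+sha256: loads on 10.10 and on 10.11+"
    elif has_algo "$1" sha256; then
        echo "sha256 only: 10.11+ only, 10.10 reports 'code signature invalid'"
    elif has_algo "$1" sha1; then
        echo "sha1 only: no sha256 code directory"
    else
        echo "no Hash choices line: unsigned, or not codesign -dvvv output"
    fi
}

# check_path PATH: run codesign on a real plugin (macOS only) and classify it.
# codesign -d writes its report to stderr, hence the 2>&1.
check_path() {
    local choices
    choices="$(codesign -dvvv "$1" 2>&1 | hash_choices)"
    echo "$1: ${choices:-<none>} -> $(classify "$choices")"
}

# Constructed sample: the shape of what codesign on Big Sur/Apple Silicon produced.
SAMPLE_SILICON='Executable=/Library/Audio/Plug-Ins/Components/Example.component/Contents/MacOS/Example
Identifier=com.example.plugin
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=0000000000000000000000000000000000000000
Hash choices=sha256
Authority=Developer ID Application: Example Vendor (TEAMID)'

# Constructed sample: the shape of what codesign on Mojave (and Big Sur on Intel) produced.
SAMPLE_MOJAVE='Executable=/Library/Audio/Plug-Ins/Components/Example.component/Contents/MacOS/Example
Identifier=com.example.plugin
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=0000000000000000000000000000000000000000
CandidateCDHash sha256=0000000000000000000000000000000000000000
Hash choices=sha1,sha256
Authority=Developer ID Application: Example Vendor (TEAMID)'

# Usage: ./check_cdhash.sh /Library/Audio/Plug-Ins/Components/Plugin.component   (on macOS)
# With no argument, classify the two constructed samples instead.
if [ -n "${1:-}" ]; then
    check_path "$1"
else
    for sample in "$SAMPLE_SILICON" "$SAMPLE_MOJAVE"; do
        c="$(printf '%s\n' "$sample" | hash_choices)"
        echo "${c:-<none>} -> $(classify "$c")"
    done
fi
```

Run it against each built format before packaging: a plugin that reports `sha256` alone is the case the thread traced to 10.10 failing auval with "code signature invalid", while `sha1,sha256` matches what Mojave, Big Sur on Intel and wraptool produced.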
KVRist
418 posts since 11 May, 2016 from Serbia

Post Sun Dec 20, 2020 2:54 pm

Ah, yes, I am signing on an Intel mac here.
Just checked Big Sur 11.2 beta and productsign still has an issue. I am guessing this will never be solved, so some workaround needs to be done.

KVRAF
1609 posts since 13 Apr, 2011 from EU

Post Sun Dec 20, 2020 3:06 pm

Youlean wrote:
Sun Dec 20, 2020 2:54 pm
Ah, yes, I am signing on an Intel mac here.
Just checked Big Sur 11.2 beta and productsign still has an issue. I am guessing this will never be solved, so some workaround needs to be done.

For productsign, there is a workaround: https://forum.juce.com/t/upgraded-to-bi ... r/42812/10
I've tested it multiple times, and it works.

If we can't find an alternative to codesign, building everything on Silicon and supporting 10.9 won't be possible.

KVRian

Topic Starter

1018 posts since 2 Jul, 2018

Post Mon Dec 21, 2020 3:44 am

SHA1 is no longer safe and has been deprecated for years. You should no longer use it for security.

I don't think I'll use the above script for signing our software. Seems pretty dangerous if something goes wrong. In the worst case Apple could blacklist the certificate, because of 'hacking'.

Looks like we'll have to move the minimum system requirements to MacOS 10.11 or higher. :(
Tone2 Audiosoftware https://www.tone2.com

KVRAF
1609 posts since 13 Apr, 2011 from EU

Post Mon Dec 21, 2020 4:49 am

Markus Krause wrote:
Mon Dec 21, 2020 3:44 am
SHA1 is no longer safe and has been deprecated for years. You should no longer use it for security.

I don't think I'll use the above script for signing our software. Seems pretty dangerous if something goes wrong. In the worst case Apple could blacklist the certificate, because of 'hacking'.

Looks like we'll have to move the minimum system requirements to MacOS 10.11 or higher. :(

Nothing dangerous about that script: you can productsign and codesign with sha1 and sha256 automatically on Mojave, for example. Same if you use wraptool for binaries, it automatically adds sha1 and sha256.
Apple can't just blacklist a certificate if you are using Mojave or wraptool :)

But yeah, if we stick to productsign and codesign, and switch to a Silicon mac to build everything, the minimum system requirement will be macOS 10.12 (afaik).

I think that, for now, I'll move my build machine to Catalina, which seems to be enough to run Xcode 12 and support from 10.7 to 11.1. I'll do some tests today.
When it's time to switch the build machine to Silicon, the safest option would be to create two installers: new (10.12 to 11.x) and legacy (10.7 to 10.11).
