Problem with AAX plugins on Catalina - SUCCESS!


Post

UPDATE: SUCCESS - please read page 3 of this thread for solution

I build all of my plugins (VST, VST3, AU and AAX, all 64-bit) on Xcode 10.3 in Mojave and zip into one distribution file that I submit to Apple for notarization.
  • The plugins are all signed and timestamped in Xcode with my Apple Developer ID Application cert - and verified good with codesign post check
  • The AAX plugin is signed with Pace Eden wraptool - and verified good with Eden post check
  • The zip package containing all four plugins is notarized and UUID confirmed good with reply "Success" from Apple
  • I upload this zip file to my website server, download and unpack on OS Catalina to test.
All of the plugins work EXCEPT the AAX plugin which gives the "can't be opened because Apple cannot check it for malicious software" error. That message is then followed with, "plugin failed to load because it is not a valid 64-bit plugin"

That last message usually means the Pace signature is bad - but it WORKS on Mojave!

What could possibly be wrong here? It seems that Apple notarization has somehow messed up the Pace signature. Anyone else come across this?
Last edited by Fender19 on Fri Feb 28, 2020 4:31 pm, edited 3 times in total.

Post

What certificate are you using with wraptool? We used to have a self-signed certificate, but now we are using the Apple one and, so far :pray:, no issues.
AudioThing (VST, AU, AAX, CLAP Plugins)

Post

audiothing wrote: Thu Feb 20, 2020 10:33 pm What certificate are you using with wraptool? We used to have a self-signed certificate, but now we are using the Apple one and, so far :pray:, no issues.
I am using my Apple Developer ID Application cert - same cert I'm using to sign the VST, VST3 and AU plugins that work in Catalina.

The problem does not appear to be with certifying or notarizing in general (since the VST, VST3 and AU plugins work) - it seems the problem is with Pace, Apple or Pro Tools on Catalina.

Have you tested your AAX plugins in Pro Tools on OS Catalina? If so, how did you go about it? If you simply loaded it from a thumb drive or something, that isn't a valid test - it has to be downloaded from the internet for Gatekeeper to run the checks (AFAIK).

Post

I’m using the same configuration, and it failed to notarise recently, with nothing changed.
Looking at the history of atool, it complains about my plug-in Pkg’s not signed. I’m using ‘packages 1.2.8’ to make and sign the package, and Xcode to sign the plugins.
Bizarrely it passes the notarise if I use ‘productsign’, but the history info tells me the package is corrupt!!! So it passes a corrupt package that I can install with, which someone could exploit if they wanted to do naughty things with viruses etc.?
This is someone with a similar problem, with a bizarre fix I don’t understand:

https://forums.developer.apple.com/thread/125071

This is driving me nuts as everything is done correctly, AFAIK.

Post

quikquak wrote: Fri Feb 21, 2020 4:18 pm I’m using the same configuration, and it failed to notarise recently, with nothing changed.

This is driving me nuts as everything is done correctly, AFAIK.
Exactly the same situation here. Apple and/or Pace changed something recently. The process I used successfully a month ago is not working NOW.

What is especially frustrating, as indicated in my OP here, is that all the verification tools say everything is good!
Last edited by Fender19 on Sat Feb 22, 2020 3:46 pm, edited 2 times in total.

Post

I found these links quite useful, especially the second. One change they made was the check for a time stamp...
https://developer.apple.com/documentati ... guage=objc

Getting atool information...
https://developer.apple.com/documentati ... jc#3087732
The convoluted way to get any info back is so over complex and beardy, it’s almost comical. :roll: Why can’t they just print out the error automatically?
But no, you have to run a command that lists atool history, then run another command using the massive hex number responding to the recent try. Then you have to copy and paste a returned html link, which opens your browser to display the error returned. :nutter:
Someone on the Juce forum posted a script which displays the error after waiting for the Notarise to finish, so hats off to them and their bash skills.

Post

quikquak wrote: Fri Feb 21, 2020 9:58 pm One change they made was the check for a time stamp...

The convoluted way to get any info back is so over complex and beardy, it’s almost comical. :roll: why can’t they just print out the error automatically?
But no, you have to run a command that lists atool history, then run another command using the massive hex number responding to the recent try. Then you have to copy and paste a returned html link, which opens your browser to display the error returned.
Yes, I just added the “--timestamp” flag to my Xcode signing details. I didn’t need that a month ago but it is required now. I suspect Apple made some other changes too OR Pace has not yet caught up.

Yes, checking for a valid notarization takes too many steps. They do send the confirmation email but as I am reporting here it is not 100% reliable information. My verified signed and notarized AAX plugin does not work on Catalina!

BTW - I reported this issue to Pace. They replied that they were “aware of some issues” and requested more info which I provided. So far no reply back...

Post

I haven't got as far as testing yet. But I guess the AAX will have to be dropped for Apple if they’ve royally f**ked it up. TBH I’m close to chucking the Mac out the window as it is... :hihi:
Last edited by quikquak on Fri Feb 21, 2020 11:07 pm, edited 2 times in total.

Post

Reporting it to Pace is a great idea, their laid back approach is interesting.

By the way, if the AAX has to be made a 'hardened runtime' for Notarising, then how does the Pace sign work afterwards? Or did I read that wrong, and you don't need it 'hardened'?
Last edited by quikquak on Fri Feb 21, 2020 11:14 pm, edited 1 time in total.

Post

quikquak wrote: Fri Feb 21, 2020 10:35 pm TBH I’m close to chucking the Mac out the window as it is... :hihi:
It seems to me Apple is trying very hard to suppress everything but Apple software. Catalina has been out for half a year now and many huge industry apps - like ProTools - are still only partially compatible with it. I'd be pissed if I bought a new (very expensive) Mac and could only run PART of (very expensive) ProTools.

Post

The Protools situation surprises me. If I had just bought a shiny new £6000 Mac pro, with its lovely multi-core processor, I would be slightly miffed to say the least...

Post

quikquak wrote: Fri Feb 21, 2020 10:35 pm By the way, if the AAX has to be made a 'hardened runtime' for Notarising, then how does the Pace sign work afterwards? Or did I read that wrong, and you don't need it 'hardened'?
The latest Pace Eden SDK (Jan 2020) has a hardened runtime flag for the wraptool command line:

"If you don’t need to notarize your binary directly but plan to include it in an installer package or disk image that will be notarized, then you must sign your binary with the digital signature options required by Apple for notarization. The following wraptool option will handle setting the appropriate codesign options for you: --dsigharden "

I thought that was my problem since it was not part of the previous command line I saved for the product. I added it however it made no difference. My AAX still doesn't work in Catalina even though Pace and Apple say it's good. So I am at a total loss and have no idea what's wrong. Waiting to hear from Pace.

Post

I just updated several of my plugins and they download/install and AAX loads in Catalina without issue. The only things I see different to what is described here are that I:
- use XCode 11.3.1 in Catalina, no --timestamp flag, just using "Sign to run Locally"
- sign my packages in a separate step using productsign --timestamp ("Developer ID Installer" cert)
- sign my AAX with my "Mac Developer" cert in Pace Eden

Post

gnjp wrote: Sat Feb 22, 2020 11:18 am I just updated several of my plugins and they download/install and AAX loads in Catalina without issue. The only things I see different to what is described here are that I:
- use XCode 11.3.1 in Catalina, no --timestamp flag, just using "Sign to run Locally"
- sign my packages in a separate step using productsign --timestamp ("Developer ID Installer" cert)
- sign my AAX with my "Mac Developer" cert in Pace Eden
Yes, you are using the required timestamp in your signing process. AFAIK it was not required previously. I successfully notarized a dozen or so packages back in Dec/early January without it (I do need to check that they still work).

My problem now is only with AAX plugins. It seems that something between Pace and Apple isn’t getting along even though both signatures verify “good”. All of my other builds - VST, VST3 and AU - open and run without issue in Catalina.

Post

Someone just helped me on Juce forum, they said I should use the 'Developer ID Application' instead of 'Mac Developer' in Xcode.
This advice helped crack the VST, AU, VST3 packages anyhow:
[See attached image]
“Code Signing Identity” = Developer ID Application
And “Code Signing Style” = Manual
And “Code Signing Inject…” = No

Seems to work apart from AAX, as doing the Pace thing also removed my ID, it seems.
So, time to get Pace's Eden 5.2 or whatever is the latest. So I guess I have to email them to get the new SDK.

{
  "logFormatVersion": 1,
  "jobId": "#####################",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "UpStereoPro.pkg",
  "uploadDate": "2020-02-22T17:49:12Z",
  "sha256": "###",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "UpStereoPro.pkg/AAX.pkg Contents/Payload/Library/Application Support/Avid/Audio/Plug-ins/UpStereoPro.aaxplugin/Contents/MacOS/UpStereoPro",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "UpStereoPro.pkg/AAX.pkg Contents/Payload/Library/Application Support/Avid/Audio/Plug-ins/UpStereoPro.aaxplugin/Contents/MacOS/UpStereoPro",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "UpStereoPro.pkg/AAX.pkg Contents/Payload/Library/Application Support/Avid/Audio/Plug-ins/UpStereoPro.aaxplugin/Contents/__Pace_Eden.bundle/Contents/MacOS/__Pace_Eden",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "UpStereoPro.pkg/AAX.pkg Contents/Payload/Library/Application Support/Avid/Audio/Plug-ins/UpStereoPro.aaxplugin/Contents/__Pace_Eden.bundle/Contents/MacOS/__Pace_Eden",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}
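
Added example (not part of the thread, and not code from any poster, Apple or Pace): a short Python script that groups the errors in a notarization log like the one above by binary, which makes it easy to see that the plug-in executable and the nested __Pace_Eden bundle fail the same two checks. The sample log is constructed with placeholder names, and the hint strings are assumptions based on the signing settings discussed in this thread.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the log quoted in the thread (placeholder names).
SAMPLE_LOG = """
{
  "logFormatVersion": 1,
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "archiveFilename": "Example.pkg",
  "issues": [
    {"severity": "error", "architecture": "x86_64",
     "path": "Example.pkg/AAX.pkg Contents/Payload/Example.aaxplugin/Contents/MacOS/Example",
     "message": "The binary is not signed with a valid Developer ID certificate."},
    {"severity": "error", "architecture": "x86_64",
     "path": "Example.pkg/AAX.pkg Contents/Payload/Example.aaxplugin/Contents/MacOS/Example",
     "message": "The signature does not include a secure timestamp."},
    {"severity": "error", "architecture": "x86_64",
     "path": "Example.pkg/AAX.pkg Contents/Payload/Example.aaxplugin/Contents/__Pace_Eden.bundle/Contents/MacOS/__Pace_Eden",
     "message": "The binary is not signed with a valid Developer ID certificate."},
    {"severity": "error", "architecture": "x86_64",
     "path": "Example.pkg/AAX.pkg Contents/Payload/Example.aaxplugin/Contents/__Pace_Eden.bundle/Contents/MacOS/__Pace_Eden",
     "message": "The signature does not include a secure timestamp."}
  ]
}
"""

# Assumed hints, keyed by a substring of the log message; wording follows the thread.
HINTS = {
    "Developer ID certificate": "sign with the 'Developer ID Application' identity",
    "secure timestamp": "sign with --timestamp",
}

def summarize(log_text):
    """Return (status, {binary path inside the payload: [(message, hint), ...]})."""
    log = json.loads(log_text)
    by_binary = defaultdict(list)
    for issue in log.get("issues") or []:  # "issues" can be null when nothing is wrong
        if issue.get("severity") != "error":
            continue
        # Drop the installer-package prefix so nested bundles stand out.
        binary = issue["path"].split("/Payload/", 1)[-1]
        hint = next((h for k, h in HINTS.items() if k in issue["message"]), "see message")
        by_binary[binary].append((issue["message"], hint))
    return log.get("status"), dict(by_binary)

def report(log_text):
    """Render the grouped issues as indented text, one binary per block."""
    status, by_binary = summarize(log_text)
    lines = [f"status: {status}"]
    for binary, problems in sorted(by_binary.items()):
        lines.append(binary)
        lines.extend(f"  - {msg} -> {hint}" for msg, hint in problems)
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```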