Problem with AAX plugins on Catalina - SUCCESS!
-
- KVRist
- 210 posts since 11 Feb, 2006
Try using a dmg instead of a zip, you retain the same functionality, plus you can staple the dmg instead of the plugins. You can zip the dmg for the server.
The following steps worked in Catalina:
- Sign AAX with "Developer ID Application: XXX" and --dsigharden
- Sign other plugs with: codesign --timestamp --deep -s "Developer ID Application: XXX" -f XXX.component/vst/vst3
I did this separately from Xcode, but it could be done with Xcode.
- Create dmg: hdiutil create -volname XXX -srcfolder ./XXX-Plugs -ov -format UDZO ./XXX.dmg
- Sign dmg: codesign -s "Developer ID Application: XXX" ./XXX.dmg
- Notarize: xcrun altool --notarize-app --primary-bundle-id "xxx" --username "xxx" --password "xxx" --asc-provider "xxx" --file ./XXX.dmg
- Staple dmg: xcrun stapler staple ./XXX.dmg
- Apply the quarantine flag to dmg: xattr -w com.apple.quarantine ./XXX.dmg
- Launch dmg, install AAX in Pro Tools - launches successfully
Check:
spctl -a -t open --context context:primary-signature -v /XX/XX/XX.aaxplugin
/XX/XX/XX.aaxplugin: accepted
source=Notarized Developer ID
origin=Developer ID Application: XXX
Last edited by gnjp on Wed Feb 26, 2020 4:53 pm, edited 1 time in total.
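Added example, not part of the original posts: a small release gate that parses the output of the spctl check shown above and passes only when the verdict is "accepted" and the source is "Notarized Developer ID". The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Reads the text printed by `spctl -a ... -v` on stdin.
# Returns 0 only for "accepted" AND "source=Notarized Developer ID".
gatekeeper_verdict() {
    accepted=no
    source_line=
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *": accepted") accepted=yes ;;
            source=*)      source_line=${line#source=} ;;
        esac
    done
    if [ "$accepted" = yes ] && [ "$source_line" = "Notarized Developer ID" ]; then
        echo "PASS: $source_line"
        return 0
    fi
    echo "FAIL: accepted=$accepted source=${source_line:-none}"
    return 1
}

# Run the thread's check against a real file (macOS only).
# 2>&1 captures the verdict whichever stream spctl prints it on.
check_artifact() {
    spctl -a -t open --context context:primary-signature -v "$1" 2>&1 |
        gatekeeper_verdict
}

# Constructed sample outputs so the parser can be exercised offline.
SAMPLE_OK='./XX.dmg: accepted
source=Notarized Developer ID
origin=Developer ID Application: XXX'

SAMPLE_UNNOTARIZED='./XX.aaxplugin: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: XXX'

# Signed and accepted, but the source line does not say "Notarized".
SAMPLE_SIGNED_ONLY='./XX.dmg: accepted
source=Developer ID
origin=Developer ID Application: XXX'
```

On a Mac, `check_artifact ./XXX.dmg` after stapling, and again on the plugin after it has been copied out of the mounted dmg, gives a pass/fail exit status that a build script can act on.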
-
- KVRian
- Topic Starter
- 626 posts since 30 Aug, 2012
Thank you VERY much for this - I will give it a go!
gnjp wrote: ↑Wed Feb 26, 2020 3:31 pm
Try using a dmg instead of a zip, you retain the same functionality, plus you can staple the dmg instead of the plugins. You can zip the dmg for the server.
The following steps worked in Catalina:
- Sign AAX with "Developer ID Application: XXX" and --dsigharden
- Sign other plugs with: codesign --timestamp --deep -s "Developer ID Application: XXX" -f XXX.component/vst/vst3
I did this separately of XCode, but could be done with XCode.
- Create dmg: hdiutil create -volname XXX -srcfolder ./XXX-Plugs -ov -format UDZO ./XXX.dmg
- Sign dmg: codesign -s "Developer ID Application: XXX" ./XXX.dmg
- Notarize: xcrun altool --notarize-app --primary-bundle-id "xxx" --username "xxx" --password "xxx" --asc-provider "xxx" --file ./XXX.dmg
- Staple dmg: xcrun stapler staple ./XXX.dmg
- Apply the quarantine flag to dmg: xattr -w com.apple.quarantine ./XXX.dmg
- Launch dmg, install AAX in Pro Tools - launches successfully
Check:
spctl -a -vv -t install /XX/XX/XX.aaxplugin
/XX/XX/XX.aaxplugin: accepted
source=Notarized Developer ID
origin=Developer ID Application: XXX
Couple of questions about "dmg":
1) shouldn't the dmg be signed with an "Installer" cert? You are using the "Application" cert for all steps?
2) double clicking the dmg will install all of the plugins in the package, right? What is controlling WHERE they get installed and what if a user only wants AAX installed, for example?
-
- KVRist
- 210 posts since 11 Feb, 2006
See https://forums.developer.apple.com/thread/125145
Also, the correct way to verify dmg: spctl -a -t open --context context:primary-signature -v ./XX.dmg
./XX.dmg: accepted
source=Notarized Developer ID
-
- KVRist
- 210 posts since 11 Feb, 2006
A dmg is just a disk container, like a mounted zip; it will just open up, nothing is run like an installer.
Functionality is identical to distributing a zip, user has to drag and drop plugins to the correct folder.
-
- KVRian
- Topic Starter
- 626 posts since 30 Aug, 2012
Ah, thank you. I was confused thinking ".pkg". (I don't spend much time on Mac)
-
- KVRian
- Topic Starter
- 626 posts since 30 Aug, 2012
YES! IT WORKS! Thank you gnjp! "DMG" was the key.
gnjp wrote: ↑Wed Feb 26, 2020 3:31 pm
Try using a dmg instead of a zip, you retain the same functionality, plus you can staple the dmg instead of the plugins. You can zip the dmg for the server.
The following steps worked in Catalina:
- Sign AAX with "Developer ID Application: XXX" and --dsigharden
- Sign other plugs with: codesign --timestamp --deep -s "Developer ID Application: XXX" -f XXX.component/vst/vst3
I did this separately of XCode, but could be done with XCode.
- Create dmg: hdiutil create -volname XXX -srcfolder ./XXX-Plugs -ov -format UDZO ./XXX.dmg
- Sign dmg: codesign -s "Developer ID Application: XXX" ./XXX.dmg
- Notarize: xcrun altool --notarize-app --primary-bundle-id "xxx" --username "xxx" --password "xxx" --asc-provider "xxx" --file ./XXX.dmg
- Staple dmg: xcrun stapler staple ./XXX.dmg
- Apply the quarantine flag to dmg: xattr -w com.apple.quarantine ./XXX.dmg
- Launch dmg, install AAX in Pro Tools - launches successfully
Check:
spctl -a -t open --context context:primary-signature -v /XX/XX/XX.aaxplugin
/XX/XX/XX.aaxplugin: accepted
source=Notarized Developer ID
origin=Developer ID Application: XXX
So - apparently Pace signatures and notarization via "zip" process do not get along. That means at least two things are broken: 1) the Pace command line options for wrap tool (which uses a zip process to submit the plugin for notarization) and 2) the Apple notarization system itself which can return FALSE "Ready for Distribution" status when in fact an executable in the package has an Unnotarized ID and will be rejected by Catalina.
I don't know where to begin with the bug reports. It is frustrating that the people running the show (Pace and Apple) don't seem to know these things.
BTW - I did not use the "--dsigharden" option in the Pace signing command, nor did I use Hardened Runtime option in Xcode and it worked regardless. Seems these are other broken/don't do anything functions as well - or maybe not required for plugins (but maybe for installers, IDK).
- KVRian
- 872 posts since 6 Aug, 2005 from England
The 'hardened runtime' thing may be phased in as necessary by Apple at some point.
Isn't it a good idea anyway?
https://developer.apple.com/documentati ... ed_runtime
Last edited by quikquak on Fri Feb 28, 2020 5:48 pm, edited 1 time in total.
Dave Hoskins. http://www.quikquak.com
-
- KVRian
- Topic Starter
- 626 posts since 30 Aug, 2012
Could be but I'm afraid to mess with anything else right now! All I know is that I didn't need it TODAY. Will add it in to see if it breaks anything, JIC.
quikquak wrote: ↑Fri Feb 28, 2020 4:34 pm
The 'hardened runtime' thing may be phased in as necessary by Apple at some point.
Isn't it a good idea anyway?
https://developer.apple.com/documentati ... ed_runtime