Problem with AAX plugins on Catalina - SUCCESS!

Post

Try using a dmg instead of a zip, you retain the same functionality, plus you can staple the dmg instead of the plugins. You can zip the dmg for the server.
The following steps worked in Catalina:

- Sign AAX with "Developer ID Application: XXX" and --dsigharden
- Sign other plugs with: codesign --timestamp --deep -s "Developer ID Application: XXX" -f XXX.component/vst/vst3
I did this separately from Xcode, but it could be done with Xcode.
- Create dmg: hdiutil create -volname XXX -srcfolder ./XXX-Plugs -ov -format UDZO ./XXX.dmg
- Sign dmg: codesign -s "Developer ID Application: XXX" ./XXX.dmg
- Notarize: xcrun altool --notarize-app --primary-bundle-id "xxx" --username "xxx" --password "xxx" --asc-provider "xxx" --file ./XXX.dmg
- Staple dmg: xcrun stapler staple ./XXX.dmg
- Apply the quarantine flag to dmg: xattr -w com.apple.quarantine ./XXX.dmg
- Launch dmg, install AAX in Pro Tools - launches successfully

Check:
spctl -a -t open --context context:primary-signature -v /XX/XX/XX.aaxplugin
/XX/XX/XX.aaxplugin: accepted
source=Notarized Developer ID
origin=Developer ID Application: XXX
Last edited by gnjp on Wed Feb 26, 2020 4:53 pm, edited 1 time in total.

Post

gnjp wrote: Wed Feb 26, 2020 3:31 pm
Try using a dmg instead of a zip, you retain the same functionality, plus you can staple the dmg instead of the plugins. You can zip the dmg for the server.
The following steps worked in Catalina:

- Sign AAX with "Developer ID Application: XXX" and --dsigharden
- Sign other plugs with: codesign --timestamp --deep -s "Developer ID Application: XXX" -f XXX.component/vst/vst3
I did this separately from Xcode, but it could be done with Xcode.
- Create dmg: hdiutil create -volname XXX -srcfolder ./XXX-Plugs -ov -format UDZO ./XXX.dmg
- Sign dmg: codesign -s "Developer ID Application: XXX" ./XXX.dmg
- Notarize: xcrun altool --notarize-app --primary-bundle-id "xxx" --username "xxx" --password "xxx" --asc-provider "xxx" --file ./XXX.dmg
- Staple dmg: xcrun stapler staple ./XXX.dmg
- Apply the quarantine flag to dmg: xattr -w com.apple.quarantine ./XXX.dmg
- Launch dmg, install AAX in Pro Tools - launches successfully

Check:
spctl -a -vv -t install /XX/XX/XX.aaxplugin
/XX/XX/XX.aaxplugin: accepted
source=Notarized Developer ID
origin=Developer ID Application: XXX

Thank you VERY much for this - I will give it a go!

Couple of questions about "dmg":
1) shouldn't the dmg be signed with an "Installer" cert? You are using the "Application" cert for all steps?
2) double clicking the dmg will install all of the plugins in the package, right? What is controlling WHERE they get installed and what if a user only wants AAX installed, for example?

Post

See https://forums.developer.apple.com/thread/125145
Also, the correct way to verify dmg: spctl -a -t open --context context:primary-signature -v ./XX.dmg
./XX.dmg: accepted
source=Notarized Developer ID

Post

A dmg is just a disk container, like a mounted zip; it will just open up, and nothing is run like an installer.
Functionality is identical to distributing a zip; the user has to drag and drop plugins to the correct folder.

Post

gnjp wrote: Wed Feb 26, 2020 4:55 pm
A dmg is just a disk container, like a mounted zip; it will just open up, and nothing is run like an installer.
Functionality is identical to distributing a zip; the user has to drag and drop plugins to the correct folder.

Ah, thank you. I was confused thinking ".pkg". (I don't spend much time on Mac :roll: )

Post

gnjp wrote: Wed Feb 26, 2020 3:31 pm
Try using a dmg instead of a zip, you retain the same functionality, plus you can staple the dmg instead of the plugins. You can zip the dmg for the server.
The following steps worked in Catalina:

- Sign AAX with "Developer ID Application: XXX" and --dsigharden
- Sign other plugs with: codesign --timestamp --deep -s "Developer ID Application: XXX" -f XXX.component/vst/vst3
I did this separately from Xcode, but it could be done with Xcode.
- Create dmg: hdiutil create -volname XXX -srcfolder ./XXX-Plugs -ov -format UDZO ./XXX.dmg
- Sign dmg: codesign -s "Developer ID Application: XXX" ./XXX.dmg
- Notarize: xcrun altool --notarize-app --primary-bundle-id "xxx" --username "xxx" --password "xxx" --asc-provider "xxx" --file ./XXX.dmg
- Staple dmg: xcrun stapler staple ./XXX.dmg
- Apply the quarantine flag to dmg: xattr -w com.apple.quarantine ./XXX.dmg
- Launch dmg, install AAX in Pro Tools - launches successfully

Check:
spctl -a -t open --context context:primary-signature -v /XX/XX/XX.aaxplugin
/XX/XX/XX.aaxplugin: accepted
source=Notarized Developer ID
origin=Developer ID Application: XXX

YES! IT WORKS! Thank you gnjp! "DMG" was the key.

So - apparently Pace signatures and notarization via "zip" process do not get along. That means at least two things are broken: 1) the Pace command line options for wrap tool (which uses a zip process to submit the plugin for notarization) and 2) the Apple notarization system itself which can return FALSE "Ready for Distribution" status when in fact an executable in the package has an Unnotarized ID and will be rejected by Catalina.

I don't know where to begin with the bug reports. It is frustrating that the people running the show (Pace and Apple) don't seem to know these things.

BTW - I did not use the "--dsigharden" option in the Pace signing command, nor did I use Hardened Runtime option in Xcode and it worked regardless. Seems these are other broken/don't do anything functions as well - or maybe not required for plugins (but maybe for installers, IDK).

:D
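
Added example, not part of any post in this thread: a release gate built on the spctl check gnjp posted and on the observation above that a "Ready for Distribution" status does not guarantee that every bundled plugin passes Gatekeeper. The function names and the sample outputs are assumptions constructed for illustration; the spctl invocation is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): gate a release on spctl's verdict.

# Read `spctl -a -v` output on stdin; print notarized, not-notarized or unknown.
classify_assessment() (
    verdict="" src=""
    while IFS= read -r line; do
        case "$line" in
            source=*)      src=${line#source=} ;;
            *": accepted") verdict=accepted ;;
            *": rejected") verdict=rejected ;;
        esac
    done
    if [ -z "$verdict" ]; then
        echo unknown          # no assessment line at all (tool error, bad path)
    elif [ "$verdict" = accepted ] && [ "$src" = "Notarized Developer ID" ]; then
        echo notarized
    else
        echo not-notarized    # rejected, or accepted from a non-notarized source
    fi
)

# Assess every path given (the dmg AND each plugin inside it) with the command
# from the thread. Returns 1 if any path is not reported as notarized.
# macOS only; spctl writes its assessment to stderr, hence 2>&1.
gate_paths() {
    rc=0
    for p in "$@"; do
        state=$(spctl -a -t open --context context:primary-signature -v "$p" 2>&1 \
                | classify_assessment)
        printf '%s\t%s\n' "$state" "$p"
        [ "$state" = notarized ] || rc=1
    done
    return "$rc"
}

# Constructed sample outputs: the accepted case mirrors the thread's "Check"
# output; the rejected case is a constructed illustration of a failing plugin.
sample_ok() {
    printf '%s\n' '/XX/XX/XX.aaxplugin: accepted' \
        'source=Notarized Developer ID' 'origin=Developer ID Application: XXX'
}
sample_bad() {
    printf '%s\n' '/XX/XX/XX.aaxplugin: rejected' 'source=Unnotarized Developer ID'
}

# Usage on macOS: sh gate.sh ./XXX.dmg /Volumes/XXX/XXX.aaxplugin
if [ "$#" -gt 0 ]; then gate_paths "$@"; fi
```

Running the gate against the mounted plugin bundles as well as the dmg is what catches the case described above, where the submission is reported as ready but an executable inside is still rejected.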

Post

:tu: :tu: :tu:
The 'hardened runtime' thing may be phased in as necessary by Apple at some point.
Isn't it a good idea anyway?
https://developer.apple.com/documentati ... ed_runtime
Last edited by quikquak on Fri Feb 28, 2020 5:48 pm, edited 1 time in total.

Post

quikquak wrote: Fri Feb 28, 2020 4:34 pm
:tu: :tu: :tu:
The 'hardened runtime' thing may be phased in as necessary by Apple at some point.
Isn't it a good idea anyway?
https://developer.apple.com/documentati ... ed_runtime

Could be but I'm afraid to mess with anything else right now! All I know is that I didn't need it TODAY. Will add it in to see if it breaks anything, JIC.
