macOS SDK version for M1

DSP, Plugin and Host development discussion.

Post

audiothing wrote: Sat Dec 19, 2020 12:16 am Codesigned plugins on Big Sur seem to work fine on 10.9, but fail to load on 10.10, which doesn't make much sense. Running auvaltool on 10.10, I get this error:

Code:

code signature invalid for '/Library/Audio/Plug-Ins/Components/Wires.component/Contents/MacOS/Wires'
FATAL ERROR: OpenAComponent: result: -50,0xFFFFFFCE
However, the same exact version of auvaltool on 10.9 (!) returns AU VALIDATION SUCCEEDED.
Maybe it's a signature that isn't supported by 10.10 and therefore fails, while 10.9 might not check it at all?

Post

mystran wrote: Sat Dec 19, 2020 1:30 am Maybe it's a signature that isn't supported by 10.10 and therefore fails, while 10.9 might not check it at all?
I guess so. It works on 10.13 though. I'll try to check if 10.11 and 10.12 are safe as well.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

Maybe it's related to https://stackoverflow.com/questions/418 ... n-a-shared and the codesign tool in Big Sur no longer uses SHA-1 even for 10.9 targets? The verbose flags (assuming it still has those) should apparently tell you what hashes it's storing..

Post

audiothing wrote: Sat Dec 19, 2020 12:16 am Codesigned plugins on Big Sur seem to work fine on 10.9, but fail to load on 10.10, which doesn't make much sense.
Off the top of my head I suspect you need to apply an SHA-1 signature and then an SHA-256 signature over the top of that to make it work on 10.9 and then 10.10+.

Please report back if you get it working, I'm keen to not get stuck on Catalina due to this, I've managed to work through every other build problem Apple have thrown at me!

Post

mystran wrote: Sat Dec 19, 2020 4:16 am Maybe it's related to https://stackoverflow.com/questions/418 ... n-a-shared and the codesign tool in Big Sur no longer uses SHA-1 even for 10.9 targets? The verbose flags (assuming it still has those) should apparently tell you what hashes it's storing..
keithwood wrote: Sat Dec 19, 2020 11:13 am Off the top of my head I suspect you need to apply an SHA-1 signature and then an SHA-256 signature over the top of that to make it work on 10.9 and then 10.10+.

Please report back if you get it working, I'm keen to not get stuck on Catalina due to this, I've managed to work through every other build problem Apple have thrown at me!
Yes, that's it. Verifying the signatures between Mojave and Big Sur, the codesign on Big Sur (silicon at least) doesn't add sha1, while Mojave adds both sha1 and sha256.

10.9 seems to ignore the signature, so auvaltool validates the plugin
10.10 can't read sha256, so validation fails
10.11 seems to be ok, but I need to verify it properly

Now, how can we make codesign add sha1 on Big Sur (silicon)? For productsign (which has the same "issue") we used xar following the instructions in that juce thread that I linked earlier. Is there an alternative to codesign that we can use?
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server
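
A way to run the comparison described in the post above across a whole build, as an added example that is not code from the thread or from Apple: it classifies the digest list printed by `codesign -d --verbose=4`. The function names and sample text are constructed for illustration, and it assumes the display output contains the `Hash choices=` or `Hash type=` lines.

```shell
#!/bin/sh
# Added example: classify which CodeDirectory digests a signature carries,
# from the text that `codesign -d --verbose=4 <bundle>` prints.

# Constructed sample output (hash values are placeholders, not real).
SAMPLE_DUAL='Identifier=com.example.Plugin
Hash type=sha256 size=32
CandidateCDHash sha1=<placeholder>
CandidateCDHash sha256=<placeholder>
Hash choices=sha1,sha256'
SAMPLE_SHA256_ONLY='Identifier=com.example.Plugin
Hash type=sha256 size=32
CandidateCDHash sha256=<placeholder>
Hash choices=sha256'

# Read codesign display output on stdin and print the digest list.
# Falls back to "Hash type=" if no "Hash choices=" line is present.
hash_choices() {
    awk -F= '
        /^Hash choices=/ { choices = $2 }
        /^Hash type=/    { split($2, a, " "); single = a[1] }
        END { print (choices != "" ? choices : single) }'
}

# has_digest NAME LIST: true if NAME is in the comma-separated LIST.
has_digest() {
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# Read codesign display output on stdin and print one verdict word.
classify() {
    choices=$(hash_choices)
    if [ -z "$choices" ]; then echo "no-signature-info"
    elif has_digest sha1 "$choices" && has_digest sha256 "$choices"; then echo "sha1+sha256"
    elif has_digest sha1 "$choices"; then echo "sha1-only"
    elif has_digest sha256 "$choices"; then echo "sha256-only"  # failed on 10.10 in the thread
    else echo "other:$choices"
    fi
}

# audit_bundle PATH: run the real tool (macOS only); it prints on stderr.
audit_bundle() {
    codesign -d --verbose=4 "$1" 2>&1 | classify
}

# Usage: sh audit.sh Foo.component Bar.vst3
for bundle in "$@"; do
    printf '%s: %s\n' "$bundle" "$(audit_bundle "$bundle")"
done
```

Run against every plugin bundle before packaging, a `sha256-only` verdict flags a build that, going by the results reported in this thread, will not validate on 10.10.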

Post

audiothing wrote: Sat Dec 19, 2020 11:39 am Yes, that's it. Verifying the signatures between Mojave and Big Sur, the codesign on Big Sur (silicon at least) doesn't add sha1, while Mojave adds both sha1 and sha256.

10.9 seems to ignore the signature, so auvaltool validates the plugin
10.10 can't read sha256, so validation fails
10.11 seems to be ok, but I need to verify it properly

Now, how can we make codesign add sha1 on Big Sur (silicon)? For productsign (which has the same "issue") we used xar following the instructions in that juce thread that I linked earlier. Is there an alternative to codesign that we can use?
On Windows I do two passes against each binary (only included sign info):

Code:

signtool sign /sha1 [etc] 
signtool sign /td sha256 /fd sha256 /sha1 [etc]
I would hope there's maybe a tool other than productsign which could do similar on macOS.

Post

audiothing wrote: Sat Dec 19, 2020 11:39 am Now, how can we make codesign add sha1 on Big Sur (silicon)? For productsign (which has the same "issue") we used xar following the instructions in that juce thread that I linked earlier. Is there an alternative to codesign that we can use?
No idea, but it seems that Apple has generally dropped support for SHA1 with Big Sur (and can't really blame them, since SHA1 is known to be somewhat broken). It could very well be the case that SHA1 just isn't supported by the new codesign at all anymore.

Post

Yeah, both codesign and productsign don't support it anymore. So, I'm trying to figure out if there's any alternative to codesign like xar for productsign.
If not, I see only three solutions:
1) having a Mac with Catalina (or even Big Sur but on Intel, it seems to be working...) for building everything
2) splitting the build process between a Silicon and an Intel mac (just for signing)
3) having 2 separate installers (as suggested by Apple here)

I feel like the third option, while it might be the easiest to do, will create an unnecessary amount of support tickets due to the "wrong installer".
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

Ok, today I noticed that the AAXs on Big Sur are still signed with both sha1 and sha256, so I tried to code sign using wraptool all plugins (AU, VST, VST3, AAX).
And...it works! :party:
All formats have sha1 and sha256 signatures made on Big Sur, notarization also works. I've tested a full build on 11.1, 10.14, 10.10, 10.9, and they all work!

Now, I'm not sure if it's a good idea to use wraptool for all plugins, since it also needs to connect to PACE servers every time (not sure if they like that).

The only other codesign tool I could find is this: https://github.com/zhlynn/zsign
But I can't find a way to compile it. I'm getting these errors, despite pointing g++ to the right paths:
openssl.cpp:5:10: fatal error: 'openssl/pem.h' file not found
common/common.cpp:6:10: fatal error: 'openssl/sha.h' file not found
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

Codesign actually works and it has sha1 on older systems last time I checked, but productsign is the issue. I will check if the latest Big Sur fixed that since they have attached a bug log to this issue.

Post

Youlean wrote: Sun Dec 20, 2020 5:40 pm Codesign actually works and it has sha1 on older systems last time I checked, but productsign is the issue. I will check if the latest Big Sur fixed that since they have attached a bug log to this issue.
Not here. I have been trying to codesign with all options possible, on Big Sur 11.0 and 11.1, on a MacBook Pro 13" M1. No matter what I do, I only get sha256.

I've installed Big Sur on an external drive, booted on an Intel MacBook, and now codesign correctly applies sha1 and sha256. So, it seems to be an issue only on Silicon Macs.

How are you signing your plugins?
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

Ah, yes, I am signing on an Intel mac here.
Just checked Big Sur 11.2 beta and productsign still has an issue. I am guessing this will never be solved, so some workaround needs to be done.

Post

Youlean wrote: Sun Dec 20, 2020 10:54 pm Ah, yes, I am signing on an Intel mac here.
Just checked Big Sur 11.2 beta and productsign still has an issue. I am guessing this will never be solved, so some workaround needs to be done.
For productsign, there is a workaround: https://forum.juce.com/t/upgraded-to-bi ... r/42812/10
I've tested it multiple times, and it works.

If we can't find an alternative to codesign, building everything on Silicon and supporting 10.9 won't be possible.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

SHA1 is no longer safe and has been deprecated for years. You should no longer use it for security.

I don't think I'll use the above script for signing our software. Seems to be pretty dangerous that something goes wrong. In the worst case Apple could blacklist the certificate, because of 'hacking'.

Looks like we'll have to move the minimum system requirements to MacOS 10.11 or higher. :(

Post

Markus Krause wrote: Mon Dec 21, 2020 11:44 am SHA1 is no longer safe and has been deprecated for years. You should no longer use it for security.

I don't think I'll use the above script for signing our software. Seems to be pretty dangerous that something goes wrong. In the worst case Apple could blacklist the certificate, because of 'hacking'.

Looks like we'll have to move the minimum system requirements to MacOS 10.11 or higher. :(
Nothing dangerous about that script, you can productsign and codesign with sha1 and sha256 automatically on Mojave for example. Same if you use wraptool for binaries, it automatically adds sha1 and sha256.
Apple can't just blacklist a certificate if you are using Mojave or wraptool :)

But yeah, if we stick to productsign and codesign, and switch to a Silicon mac to build everything, the minimum system requirement will be macOS 10.12 (afaik).

I think that, for now, I'll move my build machine to Catalina, which seems to be enough to run Xcode 12 and support from 10.7 to 11.1. I'll do some tests today.
When it's time to switch the build machine to Silicon, the safest option would be to create two installers: new (10.12 to 11.x) and legacy (10.7 to 10.11).
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server
