audiothing wrote: ↑Sat Dec 19, 2020 12:16 am
Codesigned plugins on Big Sur seem to work fine on 10.9, but fail to load on 10.10, which doesn't make much sense. Running auvaltool on 10.10, I get this error:

code signature invalid for '/Library/Audio/Plug-Ins/Components/Wires.component/Contents/MacOS/Wires' FATAL ERROR: OpenAComponent: result: -50,0xFFFFFFCE

However, the same exact version of auvaltool on 10.9 (!) returns AU VALIDATION SUCCEEDED.

Maybe it's a signature that isn't supported by 10.10 and therefore fails, while 10.9 might not check it at all?
macOS SDK version for M1
- KVRAF
- 7890 posts since 12 Feb, 2006 from Helsinki, Finland
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
I guess so. It works on 10.13 though. I'll try to check if 10.11 and 10.12 are safe as well.
- KVRAF
- 7890 posts since 12 Feb, 2006 from Helsinki, Finland
Maybe it's related to https://stackoverflow.com/questions/418 ... n-a-shared and the codesign tool in Big Sur no longer uses SHA-1 even for 10.9 targets? The verbose flags (assuming it still has those) should apparently tell you what hashes it's storing.
- KVRist
- 91 posts since 24 Dec, 2015 from Bristol, UK
audiothing wrote: ↑Sat Dec 19, 2020 12:16 am
Codesigned plugins on Big Sur seem to work fine on 10.9, but fail to load on 10.10, which doesn't make much sense.

Off the top of my head I suspect you need to apply an SHA-1 signature and then an SHA-256 signature over the top of that to make it work on 10.9 and then 10.10+.
Please report back if you get it working, I'm keen to not get stuck on Catalina due to this, I've managed to work through every other build problem Apple have thrown at me!
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
mystran wrote: ↑Sat Dec 19, 2020 4:16 am
Maybe it's related to https://stackoverflow.com/questions/418 ... n-a-shared and the codesign tool in Big Sur no longer uses SHA-1 even for 10.9 targets? The verbose flags (assuming it still has those) should apparently tell you what hashes it's storing.

Yes, that's it. Verifying the signatures between Mojave and Big Sur, the codesign on Big Sur (silicon at least) doesn't add sha1, while Mojave adds both sha1 and sha256.

keithwood wrote: ↑Sat Dec 19, 2020 11:13 am
Off the top of my head I suspect you need to apply an SHA-1 signature and then an SHA-256 signature over the top of that to make it work on 10.9 and then 10.10+.
Please report back if you get it working, I'm keen to not get stuck on Catalina due to this, I've managed to work through every other build problem Apple have thrown at me!

10.9 seems to ignore the signature, so auvaltool validates the plugin
10.10 can't read sha256, so validation fails
10.11 seems to be ok, but I need to verify it properly
Now, how can we make codesign add sha1 on Big Sur (silicon)? For productsign (which has the same "issue") we used xar following the instructions in that juce thread that I linked earlier. Is there an alternative to codesign that we can use?
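A small build-time check for what this post describes, added here and not taken from the thread or from any poster: it reads the `Hash choices=` line that `codesign -dvvv` prints for a signed bundle and fails if sha1 is missing, so a signing script can catch the sha256-only case before the installer ships. The function names and the two abbreviated sample outputs are constructed for the example.

```shell
# Added example: gate a build on the hash algorithms present in a code signature.
# codesign -dvvv prints (on stderr) a line such as "Hash choices=sha1,sha256".

hash_choices() {
  # $1: captured codesign -dvvv output; prints the comma-separated choices, e.g. "sha1,sha256"
  printf '%s\n' "$1" | sed -n 's/^Hash choices=//p' | head -n 1
}

has_hash() {
  # $1: choices string, $2: algorithm name; exit status 0 if the algorithm is listed
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

check_bundle() {
  # $1: path to a signed .component/.vst3/.aaxplugin bundle; needs the real codesign tool
  out=$(codesign -dvvv "$1" 2>&1) || return 2
  choices=$(hash_choices "$out")
  if has_hash "$choices" sha1 && has_hash "$choices" sha256; then
    echo "OK: $1 carries $choices"
    return 0
  fi
  echo "FAIL: $1 carries only '$choices' (10.10 needs a sha1 code directory)" >&2
  return 1
}

# Constructed, abbreviated samples of codesign -dvvv output (not captured from real plugins):
# one as produced on an Intel Big Sur machine, one as produced on an M1 machine.
SAMPLE_INTEL='Executable=/tmp/Wires.component/Contents/MacOS/Wires
Identifier=com.example.wires
Format=bundle with Mach-O universal (x86_64 arm64)
Hash type=sha256 size=32
Hash choices=sha1,sha256
Signature size=8968'
SAMPLE_M1='Executable=/tmp/Wires.component/Contents/MacOS/Wires
Identifier=com.example.wires
Format=bundle with Mach-O universal (x86_64 arm64)
Hash type=sha256 size=32
Hash choices=sha256
Signature size=8968'
```

Run `check_bundle /path/to/Plugin.component` on the build machine; the sample variables exist only so the parsing can be exercised without codesign.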
- KVRist
- 91 posts since 24 Dec, 2015 from Bristol, UK
audiothing wrote: ↑Sat Dec 19, 2020 11:39 am
Yes, that's it. Verifying the signatures between Mojave and Big Sur, the codesign on Big Sur (silicon at least) doesn't add sha1, while Mojave adds both sha1 and sha256.
10.9 seems to ignore the signature, so auvaltool validates the plugin
10.10 can't read sha256, so validation fails
10.11 seems to be ok, but I need to verify it properly
Now, how can we make codesign add sha1 on Big Sur (silicon)? For productsign (which has the same "issue") we used xar following the instructions in that juce thread that I linked earlier. Is there an alternative to codesign that we can use?

On Windows I do two passes against each binary (only included sign info):

signtool sign /sha1 [etc]
signtool sign /td sha256 /fd sha256 /sha1 [etc]
- KVRAF
- 7890 posts since 12 Feb, 2006 from Helsinki, Finland
audiothing wrote: ↑Sat Dec 19, 2020 11:39 am
Now, how can we make codesign add sha1 on Big Sur (silicon)? For productsign (which has the same "issue") we used xar following the instructions in that juce thread that I linked earlier. Is there an alternative to codesign that we can use?

No idea, but it seems that Apple has generally dropped support for SHA1 with Big Sur (and can't really blame them, since SHA1 is known to be somewhat broken). It could very well be the case that SHA1 just isn't supported by the new codesign at all anymore.
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
Yeah, both codesign and productsign don't support it anymore. So, I'm trying to figure out if there's any alternative to codesign like xar for productsign.
If not, I see only three solutions:
1) having a Mac with Catalina (or even Big Sur but on Intel, it seems to be working...) for building everything
2) splitting the build process between a Silicon and an Intel mac (just for signing)
3) having 2 separate installers (as suggested by Apple here)
I feel like the third option, while it might be the easiest to do, will create an unnecessary amount of support tickets due to the "wrong installer".
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
Ok, today I noticed that the AAXs on Big Sur are still signed with both sha1 and sha256, so I tried to code sign using wraptool all plugins (AU, VST, VST3, AAX).
And...it works!
All formats have sha1 and sha256 signatures made on Big Sur, notarization also works. I've tested a full build on 11.1, 10.14, 10.10, 10.9, and they all work!
Now, I'm not sure if it's a good idea to use wraptool for all plugins, since it also needs to connect to PACE servers every time (not sure if they like that).
The only other codesign tool I could find is this: https://github.com/zhlynn/zsign
But I can't find a way to compile it. I'm getting these errors, despite pointing g++ to the right paths:
openssl.cpp:5:10: fatal error: 'openssl/pem.h' file not found
common/common.cpp:6:10: fatal error: 'openssl/sha.h' file not found
- KVRist
- 444 posts since 11 May, 2016 from Serbia
Codesign actually works and it has sha1 on older systems last time I checked, but productsign is the issue. I will check if the latest Big Sur fixed that since they have attached a bug log to this issue.
Website: https://youlean.co/
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
Not here. I have been trying to codesign with all options possible, on Big Sur 11.0 and 11.1, on a MacBook Pro 13" M1. No matter what I do, I only get sha256.
I've installed Big Sur on an external drive, booted on an Intel MacBook, and now codesign correctly applies sha1 and sha256. So, it seems to be an issue only on Silicon Macs.
How are you signing your plugins?
- KVRist
- 444 posts since 11 May, 2016 from Serbia
Ah, yes, I am signing on an Intel mac here.
Just checked Big Sur 11.2 beta and productsign still has an issue. I am guessing this will never be solved, so some workaround needs to be done.
Website: https://youlean.co/
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
For productsign, there is a workaround: https://forum.juce.com/t/upgraded-to-bi ... r/42812/10
I've tested it multiple times, and it works.
If we can't find an alternative to codesign, building everything on Silicon and supporting 10.9 won't be possible.
- KVRAF
- Topic Starter
- 1748 posts since 2 Jul, 2018
SHA1 is no longer safe and has been deprecated for years. You should no longer use it for security.
I don't think I'll use the above script for signing our software. Seems to be pretty dangerous that something goes wrong. In the worst case Apple could blacklist the certificate, because of 'hacking'.
Looks like we'll have to move the minimum system requirements to MacOS 10.11 or higher.
- KVRAF
- 1873 posts since 13 Apr, 2011 from EU
Markus Krause wrote: ↑Mon Dec 21, 2020 11:44 am
SHA1 is no longer safe and has been deprecated for years. You should no longer use it for security.
I don't think I'll use the above script for signing our software. Seems to be pretty dangerous that something goes wrong. In the worst case Apple could blacklist the certificate, because of 'hacking'.
Looks like we'll have to move the minimum system requirements to MacOS 10.11 or higher.

Nothing dangerous about that script, you can productsign and codesign with sha1 and sha256 automatically on Mojave for example. Same if you use wraptool for binaries, it automatically adds sha1 and sha256.
Apple can't just blacklist a certificate if you are using Mojave or wraptool
But yeah, if we stick to productsign and codesign, and switch to a Silicon mac to build everything, the minimum system requirement will be macOS 10.12 (afaik).
I think that, for now, I'll move my build machine to Catalina, which seems to be enough to run Xcode 12 and support from 10.7 to 11.1. I'll do some tests today.
When it's time to switch the build machine to Silicon, the safest option would be to create two installers: new (10.12 to 11.x) and legacy (10.7 to 10.11).