HOWTO macOS notarization (plugins, app, pkg installers)

DSP, Plugin and Host development discussion.

Post

Fender19 wrote: Thu Jan 16, 2020 6:17 pm I have waded my way through this process and it is working but the "bookkeeping" is really something else. Adding that extra layer of signing (notarization) now requires 3 layers for AAX plugins - code sign + Pace sign + notarize. Get one wrong - or forget a step - or use the wrong password or ID - and the whole thing doesn't work! Many of you clever folk probably have this automated but for now I'm doing it all manually. :(

Now, something I don't understand is how exactly does all of this prevent malicious software? Hackers are hackers - can't they just force-sign a malicious app and notarize with a bogus account? How is any of this nightmare preventing that?
"Pace sign" is the same as code signing, just done with Pace tool and can be done with a custom certificate. When you re-sign something you are actually removing the previous signature and applying the new one.
So you don't need to sign the AAX twice, just do it with the Pace tool.

It's not too difficult to automate all these steps. Check the notarization script posted in this thread (now in OP). If you don't want anything fancy, just copy all your commands in a .sh (for mac) or .bat (for win) and run that instead of re-typing them every time.
AudioThing (VST, AU, AAX, CLAP Plugins)
Instagram | Twitter | Discord Server

Post

audiothing wrote: Thu Jan 16, 2020 9:31 pm "Pace sign" is the same as code signing, just done with Pace tool and can be done with a custom certificate. When you re-sign something you are actually removing the previous signature and applying the new one.
So you don't need to sign the AAX twice, just do it with the Pace tool.
Yes, the Pace tool replaces the codesign signature but it requires the codesign signature as a prerequisite - so you have to sign with the Application ID cert first, then Pace, then notarize. I am doing the initial codesigning step in Xcode so that is one less command line task, but still many details.
audiothing wrote: Thu Jan 16, 2020 9:31 pm It's not too difficult to automate all these steps. Check the notarization script posted in this thread (now in OP). If you don't want anything fancy, just copy all your commands in a .sh (for mac) or .bat (for win) and run that instead of re-typing them every time.
I am using some templates but have not evolved to "sh/bat" automation yet. Would be smart no doubt! Thank you for pointing it out.

Post

Fender19 wrote: Fri Jan 17, 2020 12:04 am Yes, the Pace tool replaces the codesign signature but it requires the codesign signature as a prerequisite - so you have to sign with the Application ID cert first, then Pace, then notarize.
Prerequisite? We don't do it and, so far :pray: , never had issues with notarization or actual usage.
AudioThing (VST, AU, AAX, CLAP Plugins)

Post

audiothing wrote: Fri Jan 17, 2020 9:56 am
Fender19 wrote: Fri Jan 17, 2020 12:04 am Yes, the Pace tool replaces the codesign signature but it requires the codesign signature as a prerequisite - so you have to sign with the Application ID cert first, then Pace, then notarize.
Prerequisite? We don't do it and, so far :pray: , never had issues with notarization or actual usage.
Probably because you have signing set up in your Xcode build settings. When I first started with Pace I was signing manually using command line. Wraptool would return “no digital signature” and fail if I forgot to sign first.

In Windows, wraptool picks up the cert ID as one of the command-line options - so pre-signing is not required.

Post

Fender19 wrote: Fri Jan 17, 2020 6:00 pm Probably because you have signing set up in your Xcode build settings. When I first started with Pace I was signing manually using command line. Wraptool would return “no digital signature” and fail if I forgot to sign first.

In Windows, wraptool picks up the cert ID as one of the command-line options - so pre-signing is not required.
No, we don't have any signing set in our Xcode build settings. We just sign the AAX with Pace tool and a custom certificate (that we also use on Windows) in our build script.
AudioThing (VST, AU, AAX, CLAP Plugins)

Post

Xcode has been able to code-sign for a couple of years now, and it’s easy to set up, and forget.

Post

If I check the signatures on the compiled plugins I get this

    code object is not signed at all
so no, Xcode is not signing them. I'm just passing --signid with the name of the certificate to wraptool and that's it :shrug:
AudioThing (VST, AU, AAX, CLAP Plugins)

Post

(...)
Last edited by xhunaudio on Thu Jan 23, 2020 9:51 am, edited 1 time in total.
bruno @ Xhun Audio || www.xhun-audio.com || Twitter || Instagram

Post

audiothing wrote: Sat Jan 18, 2020 9:56 am If I check the signatures on the compiled plugins I get this

    code object is not signed at all
so no, Xcode is not signing them. I'm just passing --signid with the name of the certificate to wraptool and that's it :shrug:
Not sure how that is getting past Gatekeeper. Are you only releasing AAX or are you using Pace with other formats as well?

Post

Fender19 wrote: Sat Jan 18, 2020 4:27 pm Not sure how that is getting past Gatekeeper. Are you only releasing AAX or are you using Pace with other formats as well?
Sorry, maybe I wasn't clear. I am signing the plugins before distributing with codesign -s (just not in Xcode), but only AU, VST2 and VST3. For AAX I only use wraptool from Pace. I never had to sign the AAX twice, and never got a "no digital signature" error.
AudioThing (VST, AU, AAX, CLAP Plugins)

Post

Hi again,

Should we sign each plugin (au, vst2, vst3) before making the .pkg? Or is just signing the .pkg enough?

Thanks.
https://www.patreon.com/analogobsession Support for free VST3, AU, AAX for WIN & MAC

Post

Use Xcode to sign the plugs. Package makers also have a sign procedure, make sure you have the latest version of ‘Packages.’
The .pkg file is the bit people download and you have to notarise them, so it passes Apple’s virus scanner.
Note code signing and notarising are two different things. I don’t know why you have to code sign as well, as you can’t notarise without being a paid-up dev anyway. I guess what gets checked depends on which OS people are using.
[Apple laughs and shouts “kerching!” :hihi: ]

Post

quikquak wrote: Mon Jan 27, 2020 1:57 pm Use Xcode to sign the plugs. Package makers also have a sign procedure, make sure you have the latest version of ‘Packages.’
The .pkg file is the bit people download and you have to notarise them, so it passes Apple’s virus scanner.
Note code signing and notarising are two different things. I don’t know why you have to code sign as well, as you can’t notarise without being a paid-up dev anyway. I guess what gets checked depends on which OS people are using.
[Apple laughs and shouts “kerching!” :hihi: ]
Thanks for reply!

Sorry for my bad... I meant "notarization".

So, I can sign with Xcode while building and then I can notarize...

But again, should I have to notarize each plugin before making pkg files? Or is notarizing the pkg file enough? :dog:
https://www.patreon.com/analogobsession Support for free VST3, AU, AAX for WIN & MAC

Post

Notarizing the PKG should be enough, AFAIK, because Apple's notarization service also scans every file in such a container.

Code signing AU/VST/VST3/APP is required (the last one with Hardened Runtime if you're loading 3rd-party stuff, i.e. hosts). Can be done with Xcode easily.
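A worked version of the two answers above, added here as an illustration and not code from any poster in this thread: the AU/VST/VST3 bundles are signed and checked one by one (the `codesign -dvv` output audiothing quoted earlier, "code object is not signed at all", is one of the cases the check classifies), and only then is the .pkg built and signed with the Installer certificate. Notarization rejects any Mach-O in the payload that lacks a Developer ID signature, the hardened runtime or a secure timestamp, so the script fails on the build machine instead of after the upload. The identities, team ID ABCDE12345, package identifier, version and the build/pkgroot layout are placeholders, and the three `codesign -dvv` samples at the end are constructed, not captured from a real product.

```shell
#!/bin/sh
# Added example, not code from the thread or from any of the posters.
# Signs every AU/VST/VST3 bundle in a staging tree with a Developer ID
# Application certificate, checks each one the way the notarization
# service will, then builds and signs the installer .pkg.
# Placeholders: both identities, team ID ABCDE12345, PKG_ID, VERSION
# and the build/pkgroot layout.
set -eu

APP_IDENTITY="Developer ID Application: Example Audio Ltd (ABCDE12345)"  # assumed
PKG_IDENTITY="Developer ID Installer: Example Audio Ltd (ABCDE12345)"    # assumed
PKG_ID="com.example.exampleplugin"                                       # assumed
VERSION="1.0.0"                                                          # assumed
STAGING="build/pkgroot"   # assumed; mirrors /Library/Audio/Plug-Ins/...

# Sign one bundle. --force replaces whatever signature is already there
# (re-signing always discards the old one, as wraptool does too),
# --options runtime enables the hardened runtime and --timestamp attaches
# the secure timestamp; notarization rejects payloads missing either.
sign_bundle() {
  codesign --force --options runtime --timestamp --sign "$APP_IDENTITY" "$1"
}

# Pure text check over the output of `codesign -dvv <bundle> 2>&1`, so it
# can be exercised on saved output on any machine. Prints "unsigned", "ok"
# or a space-separated list of what notarization would complain about.
check_codesign_info() {
  info="$1"
  problems=""
  case "$info" in *"code object is not signed at all"*) echo "unsigned"; return 1 ;; esac
  case "$info" in *"Authority=Developer ID Application:"*) ;; *) problems="$problems no-developer-id" ;; esac
  case "$info" in *"flags="*"(runtime)"*) ;; *) problems="$problems no-hardened-runtime" ;; esac
  case "$info" in *"Timestamp="*) ;; *) problems="$problems no-timestamp" ;; esac
  if [ -n "$problems" ]; then
    echo "${problems# }"
    return 1
  fi
  echo "ok"
}

# Strict verification (its exit status is the authoritative answer), then
# the detail check above. An unsigned bundle prints exactly the line quoted
# in the thread: "<path>: code object is not signed at all".
verify_bundle() {
  codesign --verify --deep --strict --verbose=2 "$1"
  check_codesign_info "$(codesign -dvv "$1" 2>&1)"
}

# Component package from the staging root, then a Developer ID Installer
# signature on it; pkgutil confirms the certificate chain before submission.
build_pkg() {
  pkgbuild --root "$STAGING" --identifier "$PKG_ID" --version "$VERSION" \
           --install-location / "build/$PKG_ID-unsigned.pkg"
  productsign --sign "$PKG_IDENTITY" \
              "build/$PKG_ID-unsigned.pkg" "build/$PKG_ID-$VERSION.pkg"
  pkgutil --check-signature "build/$PKG_ID-$VERSION.pkg"
}

main() {
  # The AAX is wrapped and signed by PACE wraptool separately; verify_bundle
  # can still be pointed at its output, the requirements are the same.
  for bundle in "$STAGING"/Library/Audio/Plug-Ins/Components/*.component \
                "$STAGING"/Library/Audio/Plug-Ins/VST/*.vst \
                "$STAGING"/Library/Audio/Plug-Ins/VST3/*.vst3; do
    [ -e "$bundle" ] || continue
    sign_bundle "$bundle"
    verify_bundle "$bundle"
  done
  build_pkg
}

# Constructed samples of `codesign -dvv` output for check_codesign_info (not
# captured from a real product): unsigned, Xcode's default Apple Development
# signature without hardened runtime or timestamp, and a release signature.
SAMPLE_UNSIGNED='build/pkgroot/Library/Audio/Plug-Ins/VST3/Example.vst3: code object is not signed at all'
SAMPLE_DEVCERT='Identifier=com.example.exampleplugin.vst3
CodeDirectory v=20200 size=1890 flags=0x0(none) hashes=51+5 location=embedded
Authority=Apple Development: Jane Doe (XYZ9876543)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'
SAMPLE_RELEASE='Identifier=com.example.exampleplugin.vst3
CodeDirectory v=20500 size=1890 flags=0x10000(runtime) hashes=51+5 location=embedded
Authority=Developer ID Application: Example Audio Ltd (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 17, 2020 at 10:12:44 AM'

# Run the real pipeline only when asked: `sh sign_and_package.sh run`
if [ "${1:-}" = run ]; then
  main
fi
```

The file name sign_and_package.sh is assumed. Because wraptool and Xcode both replace an existing signature rather than layering on it, the order that matters is only that the last signer applies a Developer ID identity with the hardened runtime and timestamp; verify_bundle reports which of those is missing, which is more useful than a notarization rejection that arrives minutes later.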

Post

discoDSP wrote: Mon Jan 27, 2020 3:29 pm Notarizing the PKG should be enough, AFAIK, because Apple's notarization service also scans every file in such a container.

Code signing AU/VST/VST3/APP is required (the last one with Hardened Runtime if you're loading 3rd-party stuff, i.e. hosts). Can be done with Xcode easily.
Thanks for the reply. Now it's clear!

The last question about "Create a specific altool password".

Should we create a single password for all plugins, or a separate password for each plugin?

Thanks.
https://www.patreon.com/analogobsession Support for free VST3, AU, AAX for WIN & MAC
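On the password question: an app-specific password is generated for an Apple ID, not for a product, so one is enough for every plugin, and keeping it in the keychain means it never appears on a command line or in a CI log. The script below is an added example, not code from this thread; `altool` has since been replaced by `notarytool` (Xcode 13 and later), so it stores the credential once as a keychain profile, submits any number of signed packages with it, staples the ticket on acceptance and fetches the notarization log on rejection. Profile name, Apple ID, team ID and package paths are placeholders, and the two JSON verdicts embedded at the end are constructed samples, not real submissions.

```shell
#!/bin/sh
# Added example, not code from the thread or from any poster. Stores the
# notarization credential once and submits already-signed .pkg files with
# it. The app-specific password belongs to the Apple ID, not to a product,
# so one keychain profile serves every plugin. Profile name, Apple ID, team
# ID and package paths are placeholders.
set -eu

PROFILE="notary-example"     # assumed keychain profile name
APPLE_ID="dev@example.com"   # assumed
TEAM_ID="ABCDE12345"         # assumed

# One-time setup per build machine. notarytool prompts for the app-specific
# password and keeps it in the login keychain, so it never lands in a
# script or shell history. (altool's equivalent was -p "@keychain:NAME"
# after adding the item to the keychain by hand.)
store_credentials() {
  xcrun notarytool store-credentials "$PROFILE" \
        --apple-id "$APPLE_ID" --team-id "$TEAM_ID"
}

# Pull one string field out of notarytool's JSON output without jq. The
# object is flat, so one sed over `"key": "value"` is enough.
json_field() {   # json_field '<json>' key
  printf '%s\n' "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
    head -n 1
}

# Submit, wait for the verdict, staple only on "Accepted". On anything else
# fetch the log, which names the file inside the payload that failed
# (typically an unsigned or un-hardened binary) rather than just "Invalid".
notarize_pkg() {
  pkg="$1"
  result=$(xcrun notarytool submit "$pkg" --keychain-profile "$PROFILE" \
             --wait --output-format json)
  status=$(json_field "$result" status)
  id=$(json_field "$result" id)
  if [ "$status" != Accepted ]; then
    echo "notarization of $pkg: $status (submission $id)" >&2
    xcrun notarytool log "$id" --keychain-profile "$PROFILE" >&2
    return 1
  fi
  # Stapling embeds the ticket so Gatekeeper passes the pkg offline; spctl
  # then assesses it as an installer the way the user's Mac will.
  xcrun stapler staple "$pkg"
  spctl -a -vv -t install "$pkg"
}

# Constructed samples of notarytool's JSON verdicts (not real submissions);
# notarytool may pretty-print, so both layouts are covered.
SAMPLE_ACCEPTED='{"status":"Accepted","id":"5d2f4e8c-0000-4000-8000-000000000001","message":"Processing complete"}'
SAMPLE_INVALID='{
  "status" : "Invalid",
  "id" : "5d2f4e8c-0000-4000-8000-000000000002",
  "message" : "Processing complete"
}'

# `sh notarize.sh setup` once per machine, then `sh notarize.sh run build/*.pkg`
case "${1:-}" in
  setup) store_credentials ;;
  run)   shift; for pkg in "$@"; do notarize_pkg "$pkg"; done ;;
esac
```

The file name notarize.sh is assumed. Because the pkg is what gets submitted, a rejection for an unsigned plugin inside it shows up here as an "Invalid" verdict; the fetched log lists the offending path, which is the quickest way to find which of the three signing layers was skipped.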
