Apple Developer signature SHOULD also work in Windows, yes/no?

DSP, Plugin and Host development discussion.
Post Reply New Topic
RELATED
PRODUCTS

Post

I have signed all of my plugins with a production/distribution cert from my Apple Developer account. They all show as signed in both Mac OS and Windows - but in Windows it says, "The certificate in the signature cannot be verified" - which makes it look (or maybe in fact is) invalid.

I am new to the whole digital signing process but I THOUGHT Apple Certs were also supposed to work in Windows?

I signed all my Mac OS builds during compile via Xcode. All my Windows builds were signed after build using DigiCert. Is DigiCert the problem - or something else?
Last edited by Fender19 on Tue Oct 08, 2019 12:02 am, edited 2 times in total.

Post

BTW - I’m using Pace to sign all my AAX plugins and that is where I read that Apple certs also apply on Windows - but maybe that’s only for Pace purposes?

Any insight here appreciated!

Post

I use my Apple cert for Windows, but they recommend that you get a separate Windows cert. in the text upon signing.
The only problem I had was having to re-export the p12 file from the Mac, because the old one went out of date.
But that's all pretty obvious to be fair... :)

Post

Pace wrapping doesn't care much about the certificate used for signing, in fact you can even sign your binaries with a self-signed certificate and it will work on ProTools.

I think Apple certificates are not valid on Windows because Apple is not a recognized certification authority for Microsoft, so you should get another certificate for Windows from DigiCert, Comodo/Sectigo, etc.
I'd suggest you an Extended Validation (EV) certificate which costs a bit more and requires more paper-work but it will immediately get rid of the SmartScreen alert when you launch the installer or standalone app.

Post

quikquak wrote: Tue Oct 08, 2019 2:19 pm But that's all pretty obvious to be fair... :)
Well no, it's not that obvious. I assumed that the ".p12" file - which is easily exported and read by both Mac OS and Windows - meant that the cert itself was cross-platform. But I guess it's not?

So, is signing with the Apple Developer ID cert doing any good on Windows?

Post

Sorry, I meant the out of date thing was simple.
Signing works with AAX, yes. But it doesn't stop windows from warning potential customers from your downloads though, I'm getting a separate Windows signing cert soon, I've heard Comodo are good re-sellers of them.
Discussion about it on the Juce forum ...
https://forum.juce.com/t/solved-do-you- ... dows/25942

I found the whole process a massive pain to be honest, and I had to email Ed at Pace many many times with my misunderstandings about the process, I think they've done it so many times that the it's second nature to them, and I found their information a little lacking in specific details - to me anyhow( :roll: )
Why the hell there's not a simple GUI to handle it all, I don't know. Programmers hey, always going back to DOS/BASH ! :hihi:
*edit*
I've heard the Windows certs don't go out of date, so if you stop paying for it, your previously signed programs are still valid. Which is much nicer than Apple's way.

Post

quikquak wrote: Tue Oct 08, 2019 6:45 pm Sorry, I meant the out of date thing was simple.
Signing works with AAX, yes. But it doesn't stop windows from warning potential customers from your downloads though, I'm getting a separate Windows signing cert soon, I've heard Comodo are good re-sellers of them.
Discussion about it on the Juce forum ...
https://forum.juce.com/t/solved-do-you- ... dows/25942

I found the whole process a massive pain to be honest, and I had to email Ed at Pace many many times with my misunderstandings about the process, I think they've done it so many times that the it's second nature to them, and I found their information a little lacking in specific details - to me anyhow( :roll: )
Why the hell there's not a simple GUI to handle it all, I don't know. Programmers hey, always going back to DOS/BASH ! :hihi:
Thank you for the clarification and info - and I agree 100% about Pace. It took me long time and a lot of reading and re-reading of their instructions to figure it all out. Being new to signing in general made it that much harder for me - and working cross-platform to boot. And yes, I also asked why there was not a simple GUI interface for it - like DigiCert has - or even like their on-line "Eden" tool you use to generate the certs.
quikquak wrote: Tue Oct 08, 2019 6:45 pm I've heard the Windows certs don't go out of date, so if you stop paying for it, your previously signed programs are still valid. Which is much nicer than Apple's way.
According to the Apple Developer info if you "time stamp" your signatures the Apple cert apps will continue to work even after the expiration date. We'll see...

Post

Interesting, thanks. How do I time stamp something like that?

Post

quikquak wrote: Tue Oct 08, 2019 8:21 pm Interesting, thanks. How do I time stamp something like that?
Time stamping discussed about midway down this page:
https://developer.apple.com/documentati ... guage=objc

Post

That’s great, hope it works for the day I give up on Mac dev. Not anytime soon, of course! 😀

Post Reply

Return to “DSP and Plugin Development”