AAX plugin and package builder in Mac

Hi,

I have a very odd problem. I already build and signed my AAX plugin. It works fine in Pro Tools Ultimate. Now I want to add it in the installer package in Mac. Unsigned Package gets created with no problem but I cannot notarize it. I have the below error when I check.

"issues": [
{
"severity": "error",
"code": null,
"path": "MyApplication.pkg/MyApp.pkg Contents/Payload/Library/Application Support/Avid/Audio/Plug-Ins/MyPlugin.aaxplugin/Contents/MacOS/MyApplication",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "MyApplication.pkg/MyApp.pkg Contents/Payload/Library/Application Support/Avid/Audio/Plug-Ins/MyPlugin.aaxplugin/Contents/MacOS/MyApplication",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "MyApplication.pkg/MyApp.pkg Contents/Payload/Library/Application Support/Avid/Audio/Plug-Ins/MyPlugin.aaxplugin/Contents/__Pace_Eden.bundle/Contents/MacOS/__Pace_Eden",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "MyApplication.pkg/MyApp.pkg Contents/Payload/Library/Application Support/Avid/Audio/Plug-Ins/MyPlugin.aaxplugin/Contents/__Pace_Eden.bundle/Contents/MacOS/__Pace_Eden",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "MyApplication.pkg/MyApp.pkg Contents/Payload/Library/Application Support/Avid/Audio/Plug-Ins/MyPlugin.aaxplugin/Contents/__Pace_Eden.bundle/Contents/MacOS/__Pace_Eden",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": null,
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "MyApplication.pkg/MyApp.pkg Contents/Payload/Library/Application Support/Avid/Audio/Plug-Ins/MyPlugin.aaxplugin/Contents/__Pace_Eden.bundle/Contents/MacOS/__Pace_Eden",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "arm64"
}
]

Any idea how I can add the AAX plugin into packages installer?
Thank you

AAX plugin must be signed with PACE’s wraptool and not via codesign. Furthermore, you need a valid Develope ID certificate from your Apple Dev account and you cannot use a self-signed certificate.

Thank you @lcapozzi
We already done the signing part. Using Pace’s Wraptool and all of that. It works fine. The AAX plugin works as expected in Pro Tools Ultimate and also in other machines. So signing part is good.

We just want to package our AAX plugin with AU and VST3 ones into a package build installer. There is no issue with AU and VST3 to package them. Only AAX has problem with the error mentioned above. Any idea?

That’s strange, since the error message in the log you posted is basically telling you that you are signing with an invalid certificate.

I wrote an entire “build robot” that builds and then package the plugin using the pkgbuild command.
I copy all the plugin files in dedicated subfolders in my plugin redist root folder (so we’ll have subfolders named vst2, vst3, au, aax). I’ll show you what I basically do. This is a very stripped down version of the actual code. The real one also accounts for our pre/post install scripts, the plugin presets and so on.

The steps are (for each plugin format)

pkgbuild --analyze --root "./aax/" "' + trimmedName + '_AAX.plist"

pkgbuild --root "./aax/" --component-plist "./' + trimmedName + '_AAX.plist" --scripts "./scripts/aax/" --identifier "com.mycompany.' + trimmedName + '.pkg.AAX" --version ' + pgVersion + ' --install-location "/Library/Application Support/Avid/Audio/Plug-Ins/MyCompany" "' + trimmedName + '_AAX.pkg"

the final step is

productbuild --distribution "./Distribution.xml" --package-path "./" --resources "./Resources" --sign ' + instIDCert + ' "MyCompany ' + pgName + ' v' + pgVersion + '.pkg"

I hope this could help you

Thank you for sharing your steps with me @lcapozzi
The problem is finally solved.
I had to check the status of each signature and compare. What happened is that I had a certificate to sign my AAX with PACE and apparently that is already acceptable by Pro Tools but not by Mac to be used in the package builder.
So I used the same Developer Id Application certificate that I signed my AU and VST3 to sign the AAX plugin. What I mean is that when I used the wraptool I used the Developer Id Application certificate for the signid flag.
After that I had no issue packaging it and notarization went through successfully.
If you do not want to package the AAX plugin then any certificate from Keychain Access is good enough to be used in wraptool.
Now I have to solve the problem of the build pipeline and engaging the iLOk as part of it.
Thanks again.

1 Like