AAX sign broken on Mac

Hi guys,

I’m getting some reports from Mac users saying that the AAX is not loading in their Pro Tools session, saying my plug-in is not valid.
This is due to code signing, but I’m signing it and it works for the majority of people… that’s what confuses me.

I believe it has to do with the installer. I’m using Packages, but I don’t get why it only fails for some people. Has anyone experienced something like this?

This can happen if any of the files in the bundle get touched in any way. I recommend that you add a pre-installation script that deletes the existing plugin or you may find the installation of the new version is actually ‘merged’ with the old version, which the PACE signature won’t like. Given what you have said I think this is most likely what has happened.

1 Like

There is a link inside the bundle, which has to be exactly like the original. This can be destroyed through copying/zipping. Maybe it has to do with a switch between HFS/APFS filesystems.

+1. I ran into this as well and it’s been really painful. The issue comes from changes in codesigning on OS X and the way the OS X installer works. In the olden days only binaries would get signed, but now it’s the entire package. Since that change happened the contents of a bundle must not change after signing or loading will fail. At the same time the OS X installer merges folders when installing and thus does not overwrite bundles which are folders, but merges the files contained.

Now if you happen to rename or remove a file in a new version of a signed bundle or have some crap files happen to somehow end up in the bundle, the old data will still stick around and invalidate the new signature.

Signing has changed around OS X 10.11 and the installer… it has always worked like this, but with binary-only signing it wasn’t as harmful.

The only solution is to add a cleanup-script before the install that deletes an existing installation completely. Apple could have prevented this mess by easily allowing the installer to overwrite folders.

Figuring out what happened took forever because for me it also happened just for a few people depending on their version history.

I also use Packages. I made a very simple script that is executed “Pre-installation” on my AAX packages target:

#!/bin/sh
# Delete any previously installed bundle so the installer cannot merge old files into the new one.
rm -rf "/Library/Application Support/Avid/Audio/Plug-Ins/plugin.aaxplugin"
exit 0

3 Likes
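The merge behaviour described in the posts above can be reproduced without an installer. The following is an added example, not code from any of the posters: it upgrades a constructed bundle from v1 to v2 once by merging and once after deleting the old copy, then checks the installed files against the shipped payload. The bundle name, file names and the `cksum` manifest are assumptions standing in for the real plug-in and its signature.

```shell
#!/bin/sh
# Added illustration. All names and file contents are constructed; runs in a temp dir.

# manifest DIR: one "checksum size path" line per file, sorted. A stand-in for
# the list of files a bundle signature covers (not the real PACE/codesign format).
manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(cksum < "$f")" "$f"
    done)
}

# merge_install SRC DST: copy SRC over DST and delete nothing (folder merge).
merge_install() { mkdir -p "$2" && cp -R "$1"/. "$2"/; }

# clean_install SRC DST: remove the old bundle first, as the pre-install script does.
clean_install() { rm -rf "$2" && merge_install "$1" "$2"; }

# verify SRC DST: "match" only if DST holds exactly the files shipped in SRC.
verify() {
    if [ "$(manifest "$1")" = "$(manifest "$2")" ]; then echo match; else echo mismatch; fi
}

# stale_files SRC DST: files present in DST that the SRC payload does not ship.
stale_files() {
    (cd "$2" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        [ -e "$1/$f" ] || printf '%s\n' "$f"
    done
}

# demo MODE (merge|clean): install v1, upgrade to v2 with MODE, report the result.
demo() {
    work=$(mktemp -d) || return 1
    v1="$work/v1/Demo.aaxplugin"; v2="$work/v2/Demo.aaxplugin"
    dst="$work/Plug-Ins/Demo.aaxplugin"
    mkdir -p "$v1/Contents/Resources" "$v2/Contents/Resources"
    echo "binary v1" > "$v1/Contents/Demo"
    echo "old data"  > "$v1/Contents/Resources/legacy.dat"   # dropped in v2
    echo "binary v2" > "$v2/Contents/Demo"
    echo "new data"  > "$v2/Contents/Resources/presets.dat"
    merge_install "$v1" "$dst"
    "${1}_install" "$v2" "$dst"
    verify "$v2" "$dst"
    stale_files "$v2" "$dst"
    rm -rf "$work"
}

for mode in merge clean; do echo "== $mode upgrade =="; demo "$mode"; done
```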

If you’re distributing in a zipped DMG, then you also have to make sure you sign the disk image… I use DropDMG to do that…

https://c-command.com/dropdmg/help/signing

Rail

1 Like

Thank you so much, I’ll try this!

I found that signing as “Mac Developer” was incorrect and I had to use “Developer ID Application” instead. Otherwise anything downloaded was deemed corrupted by Apple.

1 Like

I can confirm that this has fixed the issue.
Thank you so much for sharing @pflugshaupt

1 Like