I was initially very supportive of the AAX signing requirement. Maintaining a chain of trust through Avid and Pace for plugin binaries would have been a great way to make Pro Tools a secure platform right down to the plug-in’s signature, assuming Pro Tools wasn’t compromised (and I think we can assume Avid would make a more secure job of copy protection than individual devs rolling their own schemes in general). It is trivial for a hacker to get a regular code signing cert, so I’m generally not in favour of OS signing as a security mechanism, but I doubt many hackers would get certs through Pace, and it would be very easy to get them revoked, meaning anybody that wants to stay current with Pro Tools couldn’t generally use cracked plugins.
So, yes, an annoying hoop to get through, but a big win for the small dev. It could have been a real business win for Avid too: if cracks never appeared for the AAX plugins, then some devs that didn’t want the hassle of going deep into copy protection might choose to only support AAX. If Pro Tools was the place to get unique boutique plugins, it could have been a nice little USP for the platform.
While Avid maintained the policy of disallowing AAX plugins that could load unsigned binaries it all made sense to me. It didn’t take long for that policy to change though. I guess they got a lot of pressure from a few devs that found this to be extremely hostile to their interests as they couldn’t implement genuinely useful plugins that loaded other plugins.
At this point in time I think the code signing should be dropped as a mandatory requirement. What is the benefit? I don’t see one at all in practice. People that want cracked plugins to load in Pro Tools will just follow the path of least resistance, which is loading cracked VSTs in a low-cost legit AAX plugin that can load VSTs.
This is coming from a fairly strong proponent of using the entire iLok system for copy protection. I like the idea of strong copy protection in principle, whatever the effect is on sales (up or down), and I use the full suite of Pace tools, so I am not bothered by this signing requirement, as the signing comes as part of my standard iLok workflow anyway. So I’m not just expressing some generic anti-Pace or anti-Avid or pro-freedom sentiment here. I’m simply saying that for smaller devs it feels like a totally missed opportunity, and I don’t see why they should have to jump through this hoop anymore if it doesn’t benefit them.