Code signing AAX with Apple cert on Windows?

Hi, I remember reading on here somewhere that I can PACE sign my Windows AAX plug-ins with an Apple certificate. Is that true, and how do I do it? Thanks.

Also, is it a real hassle, and not worth it and that I should go straight to Comodo and get a bloody certificate for Windows now?.. :slight_smile:

Dave.

One comment made in a thread I asked about using Apple certs to sign Windows installers (you can’t was the consensus) was “if the plugin developer is not making the effort to sign their installers, what kind of message does that send about their attention to detail in code/security/etc.”
Of course you might not be using an installer, but if you are then I tend to agree that it’s a pretty valid point, so buy the cert and you’ll get 2 birds with 1 ($80/yr) stone :wink:
fwiw apparently the reverse is true : you can use a Comodo cert to sign AAX under macOS

Thanks. I already have a mac cert. I just wondered how I make a keyfile ‘.p12’ file out of it and a keyfile password.

Find the cert in your Keychain access and choose “Export” from the right click menu…

2 Likes

Thanks Dan, is that the ‘installer ID’, the “developer ID cert authority”, the “Developer ID: My name”, or the “Apple Worldwide Developer Relations Certification Authority”?

I have no idea, but it sounds like it should be the latter?

I don’t know. My assumption would be, it shouldn’t matter, as long as it validates against a root CA, which should be the case for all of them, but I don’t know.
The most sensible would be “Developer ID” IMHO, but I guess you will have to try them one by one…

I find it odd that people are just supposed to know this stuff. Oh well, I’ll just try one, thanks…

Said it before in this context, many parties on the table:

  • OS functionality
  • Avid as host developer
  • Pace for copy protection

So you have to talk to all of them… sure, the NDA doesn’t help really…

All that certificate signing stuff is really opaque, I found it massively confusing, and hardly any decent advice to be found with search.

Yes, it seems I’ve done everything now apart from sign the plug so I can actually use it! I’m not using the full wrapper.

Sergio from Pace just keeps saying ‘Read the Getting Started’ but that doesn’t really help it seems.

If it is of any help, on macOS I’m signing the AAX plug-in with the “Developer ID Application: $name” certificate.

1 Like

Thanks, that’s a big help. I feel a bit isolated with this cert stuff.

OK I finally got the Mac version signed - phew. The only thing I can say is, don’t have multiple and identical certs on your Mac - easily done when they update the legal stuff, and you download it, it doesn’t delete the old one. Then Apple gives an ‘ambiguous’ error, which doesn’t make immediate sense.

Yeah, I’ve been bitten by something similar and I discovered something interesting that may be helpful for others:

if you issue the following command to a Terminal:

security find-identity -v

It will output a list with the names of the found identities along with their IDs, for example:

1) 070832C9721D3F296D7DDFFD4AEC0534215E3234 "Developer ID Installer: YourCompanyName"
2) AF9152CCF431BD9CA31CB92CD6846D94B90BDD51 "Developer ID Application: YourCompanyName"

Now, in the place where the name of the identity would go, you can use its ID instead.

That means the -s command line argument for codesign, and also the
(read the rest of the sentence only if you are under NDA with AVID for AAX development)
--signid argument of wraptool.

In my case, this ambiguity with the name was causing an obscure problem which led to the following error message, which I am copying here to help others finding it in search results:

wraptool Error: pace::eden::thrift::exception::PaceThriftExceptionWire: BinaryDsigException::CodesignToolError, 14, Error signing the specified binary., XcodeUtils.cpp, line 851, function: void pace::doCodesignCommand(const boost::filesystem::path &, const std::string &, const std::string &, const bool, const bool, const bool, const std::string *), 
Apple's codesign tool failed with result code 1: ""
5 Likes
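
The name ambiguity described in the post above can be caught before signing by parsing the `security find-identity -v` listing. This is an added example, not part of the original thread and not PACE's or Apple's tooling; the function names are hypothetical, and the sample input is constructed from the two lines quoted above plus a made-up duplicate with a placeholder hash.

```shell
#!/bin/sh
# Constructed sample in the format printed by `security find-identity -v`.
# The first two entries are the ones quoted in the post; the third is a
# made-up duplicate (placeholder hash) standing in for a re-downloaded cert.
SAMPLE='  1) 070832C9721D3F296D7DDFFD4AEC0534215E3234 "Developer ID Installer: YourCompanyName"
  2) AF9152CCF431BD9CA31CB92CD6846D94B90BDD51 "Developer ID Application: YourCompanyName"
  3) 0000000000000000000000000000000000000001 "Developer ID Application: YourCompanyName"
     3 valid identities found'

# Print "<hash><TAB><name>" for every identity line read from stdin.
list_identities() {
    awk '
        $1 ~ /^[0-9]+\)$/ && length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ {
            q = index($0, "\"")
            if (q == 0) next
            name = substr($0, q + 1)
            sub(/"[^"]*$/, "", name)   # strip closing quote and any trailer
            printf "%s\t%s\n", $2, name
        }'
}

# Print names that map to more than one hash; these make "-s <name>" ambiguous.
ambiguous_names() {
    list_identities | cut -f2 | sort | uniq -d
}

# Print the single hash for an exact name; return 1 if the name is missing
# or ambiguous, so a build script stops before it calls codesign.
hash_for_name() {
    matches=$(list_identities | awk -F '\t' -v n="$1" '$2 == n { print $1 }')
    [ -n "$matches" ] || return 1
    [ "$(printf '%s\n' "$matches" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$matches"
}

# Demo on the constructed sample: lists the duplicated name.
printf '%s\n' "$SAMPLE" | ambiguous_names
```

On a Mac, pipe the real `security find-identity -v` output into these functions instead of the sample, and pass the resulting hash to `codesign -s` in place of the name.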

Where would that go on the windows end?
I’m just needing to do this for testing purposes for windows AAX while my legit cert gets setup.

Hey I just found out how to use the apple cert on windows (for anyone who's interested).
BTW: this won't give you a blue trusted developer thingy but it works for signing.

in the keychain access on your mac you can export your certificate as p12 file. Follow this tutorial here if you want to know more about signing in general: How to code sign and notarize macOS audio plugins in CI · Melatonin
it also explains how to get a certificate.

right click on your cert in the keychain access and click information.
scroll all the way down to thumbprint. copy it. that's what you need for the --signid.

on windows run: certmgr in the console.
the cert manager opens
->import certificate
->choose your cert

now you should be good to go.

4 Likes