Code signing AAX with Apple cert on Windows?


#1

Hi, I remember reading on here somewhere that I can PACE sign my Windows AAX plug-ins with an Apple certificate. Is that true, and how do I do it? Thanks.

Also, is it a real hassle, and not worth it and that I should go straight to Comodo and get a bloody certificate for Windows now?.. :slight_smile:

Dave.


#2

One comment made in a thread I asked about using Apple certs to sign Windows installers (you can’t was the consensus) was “if the plugin developer is not making the effort to sign their installers, what kind of message does that send about their attention to detail in code/security/etc.”
Of course you might not be using an installer, but if you are then I tend to agree that it’s a pretty valid point, so buy the cert and you’ll get 2 birds with 1 ($80/yr) stone :wink:
fwiw apparently the reverse is true: you can use a Comodo cert to sign AAX under macOS


#3

Thanks. I already have a Mac cert. I just wondered how I make a keyfile ‘.p12’ file out of it and a keyfile password.


#4

Find the cert in your Keychain access and choose “Export” from the right click menu…


#5

Thanks Dan, is that the ‘installer ID’, the “developer ID cert authority”, the “Developer ID: My name”, or the “Apple Worldwide Developer Relations Certification Authority”?

I have no idea, but it sounds like it should be the latter?


#6

I don’t know. My assumption would be, it shouldn’t matter, as long as it validates against a root CA, which should be the case for all of them, but I don’t know.
The most sensible would be “Developer ID” IMHO, but I guess you will have to try them one by one…


#7

I find it odd that people are just supposed to know this stuff. Oh well, I’ll just try one, thanks…


#8

Said it before in this context, many parties on the table:

  • OS functionality
  • Avid as host developer
  • Pace for copy protection

So you have to talk to all of them… sure, the NDA doesn’t help really…


#9

All that certificate signing stuff is really opaque, I found it massively confusing, and hardly any decent advice to be found with search.


#10

Yes, it seems I’ve done everything now apart from sign the plug so I can actually use it! I’m not using the full wrapper.


#11

Sergio from Pace just keeps saying ‘Read the Getting Started’ but that doesn’t really help it seems.


#12

If it is of any help, on macOS I’m signing the AAX plug-in with the “Developer ID Application: $name” certificate.


#13

Thanks, that’s a big help. I feel a bit isolated with this cert stuff.


#14

OK I finally got the Mac version signed - phew. The only thing I can say is, don’t have multiple and identical certs on your Mac - easily done when they update the legal stuff, and you download it, it doesn’t delete the old one. Then Apple gives an ‘ambiguous’ error, which doesn’t make immediate sense.


#15

Yeah, I’ve been bitten by something similar and I discovered something interesting that may be helpful for others:

If you issue the following command to a Terminal:

security find-identity -v

It will output a list with the names of the found identities along with their IDs, for example:

1) 070832C9721D3F296D7DDFFD4AEC0534215E3234 "Developer ID Installer: YourCompanyName"
2) AF9152CCF431BD9CA31CB92CD6846D94B90BDD51 "Developer ID Application: YourCompanyName"

Now, in the place where the name of the identity would go, you can use its ID instead.

That means the -s command line argument for codesign, and also the
(read the rest of the sentence only if you are under NDA with AVID for AAX development)
--signid argument of wraptool.

In my case, this ambiguity with the name was causing an obscure problem which led to the following error message, which I am copying here to help others finding it in search results:

wraptool Error: pace::eden::thrift::exception::PaceThriftExceptionWire: BinaryDsigException::CodesignToolError, 14, Error signing the specified binary., XcodeUtils.cpp, line 851, function: void pace::doCodesignCommand(const boost::filesystem::path &, const std::string &, const std::string &, const bool, const bool, const bool, const std::string *), 
Apple's codesign tool failed with result code 1: ""
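
Added example, not part of the original thread: a shell script for the check described in posts #14 and #15, which finds identity names that appear more than once in `security find-identity -v` output and resolves a name to its hash only when it is unique. The function names are hypothetical and the sample output (hashes, "Example Co") is constructed so the script runs without a keychain.

```shell
#!/bin/sh
# Added example, not from the thread. Hashes and names below are constructed.

# Constructed stand-in for `security find-identity -v` output, with the
# "Developer ID Application" name duplicated as described in post #14.
sample_identities() {
cat <<'EOF'
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Installer: Example Co"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Application: Example Co"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Developer ID Application: Example Co"
     3 valid identities found
EOF
}

# stdin: find-identity output. stdout: "<hash><TAB><name>" per identity line.
parse_identities() {
  awk '$1 ~ /^[0-9]+\)$/ && length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ {
    name = substr($0, index($0, "\"") + 1)
    sub(/"[^"]*$/, "", name)          # drop closing quote and any trailing text
    printf "%s\t%s\n", $2, name
  }'
}

# Names that occur more than once, i.e. names codesign cannot resolve uniquely.
ambiguous_names() {
  parse_identities | cut -f2 | sort | uniq -d
}

# Print the hash for name $1. Returns 0 if unique, 1 if absent, 2 if ambiguous
# (candidate hashes are then listed on stderr so one can be chosen explicitly).
resolve_identity() {
  parse_identities | awk -F '\t' -v want="$1" '
    $2 == want { hash[++n] = $1 }
    END {
      if (n == 1) { print hash[1]; exit 0 }
      if (n == 0) { print "no identity named: " want > "/dev/stderr"; exit 1 }
      print n " identities named: " want > "/dev/stderr"
      for (i = 1; i <= n; i++) print "  " hash[i] > "/dev/stderr"
      exit 2
    }'
}

# Demo on the constructed sample; on a Mac, pipe `security find-identity -v` instead.
sample_identities | ambiguous_names
sample_identities | resolve_identity "Developer ID Application: Example Co" ||
  echo "pick one hash above and pass it to codesign -s instead of the name"
```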