Code signing AAX with Apple cert on Windows?

Hi, I remember reading on here somewhere that I can PACE sign my Windows AAX plug-ins with an Apple certificate. Is that true, and how do I do it? Thanks.

Also, is it a real hassle, and not worth it and that I should go straight to Comodo and get a bloody certificate for Windows now?.. :slight_smile:

Dave.

One comment made in a thread I asked about using Apple certs to sign Windows installers (you can’t was the consensus) was “if the plugin developer is not making the effort to sign their installers, what kind of message does that send about their attention to detail in code/security/etc.”
Of course you might not be using an installer, but if you are then I tend to agree that it’s a pretty valid point, so buy the cert and you’ll get 2 birds with 1 ($80/yr) stone :wink:
fwiw apparently the reverse is true : you can use a Comodo cert to sign AAX under macOS

Thanks. I already have a mac cert. I just wondered how I make a keyfile ‘.p12’ file out of it and a keyfile password.

Find the cert in your Keychain access and choose “Export” from the right click menu…

2 Likes

Thanks Dan, is that the ‘intaller ID’, the “developer ID cert authority”, the “Developer ID: My name”, or the “Apple Worldwide Developer Relations Certification Authority”

I have no idea, but it sounds like it should be the latter?

I don’t know. My assumption would be, it shouldn’t matter, as long as it validates against a root CA, which should be the case for all of them, but I don’t know.
The most sensible would be “Developer ID” IMHO, but I guess you will have to try them one by one…

I find it odd that people are just supposed to know this stuff. Oh well, I’ll just try one, thanks…

Said it before in this context, many parties on the table:

  • OS functionality
  • Avid as host developer
  • Pace for copy protection

So you have to talk to all of them… sure, the NDA doesn’t help really…

All that certificate signing stuff is really opaque, I found it massively confusing, and hardly any decent advice to be found with search.

Yes, it seems I’ve done everything now apart from sign the plug so I can actually use it! I’m not using the full wrapper.

Sergio from Pace just keeps saying ‘Read the Getting Started’ but that doesn’t really help it seems.

If it is of any help, on macOS I’m signing the AAX plug-in with the “Developer ID Application: $name” certificate.

2 Likes

Thanks, that’s a big help. I feel a bit isolated with this cert stuff.

OK I finally got the Mac version signed - phew. The only thing I can say is, don’t have multiple and identicle certs on you Mac - easily done when they update the legal stuff, and you download it, it doesn’t delete the old one. Then Apple gives an ‘ambiguous’ error, which doesn’t make immediate sense.

Yeah, I’ve been bitten by something similar and I discovered something interesting that may be helpful for others:

if you issue the following command to a Terminal:

security find-identity -v

It will output a list with the names of the found identities along with their IDs, for example:

1) 070832C9721D3F296D7DDFFD4AEC0534215E3234 "Developer ID Installer: YourCompanyName"
2) AF9152CCF431BD9CA31CB92CD6846D94B90BDD51 "Developer ID Application: YourCompanyName"

Now, in the place where the name of the identity would go, you can use its ID instead.

That means the -s command line argument for codesign, or and also the
(read the rest of the sentence only if you are under NDA with AVID for AAX development)
--signid argument of wraptool.

In my case, this ambiguity with the name was causing an obscure problem which led to the following error message, which I am copying here to help others finding it in search results:

wraptool Error: pace::eden::thrift::exception::PaceThriftExceptionWire: BinaryDsigException::CodesignToolError, 14, Error signing the specified binary., XcodeUtils.cpp, line 851, function: void pace::doCodesignCommand(const boost::filesystem::path &, const std::string &, const std::string &, const bool, const bool, const bool, const std::string *), 
Apple's codesign tool failed with result code 1: ""
5 Likes

Where would that go on the windows end?
I’m just needing to this for testing purposes for windows AAX while my legit cert gets setup.

Hey I just found out how to use the apple cert on windows (for anyone whos interested).
BTW: this wont give you a blue trusted developer thingy but it works for signing.

in the keychain access on your mac you can export your certificate as p12 file. Follow this tutorial here if you want to know more about signing in general: How to code sign and notarize macOS audio plugins in CI · Melatonin
it also explains how to get a certificate.

right click on your cert in the keychain access and click information.
scroll all the way down to thumbprint. copy it. thats what you need for the --signid.

on windows run: certmgr in the console.
the cert manager opens
->import certificate
->choose your cert

now you should be good to go.

6 Likes

I tried this and it seems to work, although I see this message. It does not seem to cause a problem loading the plugin in Pro Tools on Windows.

Warning! The executable has been signed successfully. But the certificate (key file) used for the signing doesn’t have a trusted root in the system.

It may be impossible for Windows OS to verify the signed executable. It is a good idea to use a Windows-compatible code signing certificate.