"sandboxSafe" and macOS host AU2 - Hardened Runtime - “Disable Library Validation”

Hi folks!

I’ve got problems running these free to download plug-ins on macOS (BigSur, FWIW):

https://www.michaelnorris.info/software/soundmagic-spectral
… looks like they were built with Juce.

They validate OK from Logic, and e.g.:

auvaltool -t aufx MNor SuFB -de -strict_SP

… passes!

Calling in Juce… we get internal strings as follows:
“An OS error occurred during initialisation of the plug-in (-3000)”
“An OS error occurred during initialisation of the plug-in (-1)”
NB: -3000 is for a couple of the plug-ins, -1 for most of the others.

FWIW, -3000 is invalidComponentID
https://developer.apple.com/documentation/coreservices/1559940-anonymous/invalidcomponentid?language=objc

The following code is what fails:

AudioComponentInstance audioUnit;
auto err = AudioComponentInstanceNew(auComponent, &audioUnit);
callbackBlock->completion (err != noErr ? nullptr : audioUnit, err);

Has anybody got any suggestions?!

Pete

Well, that is just plain weird. These plug-ins open OK from the AudioPluginHost demo app, but not from mine. Good grief! Pete

What I’ve learned so far:

• the audio plug-in host demo works fine (scans all AUv3 and the SoundMagic plug-ins)
• my app fails to load the sound magic plugins (scan fails, as outlined above - but finds the AUv3 plug-ins); NB all my code does is create an instance of juce::PluginDirectoryScanner, and works directly through this… so this is really weird.
• if I replace my custom scanner code with an instance of juce::PluginListComponent, on which I call the scanFor method… the plug-ins also fail to scan; but, additionally, this doesn’t pick-up on AUv3 plugins!
• I’ve verified that the SoundMagic plug-ins are all signed; and that re-signing with my own cert makes zero difference
• makes no difference if I sign the Audio Plug-in Host demo app

Pete

If I enable App Sandbox for the Audio Plug-in host, then it all continues to work.

EXCEPT: it now fails to load the plug-in that I re-signed.

Failed to create, errorMessage=An OS error occurred during initialisation of the plug-in (-3000)

So: it looks like the failures I’ve been seeing, are probably failing due to a combination of the way the plug-ins are signed, and my app being a sandboxed app. In that, the differences in behaviour are due to the sandbox settings interacting with plug-in code signing.

Pete

I found the solution! I hope my app will pass App Store validation after this change!

I had to go to here:
Signing & Capabilities

App Sandbox
Hardened runtime:
… and check the box “Disable Library Validation”

Hoping this helps some future developers!

Pete

@reuk I now know why I see -3000

That is because sandboxSafe is not set in the problem plug-in’s .plist file …!

Pete

See also I can't scan for new or updated VST3 plug-ins - #10 by peteatjuce

To be clear: we’re a hardened runtime, running in a sandbox, just like all app store apps (Logic is an EXCEPTION where they seem to make their own rules ) … and the macOS Security System prevents our app from loading such plug-ins.

How to find them, using macOS Terminal:

$ cd /Library/Audio/Plug-Ins/Components
$ find . -name "*.plist" | xargs -- grep -ic sandboxSafe | grep ":0"
./MNSuperFilterBank.component/Contents/Info.plist:0
./AppleAES3Audio.component/Contents/version.plist:0
./LABS.component/Contents/Info.plist:0
./MNSpectralShuffle.component/Contents/Info.plist:0

Yes folks, even one of Apple’s own plug-ins falls foul of this!

Anybody reading this on macOS: please try the above little script.

If you see any plug-ins where you see the above reported, I’d suggest you ask the vendor if they might update their plug-ins to work with App Store apps!

Pete

Suggested boiler-plate when contacting - as I’ve already been asked this!

Dear xxx. Please refer to (link) which has allowed me to find that some of your plug-ins cannot load in App Store apps. due to not being marked as “sandboxSafe”. (list what you find here) Can you please verify this, and let me know when you might push-out an update? Best wishes, (your name)

What sort of resource usage does your host allow?

In Apple Docs - Audio Components and the App Sandbox it states:
“If an Audio Component does not meet the requirements to be Sandbox Safe, it must declare to the system the system resources that it requires access to.”

and

"The system will compare the resource usage information provided by the Audio Component with what the host process’s sandbox allows.

If the Audio Component’s resource usage is completely allowed by the sandbox, the Audio Component is considered Sandbox Safe for that process.

Such an Audio Component will automatically have the flag, kAudioComponentFlag_SandboxSafe set on it and it will always be allowed to be loaded into that host process."

By default JUCE plugins have both:

<key>resourceUsage</key>
<dict>
	<key>network.client</key>
	<true/>
	<key>temporary-exception.files.all.read-write</key>
	<true/>
</dict>

Here

Presumably your Host doesn’t allow that resource usage. Maybe that is worth trying as an interim solution to allow JUCE plugins to be loaded?

Hi @andyjtb !

To be clear, we’re running an app as host.

The plug-ins that aren’t loading are those 3rd party plug-ins (not created with Juce AFAIK), where they’ve not set “sandboxSafe”!

Hoping that clarifies things!

Pete

Yes, this is what I mean. Apple’s documentation suggests that the plugins will be marked as sandbox safe automatically, if the host (your app) sandbox allows the resources required by the plugins.

Since all JUCE plugins, by default, require network.client and temporary-exception.files.all.read-write, ensuring that your sandbox provides those will ensure that all JUCE plugins can be opened by default, without requiring the plugins to change

Hi @andyjtb

Sure. The thing to bear in mind is our app is from the App Store, so has to run with very strict sandbox / hardened runtime restrictions - we don’t have much scope for carve-outs

Pete

Hi JUCE team!

I decided to come back to this.

I’ve now found (and fixed) a bug in juce_AudioUnitPluginFormat.mm

In the code:

static void createAudioUnit (VersionedAudioComponent versionedComponent, AudioUnitCreationCallback callback)
{
    if (versionedComponent.isAUv3)
    {
        AudioComponentInstantiate (versionedComponent.audioComponent,
                                   kAudioComponentInstantiation_LoadOutOfProcess,
                                   ^(AudioComponentInstance audioUnit, OSStatus err)
                                   {
                                       callback (audioUnit, err);
                                   });

        return;
    }

    AudioComponentInstance audioUnit;
    auto err = AudioComponentInstanceNew (versionedComponent.audioComponent, &audioUnit);
    callback (err != noErr ? nullptr : audioUnit, err);
}

I found that this didn’t work for some plug-ins (e.g. LABS), in which case the call to AudioComponentInstanceNew failed, returning -3000.

The fix? I changed to call AudioComponentInstantiate for all plug-in types - not specifically where “isAUv3” is set … and the plug-ins now all load.

I hope this helps somebody!

Best wishes,

Pete