[SOLVED] Plugins automatically signed incorrectly during build on macOS?

Hi, I’m trying to fight my way through the codesign-notarization jungle for the first time. I try to sign the VST3 and Component folders before putting them in the installer like so, but they appear to be signed already.

$ codesign -s MY_CERT_IDENTIFIER PATH_TO_VST3 --timestamp

PATH_TO_VST3: is already signed

When I try to check the signature of said folder the signature seems invalid:

$ codesign --verify --verbose PATH_TO_VST3

bundle format unrecognized, invalid, or unsuitable

In the build logs for my plugin I will find the following after linkage, which indicates some signing is done in the build process:

PATH_TO_VST3: code has no resources but signature indicates they must be present
-- Replacing invalid signature with ad-hoc signature

So my best guess is that some ad-hoc code signing duties are performed already? How could I disable this? Maybe some extra flag in the CMakeLists.txt?

Exactly, the ad-hoc code signing will be performed automatically, even though it does not serve any real purpose (that I know of).
I think that the best bet is to just add the --force flag to the codesigning command, to replace the existing ad-hoc signature, e.g.
codesign --force --timestamp --verbose --sign <sign-id> <file>

2 Likes

Hi Vallant :smile:

Yep, using the --force flag overrides the previous signature. Thanks for the input!
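
A pre-packaging check for the situation in this thread, as an added example that is not part of the original posts: it reads `codesign -dvv` output, detects the build's ad-hoc signature, replaces it with the `--force` command from the answer above, and verifies the result. The function names `classify_signature` and `sign_bundle` are hypothetical, and the sample outputs are constructed and abridged.

```shell
#!/bin/sh
# Added example: make sure a plugin bundle carries an identity-based
# signature (not the build's ad-hoc one) before it goes into the installer.

# Read `codesign -dvv` output on stdin; print adhoc | identity | unsigned.
classify_signature() {
    info=$(cat)
    case "$info" in
        *"Signature=adhoc"*) echo adhoc ;;     # ad-hoc: no certificate chain
        *"Authority="*)      echo identity ;;  # signed with a certificate
        *)                   echo unsigned ;;  # no usable signature found
    esac
}

# Re-sign BUNDLE with IDENTITY unless it already has an identity-based
# signature, then verify. Requires macOS codesign.
sign_bundle() {
    identity=$1
    bundle=$2
    # codesign -d writes its report to stderr, hence 2>&1.
    state=$(codesign -dvv "$bundle" 2>&1 | classify_signature)
    if [ "$state" != identity ]; then
        codesign --force --timestamp --verbose --sign "$identity" "$bundle" || return 1
    fi
    codesign --verify --strict --verbose "$bundle"
}

# Constructed sample outputs (abridged) for offline checks.
SAMPLE_ADHOC='Identifier=com.example.Plugin
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+0 location=embedded
Signature=adhoc
TeamIdentifier=not set'

SAMPLE_SIGNED='Identifier=com.example.Plugin
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2024 at 12:00:00
TeamIdentifier=ABCDE12345'

SAMPLE_UNSIGNED='Plugin.vst3: code object is not signed at all'
```

On a Mac, call it as `sign_bundle MY_CERT_IDENTIFIER PATH_TO_VST3`; a non-zero exit status means signing or verification failed and the bundle should not be packaged.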