Hi, I’m trying to fight my way through the codesign-notarization jungle for the first time. I try to sign the VST3 and Component folders before putting them in the installer like so, but they appear to be signed already.
$ codesign -s MY_CERT_IDENTIFIER PATH_TO_VST3 --timestamp
PATH_TO_VST3: is already signed
When I try to check the signature of said folder the signature seems invalid:
$ codesign --verify --verbose PATH_TO_VST3
bundle format unrecognized, invalid, or unsuitable
In the build logs for my plugin I will find the following after linkage, which indicates some signing is done in the build process:
PATH_TO_VST3: code has no resources but signature indicates they must be present
-- Replacing invalid signature with ad-hoc signature
So my best guess is that some ad-hoc code signing duties are performed already? How could I disable this? Maybe some extra flag in the CMakeLists.txt
?