Yet another AAX signing post (Apple Developer Certificate on Windows)

obolig

I have successfully code-signed an AAX on MacOS with a "Apple Development" certificate. This process was... fun? Now it's on to signing the Windows build. I exported my "Apple Development" certificate as a .p12 and moved it over to my windows and imported to certmgr. The thumbprint was used as the input for --signid. I am now getting the following error:

Cannot sign the binary because it has been signed and the original signed data cannot be removed.

I see no signs of a signature when looking at the properties of the file. When I examine the file in the command prompt, I receive signtools errors stating:

This file format cannot be verified because it is not recognized.

Do any of you know what could be going on? I see many people stating one can sign AAX plugins on windows with Apple Developer certificates, but I think this issue is potentially related to me not using a certificate issued by a CA.

gorangrooves

@obolig hmmm you are not accidentally trying to sign AAX plugins you built on Mac and already signed?

I use a certificate issued by Certigo and installed on my Win system, then use the PACE wraptool script to sign them all at once. I am not sure about the Apple certificate.
FYI, here is what a command line looks like for me:

wraptool sign --verbose --account mypaceaccount --wcguid UNIQUE-PLUGIN-CODE-9388-005056928F3B --signid mythumbprintid1275fc952fc459b19129 --password myilokpassword --in "I:\path\to\myplugin\myplugin.aaxplugin" --out "I:\path\to\myplugin\myplugin.aaxplugin" --autoinstall on --extrasigningoptions "digest_sha256"

Swap the relevant bits in the script above to match yours.

If you are signing more than a single plugin and using a single script, you only need to include your iLok password for the first plugin.

obolig

@gorangrooves I really appreciate the help. I actually tried this after finding your posts helping others with a similar issue as mine. I tried it again just to make sure and got the same error falsely determining that it was already signed.

To answer your question, this is an .aaxplugin that I have built on my windows computer, so NOT the same one that I successfully signed to function in Pro Tools on Mac.

I have noticed something quite odd since making the original post. My .aaxplugin is 464MB. Significantly larger than the VST3 that is 35MB. I believe this might be related to changing the configuration type in VS from HISE's default dynamic (.dll) to static (.lib). I believe this might be the case because I am able to make the VST3 equally bloated by making the same change to its Configuration type.

I hope this additional information helps to solve this mystery.

Dan Korneff

@obolig said in Yet another AAX signing post (Apple Developer Certificate on Windows):

I see many people stating one can sign AAX plugins on windows with Apple Developer certificates

I've never gotten that to work on my end. I have a EV dongle from Sectigo that works well.

orange

@obolig said in Yet another AAX signing post (Apple Developer Certificate on Windows):

I have noticed something quite odd since making the original post. My .aaxplugin is 464MB. Significantly larger than the VST3 that is 35MB. I believe this might be related to changing the configuration type in VS from HISE's default dynamic (.dll) to static (.lib). I believe this might be the case because I am able to make the VST3 equally bloated by making the same change to its Configuration type.

It might be related to this, Normally AAX file size is almost close to VST3.

Have you contacted the support team? support@paceap.com
They usually respond in a short time.

Regarding the self signed certificate: After creating the certificate with this setting in macOS, if you export it by specifying a password in p12 format, it will work for AAX signing on Windows. (Windows 10 / VS2017 / EDEN TOOLS 5.3.1 / AAX SDK 2.3.1) I haven't checked VS2022 and latest AAX SDK but I think it should work there too.

gorangrooves

@obolig The fact that your aaxplugin is that size is a clear indication that it was not compiled right to begin with. Don’t change any default export settings for aax plugin.

When compiling the aax library SDK, change the runtime of the C++ configuration to MT. See this post

With the correctly compiled aax library SDK, compile the plugin and it should come out right, around 30MB or less.

Then proceed with the signing. Try the Apple one, but if you get errors again, you’ll likely need a different certificate.

obolig

@gorangrooves This was exactly the issue. You are incredible. I know you posted a similar image as this in the post you linked, but I'm posting a screenshot here for anyone else that had a similar issue.

When building the AAX SDK (in my case 2.6.0), you must change the runtime library to Multi-threaded. If you don't do this, the VS project will not work. My previous solution to this problem resulted in a bloated file that could not be signed.

This change to the SDK allowed HISE to export both an AAX and VST3 with no alterations to the built VS projects. I then ran the single line of code previously recommended by @gorangrooves

I then created an executable that a friend used to install both the VST3 and AAX. They were able to load it into Pro Tools! I am officially one of the unicorns that has confirmed that a Windows-built AAX CAN be signed using an Apple Developer Certificate. Of course I did still have to go through the process of communicating with AVID and PACE to obtain the required tools and credentials for signing AAX plugins. Thank you everyone!

gorangrooves

@obolig That's great, man! I am also happy to hear that the Apple certificate works as well. That is very good to know for future reference. Thanks for sharing that info.