Best method for signing AAX on Windows?
-
I know that information on AAX is quite sparse and the general wisdom is to ask their support but as a Mac user trying to use wrap tool on Windows I have a very general question that I'm wondering if anyone here can help answer.
Can anyone tell me what they are using for their signid? I know there are several options. I have tried both a self-signed keyfile and SHA-2.
All of them end up in a cryptic error of ...
wraptool Error: apache::thrift::TApplicationException: TException: The specified output option should be the same as input option.
This was very easy to do on Mac as I just used my Team ID and it worked right away. Not sure what the Windows equivalent for this should be. Especially since notarization is not mandatory there.
I've already reached out to Avid / PACE for some guidance but thought I would post here in case anyone further down this road could point out the best way to do this.
Happy if anyone wants to send a DM and not discuss this publicly too.
-
I don't think anyone is code-signing on Windows.
-
@d-healey Yes, I think you're very likely right regarding VST3.
I probably should have clarified that this is for the required AAX signing.
Without doing this you can't load AAX plugins in Pro Tools on Windows.
-
@d-healey Wrong.
@optimistic Lucky for you. I cracked all of this yesterday. Your sign ID is going to be the thumbprint of your digital certificate. You need a digital certificate issued by an authoritative digital certificate issuer. I got mine from Sectigo. Comodo is the one that actually issues it. That certificate is used in conjunction with the PACE signing tools. The thumbprint is going to be 40 symbols long. Follow the directions in the PACE guide.
It is easiest to store your certificate in the Windows Certificate Manager, where it will be referenced from using this thumbprint. You will be able to see the thumbprint by inspecting the certificate.
The error above is easy to fix. You should use the same file path for in and for out. So, specify the absolute file path with the file in it and its extension, such as:
"D:\AUDIO TEMPORARY\HISE PROJECTS\Hise VST- Handy Drums- Jazz Standard\Packaging\win32\Handy Drums- Jazz Standard.aaxplugin"
So, basically, whatever the file path you specify, just copy it again and it will work.
The first AAX plugin you sign with PACE, you will also need to provide the password for your iLok account. Subsequent signing will not require a password. For the password, you will append:
--password mysecretpasswordshhh
Your Windows command should look like this:
wraptool sign --verbose --account peterjack --wcguid H8RD3840-6202-11ED-A61D-005056920FF7 --signid 8dnf74kmh1cf30f013c61275fc952fc459b19129 --in "D:\AUDIO TEMPORARY\HISE PROJECTS\Hise VST- Handy Drums- Jazz Standard\Packaging\win32\Handy Drums- Jazz Standard.aaxplugin" --out "D:\AUDIO TEMPORARY\HISE PROJECTS\Hise VST- Handy Drums- Jazz Standard\Packaging\win32\Handy Drums- Jazz Standard.aaxplugin" --autoinstall on --extrasigningoptions "digest_sha256"
In the command line above, you can see what needs to be in quotation marks and what is written as is.
I'll break down the line.
wraptool sign --verbose: It calls the PACE signing tool and instructs it to sign the plugin.
--account peterjack: This is the name of your iLok account you are using for signing.
--wcguid H8RD3840-6202-11ED-A61D-005056920FF7: This is the value you will get from your PACE CENTRAL account for each of your wrapped products, that you have previously set up.
--signid 8dnf74kmh1cf30f013c61275fc952fc459b19129: As explained above, this is your digital certificate thumbprint.
--in "D:\AUDIO TEMPORARY\HISE PROJECTS\Hise VST- Handy Drums- Jazz Standard\Packaging\win32\Handy Drums- Jazz Standard.aaxplugin": The exact path to the AAX plugin you are signing.
--out "D:\AUDIO TEMPORARY\HISE PROJECTS\Hise VST- Handy Drums- Jazz Standard\Packaging\win32\Handy Drums- Jazz Standard.aaxplugin": The path to the same file, which will be replaced with the signed version of it.
--autoinstall on: Not sure what this is, but it works.
--extrasigningoptions "digest_sha256": Dual signing, to be future-proof with the new signature type that Microsoft likes.
--password whateveryouriLokpasswordis: As explained above, you will only need to use this once.
Save your commands in a text file, so you can just copy+paste in the future.
-
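The signing steps from the post above, as an added example that is not part of the original thread and is not PACE's or any poster's code: a PowerShell script that reads the thumbprint from the certificate store instead of copying it by hand, checks that the certificate is usable, and passes the same absolute path to --in and --out. Assumptions: the certificate is in Cert:\CurrentUser\My, wraptool is on PATH and accepts a lowercase thumbprint, and the parameter names are hypothetical.

```powershell
# Added example, not from the original thread. Assumes the certificate is in
# Cert:\CurrentUser\My and that wraptool is on PATH; parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $Account,     # iLok account name
    [Parameter(Mandatory)] [string] $WcGuid,      # --wcguid value from PACE Central
    [Parameter(Mandatory)] [string] $PluginPath,  # path to the .aaxplugin to sign
    [string] $Thumbprint,                         # optional: select one certificate
    [switch] $FirstRun                            # prompt for the iLok password
)

# A thumbprint pasted from the certificate dialog can carry spaces or an
# invisible leading character; keep only the hex digits before comparing.
if ($Thumbprint) { $Thumbprint = $Thumbprint -replace '[^0-9A-Fa-f]', '' }

# Code-signing certificates that have a private key and are currently valid.
$now = Get-Date
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Where-Object { -not $Thumbprint -or $_.Thumbprint -eq $Thumbprint })

if ($certs.Count -ne 1) {
    $certs | Format-Table Subject, Thumbprint, NotAfter | Out-String | Write-Host
    throw "Expected exactly one usable code-signing certificate, found $($certs.Count). Pass -Thumbprint."
}

# Lowercase to match the form shown in the post (assumed to be accepted either way).
$signId = $certs[0].Thumbprint.ToLower()
if ($signId -notmatch '^[0-9a-f]{40}$') { throw "Unexpected thumbprint format: $signId" }

# Resolve to an absolute path once and use it for both --in and --out.
$plugin = (Resolve-Path -LiteralPath $PluginPath).Path

$wrapArgs = @('sign', '--verbose',
    '--account', $Account, '--wcguid', $WcGuid, '--signid', $signId,
    '--in', $plugin, '--out', $plugin,
    '--autoinstall', 'on', '--extrasigningoptions', 'digest_sha256')

if ($FirstRun) {
    # Prompt at run time so the password is not kept in a saved command file.
    $secure = Read-Host 'iLok password' -AsSecureString
    $wrapArgs += @('--password', [System.Net.NetworkCredential]::new('', $secure).Password)
}

& wraptool @wrapArgs
if ($LASTEXITCODE -ne 0) { throw "wraptool exited with code $LASTEXITCODE" }
```
-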
@gorangrooves Thanks for the detailed help on this one as well!
Just replied on my other codesigning thread and you definitely helped make this all far clearer than it was 48 hours ago!