Ah, code signing. Bane of modern software development!
I’m really struggling to figure out how to distribute a VST3 using Xcode. In this case, the software is a DAW/looper which works standalone and as a VST3, and I’m intending to distribute the app with the VST3 contained within the app bundle, linked to a shared framework that also resides within the app’s bundle, and symlinked from the user’s Library/Audio/Plug-Ins/VST3 folder on first run of the standalone version.
This is all working just peachy in a development environment, with code signing in place, but I’m hitting a wall trying to export the damn thing, from Xcode’s Organiser.
“Archive” is working just fine, and drops the built product in Archives. But trying to use “Distribute App” to export using “Developer ID” is throwing up an error: The operation couldn’t be completed. (DVTFoundation.DVTCodeSignerError error 0.). Looking in the logs reveals the culprit:
codesign output: .../TestApp.app/Contents/PlugIns/helloworld.vst3: replacing existing signature .../TestApp.app/Contents/PlugIns/helloworld.vst3: code object is not signed at all In subcomponent: /private.../TestApp.app/Contents/PlugIns/helloworld.vst3/Contents/moduleinfo.json
I’ve created this test build environment using the VST3 examples:
- I created an Xcode build setup using the provided VST3 Project Generator
- I opened the “vstsdk.xcodeproj” project in Xcode, then created a new target, an app called “TestApp” (FYI I had to modify the “Code Signing Entitlements” build setting as the project root was set to the VST SDK folder).
- I added the “helloworld” sample as a build dependency in “Build Phases”
- I added a new Copy Files phase, targeted at the “PlugIns” folder, and added “helloworld.vst3”
Then, I built using “Archive”, which completed and opened the Archives window. Clicked “Distribute App”, then selected “Developer ID”, and “Export”, and that’s where the error appears.
It seems that the re-signing which Xcode does on export is totally oblivious to the moduleinfo.json file that lives in the top directory of the VST, and it just doesn’t know what to do with it, even if it is already code-signed. I think files in the “Resources” folder of a bundle are automatically signed as expected, but anything that lies outside that (and perhaps a few other specific folders) cause the whole process to fall in a heap.
Unfortunately, it seems that one must jump through this hoop if one wants to make use of Apple’s notarisation service (and I’m pretty sure I’m going to need that).
So: Any hints, here? Anyone else come up against this? Is that moduleinfo.json strictly necessary? Can it be moved to the Resources folder instead? Any other solutions I’ve missed?