Old 07-31-2020, 02:02 PM   #1
superblonde.org
Human being with feelings
 
Join Date: Jul 2019
Posts: 873
Default Catalina Rants from "possible solutions" thread

The solution is to have developers digitally-sign their plugins.
Old 08-01-2020, 09:41 AM   #2
superblonde.org
Human being with feelings
 
Join Date: Jul 2019
Posts: 873
Default

A bit off topic but it is not a hardship to sign code. It is part of the build system and happens automatically when pressing the same "Build" button as before. Yes it takes extra steps for the developer to set up the first time, but it's no more difficult than, for example, updating the web page of a plugin to tell everyone there's an update. It will also take a few extra steps to set up the ARM build system the first time for the new ARM Macs, also no big deal. The code signing improves security and reliability. Developers simply need to run some commands to create a key, etc. Users will see that a plugin is signed and will be more likely to download and install the plugin. The requirement will happen to Microsoft plugins too eventually in the future, just as usual Apple is ahead of Microsoft.

About Code Signing
https://developer.apple.com/library/...roduction.html

Once the developer has created a signature then it only takes one command to sign a plugin:
Code:
codesign -s <identity> <code-path>
That's only needed if it's done manually, as normally it is made to be automatic, inside the regular single-button-click "Build" step.

Everything for a developer is a "hardship". Dealing with hardship is a way of life as a developer... always new technology, always new changes, to roll with the cycle of upgrade improvements, that's why we are not still running Amigas today.
Old 08-01-2020, 10:43 AM   #3
pipelineaudio
Mortal
 
Join Date: Jan 2006
Location: Wickenburg, Arizona
Posts: 13,710
Default

Quote:
Originally Posted by superblonde.org View Post
A bit off topic but it is not a hardship to sign code. It is part of the build system and happens automatically when pressing the same "Build" button as before. Yes it takes extra steps for the developer to set up the first time, but it's no more difficult than, for example, updating the web page of a plugin to tell everyone there's an update. It will also take a few extra steps to set up the ARM build system the first time for the new ARM Macs, also no big deal. The code signing improves security and reliability. Developers simply need to run some commands to create a key, etc. Users will see that a plugin is signed and will be more likely to download and install the plugin. The requirement will happen to Microsoft plugins too eventually in the future, just as usual Apple is ahead of Microsoft.

About Code Signing
https://developer.apple.com/library/...roduction.html

Once the developer has created a signature then it only takes one command to sign a plugin:
Code:
codesign -s <identity> <code-path>
That's only needed if it's done manually, as normally it is made to be automatic, inside the regular single-button-click "Build" step.

Everything for a developer is a "hardship". Dealing with hardship is a way of life as a developer... always new technology, always new changes, to roll with the cycle of upgrade improvements, that's why we are not still running Amigas today.
This doesn't work. Try it. Grab a juce build, build a test plug and try it. You have to pay the extortion
Old 08-01-2020, 11:25 AM   #4
superblonde.org
Human being with feelings
 
Join Date: Jul 2019
Posts: 873
Default

So, your complaint is something unrelated to technical issues. It is very easy for a developer to create a signed plugin and it takes no effort once set up, it is not a hardship for developers.

Perhaps your real complaint should be: why can't small developers, or significant contributors in general, easily receive financial compensation of at least a few hundred dollars per year from their efforts to create, build and distribute free plugins.
Old 08-01-2020, 11:34 AM   #5
pipelineaudio
Mortal
 
Join Date: Jan 2006
Location: Wickenburg, Arizona
Posts: 13,710
Default

Quote:
Originally Posted by superblonde.org View Post
So, your complaint is something unrelated to technical issues.
No, it is a technical issue

Quote:
It is very easy for a developer to create a signed plugin and it takes no effort once set up, it is not a hardship for developers.
Yes it is, and it's quite expensive to do so, and quite a barrier for those making free plugins

Quote:
Perhaps your real complaint should be: why can't small developers, or significant contributors in general, easily receive financial compensation of at least a few hundred dollars per year from their efforts to create, build and distribute free plugins.
Perhaps it could also be that, but my chief complaint is the artificial gate recently put in front of a previously working system
Old 08-01-2020, 01:54 PM   #6
superblonde.org
Human being with feelings
 
Join Date: Jul 2019
Posts: 873
Default

This is definitely off topic now, or maybe not, but anyways.

A $100/year developer license is not "expensive" and only needs to be done by 1 person in a larger organization. By comparison, keeping a personal website to allow downloading a plugin costs more than that per year. By comparison, the average small club concert attendee spends close to or much more than $100 per single night for the average music night out (ticket + transport + parking + drinks).

Again the real complaint should be: why can't small independent developers easily receive financial rewards for their contributions to the plugin community which surpasses any minor development cost. The answer: Because there is no marketplace which allows users to buy their goods and/or the developers themselves are not participating in a marketplace. A Plugin repository which provides a code-signed installer for a large variety of plugins is a marketplace. Solution: independent developers should contribute their libraries to a plugin repository which bundles, certifies and installs them for users. Also known as: create a marketplace. The solution is not: Place arbitrary library binaries on ad hoc blogs all across the internet for users to download & install unsafely as machine administrator without any reliability or accountability checks on the library. It is not an artificial gate, the prior user method of copying an unaccountable DLL into an operating system is a massive hole, it is a bug, which apparently now has been patched. Microsoft itself wanted to eliminate DLLs entirely from the user's control way back in early NT, especially because their system always corrupts a user's collection of DLLs as part of its normal operation. Microsoft did not do that back then because they did not have the technology or infrastructure to provide it. Apple has the technology and infrastructure, so they finally patched the hole.

Last edited by superblonde.org; 08-01-2020 at 02:01 PM.
Old 08-01-2020, 02:39 PM   #7
Win Conway
Human being with feelings
 
Join Date: Dec 2010
Posts: 3,677
Default

Only a die hard mac user could ever suggest that a plugin developer making FREE plugins should pay money to do so, on top of the countless hours they put in to making the FREE plugin.
(And yes I use macs and Windows before anybody tries to act superior)
__________________
Reaper scripters, that is all !!!!!!!!!!!!!!!!
Old 08-01-2020, 02:57 PM   #8
superblonde.org
Human being with feelings
 
Join Date: Jul 2019
Posts: 873
Default

If you are referring to my suggested solution then I suggest re-reading the paragraph a few times. Yes, really re-read it. What I suggested is that plugin developers should contribute their plugins to a package repository of plugins which has a code-signed installer.

Three musician developers walk into a bar. The first says, "Gimmie a cigarette, I'mma smoke on the patio first." (Cost per 1 pack: $7, goes through 3 packs a week.) The second says, "Hold up lemme finish my Starbucks before going in." (Cost per latte: $7, goes through 5 lattes a week.) The third says, "It's cool I'll get the first pitcher." (Cost per pitcher: $7, goes through 3 pitchers per week.) The Bartender says: "We don't allow developers in here, they're not willing to pay $33 cover charge each for an entire decade of admittance." All three look at each other and say: "This place should be free! I'm not spending $33 to be here for a decade! I contribute to this place's atmosphere!" The bartender says: "Read the sign, you can earn back more than that if you take tips from the audience." All three look at each other and say: "We're not taking tips! We give away our contributions free and we ain't paying nothin!" The bartender nods to the bouncer who throws them out.

This is why I said it is no longer a technical issue. It is a psychology problem.
Old 08-01-2020, 07:22 PM   #9
pipelineaudio
Mortal
 
Join Date: Jan 2006
Location: Wickenburg, Arizona
Posts: 13,710
Default

Quote:
Originally Posted by Win Conway View Post
Only a die hard mac user could ever suggest that a plugin developer making FREE plugins should pay money to do so, on top of the countless hours they put in to making the FREE plugin.
(And yes I use macs and Windows before anybody tries to act superior)
Thank you! ^&**(*&** horrible to force someone who has given so goddamn much to the community to pay for the privilege of helping others
Old 08-04-2020, 01:58 PM   #10
pipelineaudio
Mortal
 
Join Date: Jan 2006
Location: Wickenburg, Arizona
Posts: 13,710
Default

Glenn Fricker did a video where some of our plugs are used today and holy hell the Catalina users are having install issues.

It's not as simple as people make it out to be, "just codesign it". They're signed, and it's not a simple process; it's 99 dollars for entry, but in order to actually do anything sensible with it it's more like 500 per year

And it still doesn't work.

Sadly these same installers were working even on Catalina not so long ago.

What a nightmare

Here's codesigned for around 500 dollars per year. Worked even in Catalina a few months ago:


Last edited by pipelineaudio; 08-04-2020 at 02:06 PM.
Old 08-14-2020, 08:44 AM   #11
sstillwell
Human being with feelings
 
Join Date: Jul 2006
Location: Cowtown
Posts: 1,557
Default

Quote:
Originally Posted by pipelineaudio View Post
It's not as simple as people make it out to be, "just codesign it". They're signed, and it's not a simple process; it's 99 dollars for entry, but in order to actually do anything sensible with it it's more like 500 per year

And it still doesn't work.
That's just plain wrong - I'm not sure why you're spending $500 on a different certificate for macOS or why you think it's somehow "better" than your developer certificates from Apple. For Catalina and above you have to NOTARIZE your software, which is in addition to signing it. This requires Xcode 10 or above. Notarization involves uploading the software to Apple's servers, where they scan it. The software then gets a ticket that gets digitally stapled to it saying it's safe. Any modification of the file after that renders the stapled ticket invalid, so you only do it at the end of the process. It's a multi-step process, since you have to upload and then wait for them to be done with the scan (typically only a minute or two) and THEN staple the results after Apple says the scan is done.
__________________
https://www.stillwellaudio.com/
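The sign, upload, wait, then staple sequence described in post #11, as an added example that is not part of the original thread or any poster's build script. It uses `notarytool` (Xcode 13 and later, the successor to the `altool` upload that was current when this thread was written); the signing identity, keychain profile name and file names are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): sign -> upload -> wait -> staple.
# Placeholders, all assumptions: IDENTITY, PROFILE and the file names.
# Store the notary credentials once with:
#   xcrun notarytool store-credentials "$PROFILE"
set -eu

IDENTITY="${IDENTITY:-Developer ID Application: Example Dev (TEAMID0000)}"
PROFILE="${PROFILE:-notary-profile}"

# Sign the plug-in bundle. Notarization rejects code signed without the
# hardened runtime (--options runtime) or without a secure timestamp.
sign_bundle() {
  codesign --force --timestamp --options runtime --sign "$IDENTITY" "$1"
}

# Package the signed bundle in a disk image and sign the image too, so
# there is a single container to upload and later staple.
make_dmg() {   # make_dmg <bundle> <out.dmg>
  hdiutil create -quiet -ov -format UDZO -srcfolder "$1" "$2"
  codesign --timestamp --sign "$IDENTITY" "$2"
}

# Extract the "status" field from notarytool's JSON output.
notary_status() {
  printf '%s\n' "$1" |
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Upload and block until Apple's scan finishes; prints the final status.
notarize() {
  notary_json="$(xcrun notarytool submit "$1" \
      --keychain-profile "$PROFILE" --wait --output-format json)"
  notary_status "$notary_json"
}

# Staple last: any change to the file after this invalidates the ticket.
staple() {
  xcrun stapler staple "$1"
  xcrun stapler validate "$1"
}

release() {    # release <bundle> <out.dmg>
  sign_bundle "$1"
  make_dmg "$1" "$2"
  verdict="$(notarize "$2")"
  if [ "$verdict" != "Accepted" ]; then
    echo "notarization status: ${verdict:-unknown}; not stapling" >&2
    return 1
  fi
  staple "$2"
}

# Run only when called as: script <bundle> <out.dmg>
if [ "$#" -eq 2 ]; then release "$1" "$2"; fi
```

The script refuses to staple unless the service reports `Accepted`, so a rejected upload never ships looking finished.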
Old 08-24-2020, 12:53 PM   #12
superblonde.org
Human being with feelings
 
Join Date: Jul 2019
Posts: 873
Default

Quote:
Originally Posted by superblonde.org View Post

According to the developer documentation which I had already posted the link to above, it is possible for any developer to set up a Code Authority, and that would seem to mean that other developers could submit libraries to be signed under that code authority. Translation: only One developer is needed to write an Installer, and all plugins by other developers could send their libraries to that developer, who bundles them as signed, to be installed by that Installer.

Which is exactly what users want: an installer which manages their plugins safely. Users do not want to download binary library files from random web pages or blogs then manually copy these binaries into some administrative level directory on their operating system.
Old 08-25-2020, 01:36 PM   #13
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 4,929
Default

Ignorance is still bliss, I see.

Certs are free, or very cheap. Yet a lot of people seem to think they're better if they're expensive. Sigh.

I don't mind. Just keep shopping with the likes of Symantec, who charge heftily.

Just don't keep whining about Apple making it expensive. 99$ a year should be peanuts for any developer.

Security never has visible, obvious advantages for the end-user. You will never know if it stopped anything. If you don't like that, keep on using Windows. It seems it's no longer possible to switch off MS Defender. Something MS should've done years ago...
__________________
“It has become appallingly obvious that our technology has exceeded our humanity” Albert Einstein
Old 08-25-2020, 11:01 PM   #14
pipelineaudio
Mortal
 
Join Date: Jan 2006
Location: Wickenburg, Arizona
Posts: 13,710
Default

Have you tried to get certification in the last year?

There's theory and there's reality.
Old 08-26-2020, 03:22 AM   #15
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 4,929
Default

I do that on a weekly basis, at least...

Yes, there have been slowdowns, especially in the last few months. Not related to the cert procedure itself, but to Apple's services being down, or hard to reach. Apple doesn't communicate about these. These seldom last longer than a few hours.

Nothing to get upset about.

I can't understand how anyone who calls himself a dev, can pay 500$ for something as cheap as a cert and then go whining about it in public. I tend not to brag about goofs.

Apple is also a big machine. Every now and then, someone gets mangled by the cogwheels. Apple tried to force WordPress to allow "in-app purchases", recently, fi. They reversed course and apologised.

Also, someone was fired from Apple for helping a friend:

https://lowendmac.com/2020/dear-appl...nger-required/

And Apple even sues a small company in Canada for having a pear as a logo.

That's Apple Legal going over the top. They have to defend their trademark, but I could see no reason to sue a snackbar in Luxembourg for being called "Der Apfel". And now they repeat it with the pear. What's next, bananas?

Also, narrowing down corporate rules to sheer fascism, as in the case of Ted Hodges, isn't a good idea. It leaves a very bad taste in the mouth of even the baddest Apple fanboy.

Apple is wasting time with being a bunch of pencil-pushers. A sign of the grocer who's at the top?
__________________
“It has become appallingly obvious that our technology has exceeded our humanity” Albert Einstein
Old 08-26-2020, 06:31 AM   #16
karbomusic
Human being with feelings
 
Join Date: May 2009
Posts: 26,738
Default

Quote:
Originally Posted by cyrano View Post
Certs are free, or very cheap. Yet a lot of people seem to think they're better if they're expensive. Sigh.
Out of curiosity, where do you get cheap code-signing certs? To be clear with the EKU containing OID:1.3.6.1.5.5.7.3.3

Outside the Apple shenanigans you guys are dealing with, code signing cert != web cert. There's a risk/responsibility factor here where the code cert is not just signing, it's guaranteeing the signer is who they say they are which is a bigger deal than securing a website with SSL (because you are installing bits on end-user machines).

This is why a non-authoritative "signing farm" probably isn't going to fly because the signer is going to have to be responsible for every single developer who wants their app signed, being who they say they are - that kind of ruins what code signing prevents FWIW - because a malicious user could just have the farm sign their malicious plugin. Not to mention none can share the same subject name = different cert per.
__________________
Music is what feelings sound like.

Last edited by karbomusic; 08-26-2020 at 06:41 AM.
Old 08-26-2020, 11:10 AM   #17
pipelineaudio
Mortal
 
Join Date: Jan 2006
Location: Wickenburg, Arizona
Posts: 13,710
Default

Quote:
Originally Posted by cyrano View Post
I do that on a weekly basis, at least...

Yes, there have been slowdowns, especially in the last few months. Not related to the cert procedure itself, but to Apple's services being down, or hard to reach. Apple doesn't communicate about these. These seldom last longer than a few hours.

Nothing to get upset about.

I can't understand how anyone who calls himself a dev, can pay 500$ for something as cheap as a cert and then go whining about it in public. I tend not to brag about goofs.
There are so many strawmen here I don't know where to begin. This thread was started because it is very very very hard for newcomers to install free plugins on Catalina

If you have a solution to that, please add it
Old 08-26-2020, 04:04 PM   #18
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 4,929
Default

Quote:
Originally Posted by karbomusic View Post
Out of curiosity, where do you get cheap code-signing certs? To be clear with the EKU containing OID:1.3.6.1.5.5.7.3.3
ssl.com. Around 100$/year I think. Cheaper if you buy for ten years, of course. But the point was Apple. These are free, you only pay a 99$/year dev account. That used to be 1000$ a year. I'm sure some others are cheaper.

The funny thing is, you can even do it with a free dev account. But Apple has made that very well hidden.

My dev account (that I stopped paying more than a decade ago), is still valid. Don't know if that's an anomaly, or if Apple just doesn't care.

Quote:
Outside the Apple shenanigans you guys are dealing with, code signing cert != web cert. There's a risk/responsibility factor here where the code cert is not just signing, it's guaranteeing the signer is who they say they are which is a bigger deal than securing a website with SSL (because you are installing bits on end-user machines).

This is why a non-authoritative "signing farm" probably isn't going to fly because the signer is going to have to be responsible for every single developer who wants their app signed, being who they say they are - that kind of ruins what code signing prevents FWIW - because a malicious user could just have the farm sign their malicious plugin. Not to mention none can share the same subject name = different cert per.
That's the argument I always hear. I'm not saying it's false.

But for most web certs, Let's Encrypt (free) is enough. It matters for results on Google to use https. Lots of people are paying their host for a certificate. Sometimes a lot. Now, if I would need a cert for something like ebay...

But that's not what this was about. This is about the signing of a plugin for Apple's latest OS. Which is done by Apple, if you have an Apple dev account.

And yes, I agree that it doesn't gain much security for the user. It does however, provide an important element in the Apple eco-system: the ability for Apple to pull the plug on any software that runs on MacOS. Whether that's a good thing is up to you to decide. You know I'm not having any of it. Now only if Ubuntu Studio would behave

EDIT: For those interested in code signing, read what happened to WinRAR very recently:

https://www.rarlab.com/revoked591.html
__________________
“It has become appallingly obvious that our technology has exceeded our humanity” Albert Einstein

Last edited by cyrano; 08-26-2020 at 04:38 PM.
Old 08-26-2020, 04:55 PM   #19
karbomusic
Human being with feelings
 
Join Date: May 2009
Posts: 26,738
Default

Quote:
Originally Posted by cyrano View Post
ssl.com. Around 100$/year I think. Cheaper if you buy for ten years, of course. But the point was Apple. These are free, you only pay a 99$/year dev account.
Makes sense, I expected 100'ish as minimum.

A developer who creates free software, is not being shafted by the system per se, they are being shafted by bad apples. OK I could have really intended that pun but didn't. So in order to help keep things secure, they'll probably eat ~100 bucks to sign their code without it being a conspiracy.

If there were ever a time to do the right thing, by signing code to help ensure the buyer is actually running the exact seller's code, and the seller is who they say they are... It would be by now and I don't know how this verification could be both free and maintain the end-to-end integrity it is supposed to provide. That's precisely what ties this to this thread regardless of who is providing the integrity.

Now that that's out of the way, I'll let you guys get back to the Apple specific portion.

Maybe pipe's thing is more about, not being able to easily manually bypass it when you are an educated consumer - aka shouldn't be so gdam hard? I'd be onboard with that.
__________________
Music is what feelings sound like.

Last edited by karbomusic; 08-26-2020 at 05:04 PM.
Old 08-27-2020, 11:36 AM   #20
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 4,929
Default

These changes have been known for many years. A lot of devs, especially audio devs, prefer to act as if nothing ever changes. I know audio interface manufacturers (that get their drivers from 3rd parties) that don't even have a Mac with the latest MacOS beta.

Hey, you can't switch off MS Defender lately.

Apple is on a clear path. That has been very visible. Either stick your head in the sand, or get out. It's not as if Apple is gonna change course, is it?

Apple is making it very hard for open source devs. MS is infiltrating open source. Our whining about it, won't make a bit of difference. Commercial devs will swallow the pill. And those are the devs users might care about. The average user doesn't do audio. They care about Adobe, Apple, MS and a few others, like FB. The largest part of Apple's earnings comes from iOS and services anyways.

And that's where a battle will take place. Epic, publishers and a few others are suing Apple for the appstore. Maybe the judge can change a thing or two?
__________________
“It has become appallingly obvious that our technology has exceeded our humanity” Albert Einstein
Old 08-27-2020, 11:42 AM   #21
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 4,929
Default

Quote:
Originally Posted by pipelineaudio View Post
A lot of it are concerning the tons and tons of free tutorials that people poured their long hard labor into, where you can no longer follow them as a new user.
That's true for any update. What I really hate, is OS makers moving stuff for no good reason. MS seems to do that even more. Heck, even Linux isn't behind, since systemd.

Quote:
How about we just accept that for the purposes of this thread, there are a lot of people who have trouble installing plugins that used to work just fine, and still work fine on windows, in Catalina.
It's not just plugins. Drivers and apps too. Even stuff like protocols...

Quote:
That is the worldview I'm operating from here. Hopefully people can keep posting workarounds, and hopefully, there are some workarounds that even a newer user can try.

Barring that, I have another thread about free plugins that DO work in catalina
There is a workaround. That's what superblonde posted...
__________________
“It has become appallingly obvious that our technology has exceeded our humanity” Albert Einstein
Old 08-27-2020, 11:44 AM   #22
pipelineaudio
Mortal
 
Join Date: Jan 2006
Location: Wickenburg, Arizona
Posts: 13,710
Default Catalina Rants from "possible solutions" thread

I'm moving things that aren't solutions from the Possible Solutions for installing Plugins on Catalina thread that aren't actually Possible Solutions for installing Plugins on Catalina
Old 08-28-2020, 08:43 AM   #23
superblonde.org
Human being with feelings
 
Join Date: Jul 2019
Posts: 873
Default

Developers are often self-centered especially when it comes to Apple. Making products is about the user, it is not about giving the developer an easy ride. Apple has always innovated to move broken methods into the trashcan. They did it with 3.5" disk, with CDROM, with the headphone jack, with user-replaceable laptop batteries, the list goes on and on... and on and on... in every case, it is painful for the developers, and in many cases adds a chunk of cost to the developer. For any hardware device with Lightning, it requires a costly hardware chip for security, that's $$$ to the cost to manufacture.

In every case, Apple does this with the intent of assisting the user not the developer.

Since every developer has to follow the same design guidelines, it means the entire market adjusts, including if there are added costs, it means everyone pays. (Unlike MS where the 'inside' developers would always have first-mover advantages)

The end result is the user wins over the long term, the developers have to adapt to the new technology. It is the job of a developer to develop.
Old 08-28-2020, 08:59 AM   #24
superblonde.org
Human being with feelings
 
Join Date: Jul 2019
Posts: 873
Default

I only got into VSTi this year. It is a total mess. I can't believe developers have produced products like this. Kontakt is a piece of UI garbage. Somehow I'm supposed to use a plugin as a file navigator ? To locate libraries and wav files on my system, not only manually, but in their ugly tiny-font "whoa i wanna-b el1te l00king" ?

And I have to know the goober-six-year-old names of all these plugins so I can go find them on the random interwebs, install the installers, but first have to jump through 3 email hoops to get on emailing lists or shopping carts? Then install something which doesn't do anything except download other components but only if I remember the serial number from their obscure email and then puts them in a system folder who knows where? So that when I upgrade my machine in a year, I have to do it all over again? And I can't even figure out if I'm supposed to install an installer, or use the installer to install a VST, or use the installer as a VST ?

Then when I add the VST thing to my track, I again have to navigate through a bunch of menus to load what I want, but only if I remember the immature-six-year-old's el1t3-speak name for their ridiculous instrument, like "FuzzBall Asteroid Orbiting Jupiter Sprinkled With Chia" ? All in a tiny font which is dark grey on a darker-grey background??

The fancy synth takes extra load time because it has fancy animation of a glowing vacuum tube? What is this nonsense? I'm not playing a video game I'm writing a score!

The entire audio developer camp should be nuked and regrown from scratch, with legitimate software engineers. There should be one app store for audio plugins-samples-things, which has one installer. And this app store is called Apple's App Store. The UIs should be consistent, should use system dialogs and stop trying to be "uber cool".