
CEP Extension with Node.js not allowed to run on After Effects 2020 by Apple MacOS

Community Beginner, Sep 02, 2021

We have a CEP extension with Node.js enabled (uses CEP 6.0). The node server requires some modules which are compiled C++ addons. Following is the process I have been using to get Apple GateKeeper to allow the extension to run:

1) Individually sign each of the (compiled C++ addons) modules with my Apple Developer ID (Application)

2) Sign the final product with my Adobe Certificate using ZXPSignCmd tool

3) Convert the package into a ZIP file and get it notarized by Apple

The procedure has been working fine until After Effects 2020. Now After Effects is throwing the error: "code signature in (path-to-compiled-module) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs"

The server is not allowed to run when these modules are present.

Is this because After Effects 2020 has been signed by Adobe as a hardened runtime without the com.apple.security.cs.disable-library-validation entitlement?

Is there any way to get around this? Am I missing something?

TOPICS
CEP , SDKs , ZXPSign
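
The "different Team IDs" message quoted in the question is what macOS library validation reports when a process that enforces it maps code signed by a different team. The following is an added example, not part of the original thread or of Adobe's tooling: it reads `codesign` output for a host application and a native add-on and reports whether library validation would allow the load. The function names, the signature text and the Team IDs `HOSTTEAM01` and `ADDONTEAM1` are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. On macOS, feed these functions the output of
#   codesign -dv --verbose=4 <path>  and  codesign -d --entitlements :- <path>
# Apple platform binaries, which any process may load, are not modelled here.

# Team ID from signature details on stdin; "not set" (ad hoc/unsigned) -> empty.
team_id() {
    sed -n 's/^TeamIdentifier=//p' | sed -e '1!d' -e 's/^not set$//'
}

# True if the CodeDirectory flags include hardened runtime or library validation.
enforces_library_validation() {
    grep -Eq '^CodeDirectory .*flags=[^ ]*\(([^)]*,)?(runtime|library-validation)[,)]'
}

# True if the entitlements plist on stdin sets disable-library-validation.
allows_foreign_libraries() {
    tr -d ' \t\n' |
        grep -q '<key>com\.apple\.security\.cs\.disable-library-validation</key><true/>'
}

# Args: host signature text, host entitlements text, add-on signature text.
library_validation_verdict() {
    host_team=$(printf '%s\n' "$1" | team_id)
    addon_team=$(printf '%s\n' "$3" | team_id)
    if ! printf '%s\n' "$1" | enforces_library_validation; then
        echo "allowed:not-enforced"
    elif printf '%s\n' "$2" | allows_foreign_libraries; then
        echo "allowed:entitlement"
    elif [ -n "$host_team" ] && [ "$host_team" = "$addon_team" ]; then
        echo "allowed:same-team"
    else
        echo "blocked:team-mismatch host=${host_team:-none} addon=${addon_team:-none}"
    fi
}

# Constructed sample input (placeholder Team IDs, not real signatures).
HOST_SIG='Identifier=com.example.host
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=21+7 location=embedded
TeamIdentifier=HOSTTEAM01'
ADDON_SIG='Identifier=addon
CodeDirectory v=20400 size=512 flags=0x0(none) hashes=9+2 location=embedded
TeamIdentifier=ADDONTEAM1'
HOST_ENT_NONE='<plist version="1.0"><dict/></plist>'
HOST_ENT_DLV='<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/></dict></plist>'

library_validation_verdict "$HOST_SIG" "$HOST_ENT_NONE" "$ADDON_SIG"
library_validation_verdict "$HOST_SIG" "$HOST_ENT_DLV" "$ADDON_SIG"
```
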
Adobe Employee, Sep 04, 2021

Hi there!


I'll ask around, but I think once you sign the ZXP you can't continue to make changes like step 6. I would think you need to notarize, then sign. Davide Barranca has some posts about notarization... I can't find the link at the moment (on an airplane).

Community Beginner, Sep 05, 2021

Thank you so much for your response. Please do try to direct the question to the relevant personnel. I did read Davide Barranca's notes (https://www.davidebarranca.com/2019/04/notarizing-installers-for-macos-catalina/). It was helpful, but he's referring to packagers and installers (.pkg and .dmg).

By sign, if you meant "signing code with Apple certificate", notarization fails if the code has not been signed. If you meant "signing with Adobe certificate (creation of the ZXP package)", once you notarize it, Apple Gatekeeper will not tolerate any changes to the zip file (like the addition of signatures) after notarizing it.

What really put me into the above path was this thread on the Apple Developer Forum (https://developer.apple.com/forums/thread/124336?answerId=388618022#388618022). Please see the response by "eskimo" (an Apple Employee) on that thread.

Adobe Employee, Sep 07, 2021

Hi!

Sorry, I meant "signing with ZXPSign". Similar to Apple's process, once you sign your ZXP, changes to the package will invalidate the signature.

I'd suggest:

1) Individually sign each of the (compiled C++ addons) modules with my Apple Developer ID (Application)

2) Convert the package into a ZIP file and get it notarized by Apple

3) Sign the final product with my Adobe Certificate using ZXPSignCmd tool

🤔 But now that I look at it, that would also invalidate the Apple notarization, wouldn't it? That's more or less what I think the folks in the Apple thread were suggesting.

Adobe Employee, Sep 08, 2021

Wait, why are you still using CEP 6? Have you tried updating to CEP 11?

 

There was a big change in node.js context around CEP 8 or so.... for AE 2020 you need CEP 9.

Community Beginner, Sep 08, 2021

Thank you for helping out on this. The CEP version was also my first guess. So I tried changing that to CEP 9, but it still does not work. I didn't try CEP 11 because AE 2020 uses CEP 9, but I guess I can try that as well.

With regard to what you said about signing, yes, your observation is correct. The signature list added by the ZXPSignCmd tool invalidates the notarization.

The method I outlined initially (at the start of the question) was working perfectly (both AE and Apple GateKeeper were happy) until AE 2020. Now it gives the "different Team IDs" error. Here is a thread I found on the Apple Developer Forum on when this error occurs:
https://developer.apple.com/forums/thread/129977

For our scenario, the "hardened runtime" is AE, right? Should the entitlement be added there?

New Here, May 12, 2024

Hi, did you fix this issue? I've been stuck for a month on this.

Adobe Employee, Jul 23, 2024

Another person reached out to me about something similar just now, so I'll give the same answer:

 

The ZXP sign tool can really only handle self-signing at the moment, since encryption standards changed but the tool hasn't been updated. You almost certainly can't sign it with your Apple Certificate.
