Participating Frequently

Question

CEP Extension with Node.js not allowed to run on After Effects 2020 by Apple MacOS

Forum|Forum|4 years ago
September 2, 2021
2 replies
1195 views

We have a CEP extension with Node.JS enabled (uses CEP 6.0). The node server requires some modules which are compilled C++ addons. Following is the process I have been using to get Apple GateKeeper to allow the extension to run:

1) Invididually sign each of the (compiled C++ addons) modules with my Apple Developer ID (Application)

2) Sign the final product with my Adobe Certificate using ZXPSignCmd tool

3) Convert the package into a ZIP file and get it notarized by Apple

The procedure has been working fine until After Effects 2020. Now Afer Effects is throwing the error: "code signature in (path-to-compiled-module) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs"

The server is not allowed to run when these modules are present.

Is this because After Effects 2020 has been signed by Adobe as a hardeened runtime without the com.apple.security.cs.disable-library-validation entitlement?

Is there any way to get around this? Am I missing something?

This topic has been closed for replies.

M

mahmoud36694452u3yd

Participant

Hi, did you fix this issue? I've been stuck for a month on this.

ErinF

Adobe Employee

Another person reached out to me about something similar just now, so I'll give the same answer:

The ZXP sign tool can really only handle self-signing at the moment, since encryption standards changed but the tool hasn't been updated. You almost certainly can't sign it with your Apple Certificate.

I'd recommend reaching out to wwds@adobe.com, since I can't help much with the notorization part.

erinferinferinf

Community Manager

Hi there!

I'll ask around, but I think once you sign the ZXP you can't continue to make changes like step 6. I would think you need to notorize, then sign. David Barranca has some posts about notorization... I can't find the link at the moment (on an airplane).

Adonis W.Author

Participating Frequently

Thank you so much for your response. Please do try to direct the question to the relevant personal. I did read David Barranca's notes (https://www.davidebarranca.com/2019/04/notarizing-installers-for-macos-catalina/). It was helpful, but he's refering to packagers and installers (.pkg and .dmg).

By sign, if you meant "signing code with Apple certificate", nortorization fails if the code has not been signed. If you meant "signing with Adobe certificate (creation of the ZRP package)", once you notroize it, Apple Gatekeeper will not tolerate any changes to the zip file (like the addition of signatures) after notorizing it.

What really put me into the above path was this thread on the Apple Devloper Forum (https://developer.apple.com/forums/thread/124336?answerId=388618022#388618022). Please see the response by "eskimo" (an Apple Employee) on that thread.

erinferinferinf

Community Manager

Hi!

Sorry, I meant "signing with ZXPSign". Similar to Apple's process, once you sign your ZXP, changes to the package will invalidate the signature.

I'd suggest:

1) Invididually sign each of the (compiled C++ addons) modules with my Apple Developer ID (Application)

2) Convert the package into a ZIP file and get it notarized by Apple

3) Sign the final product with my Adobe Certificate using ZXPSignCmd tool

🤔 🤔 But now that I look at it, that would also invalidate the Apple notorization, wouldn't it? That's more or less what I think the folks in the Apple thread were suggesting.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded