AU requires flagging as sandboxSAFE in the plist #5633

Closed
UMCorps opened this issue Dec 15, 2021 · 33 comments
Labels: Bug Report

Comments

@UMCorps

UMCorps commented Dec 15, 2021

Bug Description:

Current version of the AU does not pass validation for hosts downloaded from the Mac App Store (i.e. hardened runtime sandboxed apps). It is not an issue for hosts such as Logic.

Description of the discovery of this problem and its solution is in this thread

https://forum.juce.com/t/sandboxsafe-and-macos-host-au2-hardened-runtime-disable-library-validation/47281/5

Computer Information (please complete the following information):

  • OS: [Mac OS 11.6.1]
  • Host: [Wotja 22 Pro. https://intermorphic.com/blog/posts/211214-Wotja-22-Will-Be-Here-Soon.html]
UMCorps added the Bug Report label Dec 15, 2021
@baconpaul
Collaborator

When you say current version, do you mean 1.9 or XT?
XT we sign with mac credentials and the hardened runtime.

@baconpaul
Collaborator

Also: Are you the author of wotja? How can our team get an NFR to test?
Thanks

@sseyod

sseyod commented Dec 15, 2021

@baconpaul just go to the contact page on https://intermorphic.com ... best, Pete

@UMCorps
Author

UMCorps commented Dec 15, 2021

Apologies. I'm using....

Surge Synthesizer
System: macOS 64-bit AU on Apple M1 (Apple Silicon)
Build Info: Built on 2021-04-21 at 11:26:22, using pipeline host 'Mac-1619004058536.local' with 'AppleClang-12.0.0.12000032'
Version: 1.9.0.91069f8

sseyod (Pete) above is the dev

@baconpaul
Collaborator

Great right so that version isn't signed. It will never work.

Can you try the version from here: https://surge-synthesizer.github.io/nightly_XT which both asks for the permissions it needs in the plist and is signed and hardened?

@baconpaul
Collaborator

I also dropped in a note for an NFR in the event it doesn't work.

@UMCorps
Author

UMCorps commented Dec 15, 2021

the nightly XT didn't pass either

@baconpaul
Collaborator

huh well that is a major bummer

@baconpaul
Collaborator

Wow of the hundreds of plugins I have, about 6 of them are sandboxSafe keyed. But one of them is pianoteq which is a juce plugin so must be doable somehow.

@baconpaul
Collaborator

Huh ok a note to self there is a property in juce cmake IS_AU_SANDBOX_SAFE
I wonder if setting it will make us lose our filesystem access though
can you compile surge from source @UMCorps?

@UMCorps
Author

UMCorps commented Dec 15, 2021

I'm afraid I struggle with things like that

Best would be to talk to Pete directly. He will probably know if there are implications for filesystem access

@baconpaul
Collaborator

ok. i'm trying to figure out how to test this without running our full pipeline.
will wait for my NFR of the daw to come through and give it a try over the holidays.

baconpaul added a commit to baconpaul/surge that referenced this issue Dec 16, 2021
This change sets sandboxEnabled true in the AU plist, allowing
loading into mac app store.

This requires a merge and full cycle to test alas, so I may revert
it, but before merging I made sure that

1. I could still sign the AU
2. The AU still loaded in Reaper and Logic

So let's see if this helps the fine folks over at surge-synthesizer#5633
baconpaul added a commit that referenced this issue Dec 16, 2021
@baconpaul
Collaborator

OK so I found the JUCE CMake flag that sets this to true and I toggled it in 559a5e5

Before I merged I checked the plugin still loaded in Reaper and Logic and also that I could sign it. But it's not 100% clear to me that our automated signing pipeline will be problem free. Should be, but we have to try and see.

This means that the next nightly (in about an hour from this message) will either

1: not exist and give an error in our pipeline or
2: Have this set to true

If it's the second then I'll download the installer, install it, and see if it still loads fine in Logic. But if one of you are around in a couple of hours and try the next nightly, that would be great too.

@baconpaul
Collaborator

The modified nightly is now available. Feedback appreciated.

@UMCorps
Author

UMCorps commented Dec 16, 2021

It didn't pass.

Worked ok in Logic which I used to check I had the right plug-in registered.
Screenshot 2021-12-16 at 15 27 20

@baconpaul
Collaborator

OK! Two quick questions

1: Can you let me know the version you see in logic on the about screen? and
2: Does the file /Library/Audio/Plug-Ins/Components/Surge XT.component/Contents/Info.plist contain the sandbox line item on your system?

@UMCorps
Author

UMCorps commented Dec 16, 2021

Logic says.....

Version: Surge XT 0.99.nightly.559a5e5
Build: 2021-12-16 @ 14:47:38 on 'Mac-1639665628078.local/pipeline' with 'AppleClang-12.0.0.12000032' using JUCE 6.1.2
System: macOS 64-bit AU on Apple M1
Host: Apple Logic @ 48.0 kHz

plist has the sandbox line item
Screenshot 2021-12-16 at 15 58 42

@baconpaul
Collaborator

Hmm
So we have sandboxSafe true in the plist, so technically i guess we resolved the problem you raised :)
but since it didn't work: do we know what the actual spec the tool needs is?

@sseyod

sseyod commented Dec 16, 2021

Hi Paul, sorry - been out all day on family stuff! I’ve just sent you an invite for Wotja 22 Pro via Test Flight - should work fine for you on Monterey! Best wishes, Pete

@sseyod

sseyod commented Dec 16, 2021

Hi!

Just got the latest build from you - many thanks. Running through Xcode:

Surge XT Effects:

DEBUG:WJX_PluginHost_Scanner - pluginBeingScanned=(Surge XT Effects)!
Printing description of errorString.text.data:
(juce::CharPointer_UTF8::CharType *) data = 0x0000600000b0edd0 "An OS error occurred during initialisation of the plug-in (-3000)"

But - the good news is I can load Surge XT

Best wishes,

Pete

@sseyod

sseyod commented Dec 16, 2021

@baconpaul Hi Paul, see the above - hoping that helps and matches what you expect! Best, Pete

@baconpaul
Collaborator

Oh duh i turned the sandbox on for the synth but not the effects. That's an easy fix and I can merge it in right now so the next nightly will have it.

But do you know why the nightly would work for you but not for @UMCorps ? I'm not sure how to even debug that.

I grabbed the test flight version. Seems every plugin on my system failed to scan since none of them have sandbox on! (Except for Other Desert Cities)

baconpaul added a commit to baconpaul/surge that referenced this issue Dec 16, 2021
@sseyod

sseyod commented Dec 16, 2021

Hi @baconpaul top stuff :)

It is kind of funny really ... if you look here ... https://forum.juce.com/t/sandboxsafe-and-macos-host-au2-hardened-runtime-disable-library-validation/47281/12
... there is no reason that I can think of why AUV2 developers don't do what you've just done!

Try running this:

$ cd /Library/Audio/Plug-Ins/Components
$ find . -name "*.plist" -print0 | xargs -0 grep -ic sandboxSafe | grep ":0$"

e.g.:
./MNSuperFilterBank.component/Contents/Info.plist:0
./AppleAES3Audio.component/Contents/version.plist:0
./LABS.component/Contents/Info.plist:0
./MNSpectralShuffle.component/Contents/Info.plist:0

Even some of Apple's own units aren't built properly :-D

Pete
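
An added example, not part of the thread or of the Surge or Wotja code: the `grep -c` count above only says whether the key name appears in a file, so it also lists non-AU files such as `version.plist` and treats a `sandboxSafe` set to false as a hit. This sketch parses each bundle's `Info.plist` and reports the flag per `AudioComponents` entry; the function names and the sample plist are constructed for illustration, and the per-entry layout is the usual AUv2 one, assumed here.

```python
import plistlib
from pathlib import Path

# Constructed sample: one bundle declaring three Audio Units (names are made up).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AudioComponents</key>
  <array>
    <dict><key>name</key><string>Demo: Synth</string>
          <key>sandboxSafe</key><true/></dict>
    <dict><key>name</key><string>Demo: Effects</string></dict>
    <dict><key>name</key><string>Demo: Legacy</string>
          <key>sandboxSafe</key><false/></dict>
  </array>
</dict></plist>"""


def audit_plist(data):
    """Return (name, status) for each AudioComponents entry in one plist."""
    info = plistlib.loads(data)  # accepts XML and binary plists
    results = []
    for entry in info.get("AudioComponents", []):  # version.plist has none
        flag = entry.get("sandboxSafe")
        if flag is True:
            status = "safe"
        elif flag is None:
            status = "missing"   # key absent from this entry
        else:
            status = "not-safe"  # key present but false; grep -c still counts it
        results.append((entry.get("name", "?"), status))
    return results


def audit_components(root="/Library/Audio/Plug-Ins/Components"):
    """Map each bundle's Info.plist to its entries not flagged sandboxSafe."""
    report = {}
    for plist in sorted(Path(root).glob("*.component/Contents/Info.plist")):
        try:
            bad = [r for r in audit_plist(plist.read_bytes()) if r[1] != "safe"]
        except Exception as exc:  # unreadable or malformed plist
            bad = [("?", "unparseable: " + type(exc).__name__)]
        if bad:
            report[str(plist)] = bad
    return report


if __name__ == "__main__":
    for path, bad in audit_components().items():
        print(path, bad)
```
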

@sseyod

sseyod commented Dec 16, 2021

"But do you know why the nightly would work for you but not for @UMCorps ? I'm not sure how to even debug that."

I think Mark was in a real hurry - he'll check again tomorrow - and hopefully you'll have installed Wotja 22 Pro anyhow by then via Test Flight.

Best wishes, Pete

@baconpaul
Collaborator

Honestly, I think they mostly don't know.
Anyway should be a new nightly in an hour or two with the FX unit turned on also.

baconpaul added a commit that referenced this issue Dec 16, 2021
@UMCorps
Author

UMCorps commented Dec 16, 2021

"But do you know why the nightly would work for you but not for @UMCorps ? I'm not sure how to even debug that."

I was rushing so relied on the test report as screenshotted. I’ll double check in the app properly tomorrow. If it's working for Pete it should work here, regardless of what the test result reports.

@baconpaul
Collaborator

OK! Well before you test re-grab the nightly (which should be up in about 30 minutes) since I will have turned on this flag for both plugins not just one :)

If it works for you tomorrow we can close this issue.

Thanks!

@UMCorps
Author

UMCorps commented Dec 17, 2021

OK. Have now installed the nightly and checked what's what.

  1. Surge XT. Passes and runs perfectly in Wotja host

  2. XT FX. Does not pass in Wotja. Works fine in Logic

Have checked the plist for XT FX. The sandboxSafe flag is present.
Screenshot 2021-12-17 at 10 04 42

Version: Surge XT 0.99.nightly.b1fa936
Build: 2021-12-16 @ 18:51:38 on 'Mac-1639680057125.local/pipeline' with 'AppleClang-12.0.0.12000032' using JUCE 6.1.2
System: macOS 64-bit AU on Apple M1
Sample Rate: 48.0 kHz

@baconpaul
Collaborator

Hmm. I wonder if there is something where you have to try twice in the tool? There's nothing I did for FX that I didn't do for the synth?

@UMCorps
Author

UMCorps commented Dec 17, 2021

I did a reboot and rescan. After which XT FX passed and is now available for use in Wotja.

So I think that's case closed!

Thanks for all your help. Really appreciated.

It's great to have such a fantastic synth working properly in this environment.

@baconpaul
Collaborator

baconpaul commented Dec 17, 2021

Great!

I let a few other audio devs know about it too. May help.

The nightly is pretty stable, but we will have a numbered production release in January sometime which will include this.

Enjoy making music with surge!

@baconpaul
Collaborator

(Oh and for the sort of music it seems you might make with Wotja, note that the Surge FX banks effect "Nimbus" is a software implementation of the mutable instruments granular effect, "Clouds").

@UMCorps
Author

UMCorps commented Dec 17, 2021

Yeah, worked that out. We already have Braids included in the internal soft synth. Plaits in Surge is a nice alternative
