Code Signing
BeatConnect automatically signs all plugin builds using industry-standard certificates. Your plugins will be trusted by operating systems without security warnings.
Why Code Signing Matters
Without Code Signing
macOS:
"MyPlugin.vst3" cannot be opened because the developer cannot be verified.
[Move to Trash] [Cancel]
Windows:
Windows protected your PC
Microsoft Defender SmartScreen prevented an unrecognized app from starting.
Running this app might put your PC at risk.
[Don't run] [Run anyway]
With Code Signing
macOS: Plugin opens without warnings (Gatekeeper approved)
Windows: Plugin installs cleanly (Authenticode verified)
What BeatConnect Provides
| Platform | Signing Type | Verification |
|---|---|---|
| macOS | Developer ID + Notarization | Apple Gatekeeper |
| Windows | Authenticode (EV Certificate) | Microsoft SmartScreen |
Included Automatically
- ✅ Code signing for all builds
- ✅ Apple notarization (macOS)
- ✅ Timestamp embedding (long-term validity)
- ✅ Certificate rotation (we handle renewals)
No Extra Cost
Code signing is included in the Developer tier. You don’t need:
- ❌ Apple Developer Account ($99/year)
- ❌ Windows code signing certificate ($200-500/year)
- ❌ Notarization workflow setup
- ❌ Certificate management
macOS Code Signing
Developer ID Certificate
All macOS builds are signed with our Developer ID Application certificate:
Certificate: Developer ID Application: BeatConnect Inc. (XXXXXXXXXX)
Team ID: XXXXXXXXXX
Signed: 2025-01-15 10:30:00 UTC
Notarization
After signing, plugins are submitted to Apple for notarization:
[Signing] Signing MyPlugin.vst3...
[Signing] ✓ Code signature verified
[Notarization] Uploading to Apple...
[Notarization] Waiting for Apple response...
[Notarization] ✓ Notarization successful
[Notarization] Stapling ticket to bundle...
[Notarization] ✓ Ticket stapled
What is Notarization?
Apple’s notarization service:
- Scans your plugin for malware
- Verifies the code signature
- Issues a “ticket” confirming approval
- Ticket is “stapled” to your plugin bundle
Result: Gatekeeper trusts your plugin immediately.
Hardened Runtime
All macOS builds use Hardened Runtime with these entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
These are required for:
- JIT compilation (if used)
- Loading audio plugin hosts
- Dynamic DSP code
Windows Code Signing
Authenticode Certificate
Windows builds are signed with our EV (Extended Validation) certificate:
Signer: BeatConnect Inc.
Certificate: Authenticode Code Signing
Timestamp: RFC 3161 (long-term validity)
Algorithm: SHA-256
SmartScreen Reputation
EV certificates have immediate SmartScreen reputation:
- Standard certificates: Need downloads to build reputation
- EV certificates: Trusted immediately (what we use)
Verification
Check Windows signature:
# PowerShell
Get-AuthenticodeSignature "MyPlugin.vst3"
# Expected output:
# SignerCertificate: CN=BeatConnect Inc., O=BeatConnect Inc., ...
# Status: Valid
# StatusMessage: Signature verified.
Signature Verification
macOS
# Verify code signature
codesign -vvv --deep --strict MyPlugin.vst3
# Check notarization
spctl -a -vvv -t install MyPlugin.vst3
# View certificate details
codesign -dvvv MyPlugin.vst3
Expected output:
MyPlugin.vst3: valid on disk
MyPlugin.vst3: satisfies its Designated Requirement
source=Notarized Developer ID
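A `valid on disk` result shows the bundle is intact and signed, not who signed it. The script below is an added example (not BeatConnect's own tooling) that parses `codesign -dvvv` output and pins the signer: Team ID, Developer ID leaf certificate, Hardened Runtime flag and secure timestamp. The sample output and `com.example.MyPlugin` are constructed, and `XXXXXXXXXX` is the placeholder Team ID shown on this page.

```bash
#!/usr/bin/env bash
# Added example: pin the signer, not just "signature is valid".
# EXPECTED_TEAM is the placeholder Team ID shown on this page.
EXPECTED_TEAM="XXXXXXXXXX"

# Constructed sample of `codesign -dvvv` output (abridged), for offline runs.
sample_details() {
cat <<'EOF'
Executable=/Library/Audio/Plug-Ins/VST3/MyPlugin.vst3/Contents/MacOS/MyPlugin
Identifier=com.example.MyPlugin
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: BeatConnect Inc. (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 15, 2025 at 10:30:00
TeamIdentifier=XXXXXXXXXX
EOF
}

# check_signer <expected_team_id>: reads `codesign -dvvv` output on stdin.
# Returns 0 if all checks pass, else 1 = team mismatch, 2 = leaf is not the
# expected Developer ID, 3 = Hardened Runtime flag absent, 4 = no secure timestamp.
check_signer() {
    expected=$1
    details=$(cat)
    team=$(printf '%s\n' "$details" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    leaf=$(printf '%s\n' "$details" | sed -n 's/^Authority=//p' | head -n 1)
    [ "$team" = "$expected" ] || { echo "team is '$team', expected '$expected'" >&2; return 1; }
    case $leaf in
        "Developer ID Application: "*"($expected)") ;;
        *) echo "unexpected leaf certificate: $leaf" >&2; return 2 ;;
    esac
    printf '%s\n' "$details" | grep -Eq '^CodeDirectory .*flags=[^ ]*runtime' \
        || { echo "Hardened Runtime flag not set" >&2; return 3; }
    printf '%s\n' "$details" | grep -q '^Timestamp=' \
        || { echo "no secure timestamp" >&2; return 4; }
    echo "signer OK: $leaf"
}

# On a Mac, codesign prints these details on stderr, hence 2>&1:
#   codesign -dvvv MyPlugin.vst3 2>&1 | check_signer "$EXPECTED_TEAM"
sample_details | check_signer "$EXPECTED_TEAM"
```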
Windows
# PowerShell signature check
Get-AuthenticodeSignature .\MyPlugin.vst3\Contents\x86_64-win\MyPlugin.vst3
# Or use signtool (Windows SDK)
signtool verify /pa /v MyPlugin.vst3
Edge Cases
Unsigned Dependencies
If your plugin loads unsigned libraries:
Problem:
codesign: invalid signature (code or signature have been modified)
Solution: All loaded code must be signed. Either:
- Sign dependencies yourself (before BeatConnect build)
- Include source code to be compiled together
- Use only signed/notarized third-party libraries
Custom Entitlements
Need additional entitlements? Contact us with your requirements:
- Audio input access
- Network access
- File system access
- Hardware access
Timestamp Validity
Signatures include a timestamp, so they remain valid even after certificate expiration:
Timestamp: 2025-01-15 10:30:00 UTC
Signature valid: Indefinitely (timestamped)
Troubleshooting
“Developer cannot be verified” (macOS)
Cause: The plugin wasn’t notarized, or the user downloaded it via a non-standard method.
Fix for users:
# Remove quarantine attribute
xattr -d com.apple.quarantine MyPlugin.vst3
Fix for developers: Ensure download is from BeatConnect or official channels.
“Windows protected your PC” (Windows)
Cause: SmartScreen doesn’t recognize the file.
Possible causes:
- Download corrupted during transfer
- File modified after signing
- Rare: SmartScreen database delay
Verify signature:
Get-AuthenticodeSignature .\MyPlugin.vst3
If signature is valid, it’s a SmartScreen delay (usually resolves in hours).
“Signature invalid” After Modification
Cause: Any change to the signed bundle invalidates the signature.
What breaks signatures:
- Editing files inside the bundle
- Renaming the bundle
- Changing permissions
- Some antivirus software
Solution: Re-download the original signed artifact.
Notarization Timeout
Cause: Apple’s servers are slow (rare).
Symptoms:
[Notarization] Waiting for Apple response...
[Notarization] Still waiting... (attempt 5/10)
Resolution: Usually completes within 15 minutes. If it takes longer, the build is automatically retried.
Security Best Practices
For Distribution
- Use HTTPS for all download links
- Provide checksums so users can verify downloads
- Don’t modify signed bundles after download
- Use official channels (BeatConnect, your website)
For Users
- Download from official sources
- Verify signatures if concerned
- Don’t use “unsigned” workarounds for legitimate plugins
Checksums
Every build includes SHA256 checksums:
checksums.txt
------------
a1b2c3d4e5f6... MyPlugin.vst3 (macOS)
f6e5d4c3b2a1... MyPlugin.component
1a2b3c4d5e6f... MyPlugin.vst3 (Windows)
Verify downloads:
# macOS/Linux
shasum -a 256 -c checksums.txt
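`shasum -c` only checks the files the manifest lists, so it does not confirm that the file you downloaded is in the list. The script below is an added example (not part of BeatConnect's tooling) that checks one artifact strictly; it assumes manifest lines of the form `<64 hex digits>  <file name>` and a single-file artifact, and the demo file contents are constructed.

```bash
#!/usr/bin/env bash
# Added example: strict check of one downloaded file against checksums.txt.
# Assumed manifest line format: "<64 hex digits>  <file name>".

sha256_of() {  # macOS ships shasum; most Linux systems ship sha256sum
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact <manifest> <file>
# 0 = listed once and digest matches, 1 = digest mismatch, 2 = not a regular
# file, 3 = malformed manifest line, 4 = file not listed exactly once.
verify_artifact() {
    manifest=$1; file=$2
    name=$(basename "$file"); matches=0; expected=
    [ -f "$file" ] || { echo "FAIL: $file is not a regular file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        digest=${line%% *}                      # text before the first space
        listed=${line#* }; listed=${listed# }; listed=${listed#\*}
        case $digest in
            *[!0-9a-fA-F]*) echo "FAIL: malformed line: $line" >&2; return 3 ;;
        esac
        [ "${#digest}" -eq 64 ] || { echo "FAIL: malformed line: $line" >&2; return 3; }
        if [ "$listed" = "$name" ]; then
            matches=$((matches + 1)); expected=$digest
        fi
    done < "$manifest"
    [ "$matches" -eq 1 ] || { echo "FAIL: $name listed $matches times" >&2; return 4; }
    actual=$(sha256_of "$file")
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] || { echo "FAIL: digest mismatch for $name" >&2; return 1; }
    echo "OK: $name"
}

# Constructed demo: a temporary file and a manifest generated for it.
demo() {
    d=$(mktemp -d); rc=0
    printf 'constructed sample bytes\n' > "$d/MyPlugin.vst3"
    printf '%s  MyPlugin.vst3\n' "$(sha256_of "$d/MyPlugin.vst3")" > "$d/checksums.txt"
    verify_artifact "$d/checksums.txt" "$d/MyPlugin.vst3" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo
```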
# Windows PowerShell
Get-FileHash MyPlugin.vst3 -Algorithm SHA256
Custom Certificates (Enterprise)
Need to use your own certificates? Enterprise plans support:
- Your Apple Developer ID
- Your Windows EV certificate
- Custom entitlements
- Private labeling
Contact sales for enterprise options.