How we incorporate PACE’s cloud signing tools into our build pipeline for Free Suite

Unlike our previous free plugin offerings, Free Suite is additionally available as AAX plugins, and this is made possible by the AAX Cloud Signing Tools and support provided to us by PACE.

Creating AAX plugins is a slightly more involved process compared to VST and AU formats. One of the obstacles is that AAX plugins need to be digitally code signed in a specific way with Avid developer credentials and metadata in order to be accepted and loadable in Pro Tools. Doing so has until recently required the use of a physical USB iLok plugged into the build machine to authorise the code signing process, which is problematic for continuous integration build pipelines, particularly if the pipeline build instance is on a remote machine or using a ‘cloud’ build service such as CircleCI, which we currently use for Free Suite.

Continuous Integration in the cloud for plugin development

We decided recently to switch from a manual and local build process to a continuous integration and continuous deployment (‘CI/CD’) system, which allows for automated rapid builds and deployments of our plugins in a consistent and transparent way; this is particularly useful during our Free Suite alpha period where there are frequent updates and features being added for testing. In our use case, instead of investing in dedicated Windows and MacOS servers to host our build infrastructure, we decided it made more sense to use a ‘cloud’ CI approach, whereby virtual instances of our MacOS or Windows setups could be rapidly deployed and scaled as needed only when a build of our plugins is running. We chose CircleCI as our cloud based CI tool as it was a cost effective solution that offered GitLab integration, and can instantly create Windows and MacOS build instances in parallel for rapid builds across our targeted systems and formats. The build pipeline can be configured by a simple YAML script that allows you to split the process into various stages or ‘jobs’ which helps for faster fault detection and isolation, and we configured the pipeline to trigger whenever a commit is made to the Free Suite master branch.

PACE’s solution for AAX deployment for Cloud CI/CD Pipelines

As we wanted to include AAX plugins as part of our mission for Free Suite to be widely supported on all platforms, we reached out to PACE to see if they were willing to assist us in this task and help us incorporate AAX signing into our cloud CI pipeline. PACE graciously offered to help support us and provided us with access to the tools we needed to make this possible. Fortunately PACE offers an alternative solution for AAX signing using their ‘AAX Cloud Signing Tools’ service. While producers may have used iLok cloud via the iLok license manager application GUI, developers may not be aware that PACE also offers a method to open a cloud session fully headless via the command line.

The way we incorporate the cloud tools into our pipeline is relatively straightforward. The first thing we need to do is prepare the build machine instance by installing iLok License Manager on it, this can be done headless on the command line as follows.

Mac:

curl -0 https://installers.ilok.com/iloklicensemanager/LicenseSupportInstallerMac.zip --output $zipName
unzip $zipName
hdiutil attach LicenseSupportInstallerMac*.dmg
mountedVol=$(ls /Volumes | grep License)
pkg="/Volumes/$mountedVol/License Support.pkg"
sudo installer -pkg "$pkg" -target LocalSystem

Windows:

Windows is slightly more complex; installing iLok License Manager first requires a one time generation of an installer ‘response file’, which can subsequently be used in future build jobs for headless installation by passing the response file as a parameter to the installer with the -s option; this requires one time remote desktop access to the machine in order to launch the installer gui and generate the file. CircleCI provides a guide on how to generate this response file and use it for headless installation, which can be found here.

Once the install is complete, build your plugin(s) as usual, including the AAX plugins. With the built plugins ready, next comes the actual code signing step. The signing requires a separate utility, ‘wraptool’, which is part of the Eden package that AAX developers will have access to. Unlike the iLok License Manager, the wraptool binary appears to be fully portable with no additional dependencies. Our pipeline pulls a package which includes the wraptool binary, response file mentioned above for windows and the a cert used for code signing from our own host. With everything now prepared, the actual AAX signing stage works as follows.

Mac:

iloktool cloud --open --account $ilokuksername --password $ilokpassword -v # Open an iLok cloud session
./wraptool sign --verbose --account $ilokuksername -p $ilokpassword --wcguid $wcguid --signid $signid --dsigharden --dsig1-compat off --in "path/to/plugin.aaxplugin" --allowsigningservice # Sign the plugin
iloktool cloud --close -v # Close the iLok cloud session

Windows (powershell):

.\iloktool.exe cloud --open --account $env:ilokuksername --password $env:ilokpassword -v # Open an iLok cloud session
.\wraptool.exe sign --verbose --account $env:ilokuksername -p $env:ilokpassword --keyfile $keyfile --keypassword $env:cert_pass --wcguid $env:wcguid --in "path\to\plugin.aaxplugin" --allowsigningservice # Sign the plugin
.\iloktool.exe cloud --close # Close the iLok cloud session

As you can see, it’s very simple to start and stop a cloud session using iloktool. Additionally, you only need to append --allowsigningservice to your wraptool command to enable it to work with an ilok cloud session.

With these simple steps, AAX plugins are now always automatically signed in our pipeline builds, which saves us a lot of headaches. We are grateful to PACE for their support ensuring each Free Suite plugin can be provided in AAX format.

Please note: as of Eden version 5.6.3 and iLokTools version 5.7.1, these are the command line options we found necessary. However, these may change in future updates – we recommend you consult the documentation for the most up to date workflows and commands for your pipeline.

To try out the Free Suite Alpha, visit our discord at: https://discord.gg/CfYArSdFjK