I have a cross-platform application written in Qt (5.9.6), running on Win, Mac and Ubuntu.

On mac, an application is built using Qt tools only (without Xcode).

The application has a 3rd-party library, ffmpeg. We do not compile it; we use a prebuilt binary from https://ffmpeg.org/download.html#build-mac.

At the initial stage, the application is supposed to be distributed through a Developer-ID-signed dmg image (otherwise Gatekeeper gives an untrusted-developer message).

The dmg image is built via hdiutil (not via the macdeployqt util).

I tried to sign the .app file and dmg-image with certificates from the Apple Developer Program, in particular:

  • macOS -> Production -> Developer ID ("Sign versions of your Mac application, Mac kernel extension and Mac Installer Package for distribution outside of the Mac App Store") -> Developer ID Installer: "This certificate is used to sign your app's Installer Package for distribution outside of the Mac App Store."
  • macOS -> Production -> Developer ID ("Sign versions of your Mac application, Mac kernel extension and Mac Installer Package for distribution outside of the Mac App Store") -> Developer ID Application: "This certificate is used to code sign your app for distribution outside of the Mac App Store."

(As I understand it, these are the certificates for our case: distribution outside the App Store.)

All certificates are correctly installed in the system and visible in the "Keychain".

The application is signed manually through codesign.

If I try to sign the Application.app file directly, codesign responds "code object is not signed at all". The application is not considered signed.

Then, after a few hours of googling, I found out that I need to sign all .framework, .dylib files and plugins inside the dmg.

Then I began signing all the files until codesign on the app stopped giving an error. Like this:

...
$ codesign -s 9509FE0B2EBCC89D9047541AC762418395FCB40E Application.app
Application.app/: code object is not signed at all
# error, go next

$ codesign -s 9509FE0B2EBCC89D9047541AC762418395FCB40E Application.app/Contents/Frameworks/libavcodec.58.dylib
# ffmpeg should also be signed - otherwise macOS gives a not-at-all error
...

$ codesign -s 9509FE0B2EBCC89D9047541AC762418395FCB40E Application.app/Contents/Frameworks/QtCore.framework
# Qt is also signed
...

$ codesign -s 9509FE0B2EBCC89D9047541AC762418395FCB40E Application.app
# Ok, dmg is successfully signed.

codesign stops swearing at a not fully signed package.

Then I run Application.app on our machine - everything is OK. Then I run it on another Mac - the result when opening the Application.app file:

"The Application.app program is corrupted and cannot be opened. Move the program to the basket."

It refuses to launch even through the "hack" for untrusted applications (via Command-button).

But an incompletely signed application runs fine on another Mac (though it swears at an untrusted developer).

So, my question is:

How to sign Qt-application .app and dmg with 3rd-party libraries (ffmpeg)?

Thanks!

Alienpenguin

1 Answer

The application cannot run because it violated some restriction of codesign. You need to sign with the entitlements option to disable those restrictions.

Here's a sample entitlements.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
</dict>
</plist>

laocius
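An added example, not part of the question or the answer: a shell script that applies the order the question reaches by trial and error (nested .dylib and .framework items first, the .app last) and passes the answer's entitlements file when signing the outer bundle. The function names, the arguments and the assumption that all nested code sits under `Contents` as `.dylib`, `.so` or `.framework` items are illustrative; `--options runtime` is included on the assumption that the hardened runtime is wanted, since the `com.apple.security.cs.*` keys only take effect under it.

```shell
#!/bin/sh
# Added example: sign a Qt .app bundle inside-out, then verify the result.
# Usage (all three values are the caller's own):
#   sh sign.sh Application.app "<signing identity>" entitlements.xml

# Print every nested code item, deepest path first, and the bundle itself last.
# The outer signature seals the nested code, so anything signed after the
# bundle would invalidate the bundle's signature.
signing_order() {
    app=${1%/}
    find "$app/Contents" \
        \( -name '*.dylib' -o -name '*.so' -o -name '*.framework' \) -print |
        awk -F/ '{ print NF "\t" $0 }' |   # prefix each path with its depth
        sort -rn |                          # deepest first
        cut -f2-                            # drop the depth column again
    printf '%s\n' "$app"
}

# Sign each item in that order; only the outer bundle gets the entitlements.
sign_bundle() {
    bundle=${1%/}
    identity=$2
    entitlements=$3
    signing_order "$bundle" | while IFS= read -r item; do
        if [ "$item" = "$bundle" ]; then
            codesign --force --timestamp --options runtime \
                --entitlements "$entitlements" \
                --sign "$identity" "$item" || exit 1
        else
            codesign --force --timestamp --options runtime \
                --sign "$identity" "$item" || exit 1
        fi
    done || return 1
    # --deep is used for verification only: it walks the nested code and
    # reports the first item whose signature is missing or broken.
    codesign --verify --deep --strict --verbose=2 "$bundle"
}

# Run only when called with the three arguments shown above.
if [ "$#" -eq 3 ]; then
    sign_bundle "$1" "$2" "$3"
fi
```

Running `spctl --assess --type execute --verbose Application.app` on the second Mac shows Gatekeeper's verdict for the signed bundle. Each entitlement in the sample file relaxes one runtime protection, so a production file would normally list only the keys the application needs.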