How to 'notarize' Qt application on MacOS?

AndyBrice · wrote on 15 Nov 2018, 20:22

I am trying to get my Mac application 'notarized' on Mac. I followed the steps recommended on various sites:

https://cycling74.com/forums/apple-notarizing-for-mojave-10-14-and-beyond
https://www.mbsplugins.de/archive/2018-11-02/Notarize_apps_for_MacOS
https://forum.xojo.com/50655-how-to-codesign-and-notarise-your-app-for-macos-10-14-and-highe
https://forum.xojo.com/49408-10-14-hardened-runtime-and-app-notarization/11
https://stackoverflow.com/questions/53112078/how-to-upload-dmg-file-for-notarization-in-xcode

But got the message:

"The executable does not have the hardened runtime enabled"

I can only find instructions on how to enable hardened runtime using XCode. Any ideas on how to use it when building with QtCreator? Googling has not turned up much.

SGaist · wrote on 15 Nov 2018, 20:41

Hi,

AFAIK, it's not yet supported and would likely rather be part of macdeployqt, I'd recommend checking the bug report system to see if there's anything related. If not, you should consider opening a feature request providing your findings.

AndyBrice · wrote on 15 Nov 2018, 20:44

According to:

https://github.com/sparkle-project/Sparkle/issues/1266

It might just be a case of adding:

-o runtime

To my codesign arguments. In which case it might be a bit out of scope for macdeployqt.

AndyBrice · wrote on 15 Nov 2018, 21:08

Also notarization is (weirdly) an asynchronous multi-step process.

if I get it working I will write it up and post a link here.

SGaist · 15 Nov 2018, 21:52

It's still something for macdeployqt as you can do the code signing through it.

AndyBrice · S SGaist 15 Nov 2018, 21:35

I didn't know that macdeployqt supported codesign. You learn something new every day!

There is a request to support hardened runtimes in Qt:
https://bugreports.qt.io/projects/QTBUG/issues/QTBUG-71291?filter=allissues

SGaist · wrote on 15 Nov 2018, 21:54

You should add the links you provided here to the report, they have some useful information.

AndyBrice · wrote on 16 Nov 2018, 12:31

I did get it working. Adding "-o runtime" to codesign was the key. I will write it up into a blog post and link here and in the bug report.

AndyBrice · 12 Aug 2020, 13:43

I wrote it up the whole process here:

https://successfulsoftware.net/2018/11/16/how-to-notarize-your-software-on-macos/

--
Andy Brice
https://www.hyperplan.com
https://www.perfecttableplan.com
https://www.successfulsoftware.net

Juan Garcia · 12 Aug 2020, 16:15

@AndyBrice thanks for the post, it helps a lot. Is there any way to automatize the process? I'm including notarizing process in my CI/CD and it is being a pain ...

PSI_lbc · 12 Aug 2020, 13:47

Does anyone have any thoughts on how the notariztion would work if your app bundle contains a helper app (.exe) that the app bundle .exe launches?

Example: The app bundle is named MyApp. In the /MacOS folder inside the app bundle is MyApp.exe. The helper app that gets launched as a Qt process is in the same folder and is named MyHelper.exe.

Does the helper app get notarized first or does it need to notarized at all?

Martin Delille - Lylo · 12 Aug 2020, 16:11

@AndyBrice I followed your article and I thank you for that!

I'm developping an application that access the microphone but unfortunately since I added the -o runtime option to the codesigning process I don't have recording capabilities anymore (the pop up asking for microphone acces doesn't show up). Any idea how this option could affect the access to the device capabilities?

Martin Delille - Lylo · 8 Dec 2020, 16:15

This post is deleted!

Martin Delille - Lylo · 8 Dec 2020, 16:13

@Martin-Delille-Lylo Ok I found the solution to my problem: I needed to add the proper entitlement when codesigning: https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html

codesign --deep --force –verify --verbose \
         --sign “Developer ID Application: Phonations” \
         --options runtime \
         --entitlements myentitlements.plist \
         myApp.app

Martin Delille - Lylo · 17 Dec 2020, 17:29

@Juan-Garcia The full process is totally automatic on my side. What do you lack in @AndyBrice article? Maybe this script https://github.com/create-dmg/create-dmg ?

dporobic · 21 Dec 2020, 19:59

@Martin-Delille-Lylo Would be nice if you could provide an example of your automated process. I'm trying to make this work on TravisCI.

dporobic · 21 Dec 2020, 22:07

@Martin-Delille-Lylo how did you manage to staple the result to the dmg file? When my script gets to the staple part the notarization is not finished on the Apple side. Is there way to query the status?

dporobic · wrote on 21 Dec 2020, 22:07

Ok, got it fully automated running on Travis CI with the script below, might need some cleaning up but it seems to be working.

```
macdeployqt ksnip.app -dmg -sign-for-notarization="${APPLE_DEV_IDENTITY}"
mv ksnip.dmg ksnip-${VERSION}.dmg

echo "--> Start Notarization process"
response=$(xcrun altool -t osx -f ksnip-${VERSION}.dmg --primary-bundle-id org.ksnip.ksnip --notarize-app -u ${APPLE_DEV_USER} -p ${APPLE_DEV_PASS})
requestUUID=$(echo "${response}" | tr ' ' '\n' | tail -1)

while true; do
  echo "--> Checking notarization status"

  statusCheckResponse=$(xcrun altool --notarization-info ${requestUUID} -u ${APPLE_DEV_USER} -p ${APPLE_DEV_PASS})

  isSuccess=$(echo "${statusCheckResponse}" | grep "success")
  isFailure=$(echo "${statusCheckResponse}" | grep "invalid")

  if [[ "${isSuccess}" != "" ]]; then
      echo "Notarization done!"
      xcrun stapler staple -v ksnip-${VERSION}.dmg
      echo "Stapler done!"
      break
  fi
  if [[ "${isFailure}" != "" ]]; then
      echo "Notarization failed"
      return 1
  fi
  echo "Notarization not finished yet, sleep 2m then check again..."
  sleep 120
done
```

Useful links:
https://successfulsoftware.net/2018/11/16/how-to-notarize-your-software-on-macos/
https://www.logcg.com/en/archives/3222.html
https://www.update.rocks/blog/osx-signing-with-travis/