How to 'notarize' Qt application on MacOS?
-
wrote on 15 Nov 2018, 20:22 last edited by
I am trying to get my Mac application 'notarized' on Mac. I followed the steps recommended on various sites:
https://cycling74.com/forums/apple-notarizing-for-mojave-10-14-and-beyond
https://www.mbsplugins.de/archive/2018-11-02/Notarize_apps_for_MacOS
https://forum.xojo.com/50655-how-to-codesign-and-notarise-your-app-for-macos-10-14-and-highe
https://forum.xojo.com/49408-10-14-hardened-runtime-and-app-notarization/11
https://stackoverflow.com/questions/53112078/how-to-upload-dmg-file-for-notarization-in-xcode
But got the message:
"The executable does not have the hardened runtime enabled"
I can only find instructions on how to enable hardened runtime using XCode. Any ideas on how to use it when building with QtCreator? Googling has not turned up much.
-
Hi,
AFAIK, it's not yet supported and would likely rather be part of macdeployqt, I'd recommend checking the bug report system to see if there's anything related. If not, you should consider opening a feature request providing your findings.
-
wrote on 15 Nov 2018, 20:44 last edited by AndyBrice
According to:
https://github.com/sparkle-project/Sparkle/issues/1266
It might just be a case of adding:
-o runtime
To my codesign arguments. In which case it might be a bit out of scope for macdeployqt.
-
wrote on 15 Nov 2018, 21:08 last edited by
Also notarization is (weirdly) an asynchronous multi-step process.
If I get it working I will write it up and post a link here.
-
It's still something for macdeployqt as you can do the code signing through it.
-
wrote on 15 Nov 2018, 21:52 last edited by
I didn't know that macdeployqt supported codesign. You learn something new every day!
There is a request to support hardened runtimes in Qt:
https://bugreports.qt.io/projects/QTBUG/issues/QTBUG-71291?filter=allissues
-
You should add the links you provided here to the report, they have some useful information.
-
wrote on 16 Nov 2018, 12:31 last edited by
I did get it working. Adding "-o runtime" to codesign was the key. I will write it up into a blog post and link here and in the bug report.
-
wrote on 16 Nov 2018, 15:51 last edited by
I wrote up the whole process here:
https://successfulsoftware.net/2018/11/16/how-to-notarize-your-software-on-macos/
--
Andy Brice
https://www.hyperplan.com
https://www.perfecttableplan.com
https://www.successfulsoftware.net
-
wrote on 14 Jan 2020, 10:22 last edited by
@AndyBrice thanks for the post, it helps a lot. Is there any way to automatize the process? I'm including notarizing process in my CI/CD and it is being a pain ...
-
wrote on 21 Jan 2020, 23:07 last edited by
Does anyone have any thoughts on how the notarization would work if your app bundle contains a helper app (.exe) that the app bundle .exe launches?
Example: The app bundle is named MyApp. In the /MacOS folder inside the app bundle is MyApp.exe. The helper app that gets launched as a Qt process is in the same folder and is named MyHelper.exe.
Does the helper app get notarized first or does it need to be notarized at all?
-
wrote on 12 Aug 2020, 13:43 last edited by
@AndyBrice I followed your article and I thank you for that!
I'm developing an application that accesses the microphone but unfortunately since I added the -o runtime option to the codesigning process I don't have recording capabilities anymore (the pop up asking for microphone access doesn't show up). Any idea how this option could affect the access to the device capabilities?
-
wrote on 12 Aug 2020, 16:11 last edited by Martin Delille - Lylo 8 Dec 2020, 16:13
@Martin-Delille-Lylo Ok I found the solution to my problem: I needed to add the proper entitlement when codesigning: https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html
```
codesign --deep --force --verify --verbose \
  --sign "Developer ID Application: Phonations" \
  --options runtime \
  --entitlements myentitlements.plist \
  myApp.app
```
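The entitlement step above, and the earlier question about a helper executable inside the bundle, as an added example that is not part of the original posts. It goes beyond the command shown: instead of `--deep` it signs nested code first and the bundle last, so the microphone entitlement is granted only to the main executable. The signing identity, the `MyApp`/`MyHelper` names and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Identity, bundle and helper names are placeholders.

# Entitlements file that lets a hardened-runtime app use the microphone.
write_entitlements() {   # $1 = output path
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>
EOF
}

# Print the nested code that has to be signed before the bundle itself,
# deepest paths first: dylibs, frameworks and plugins, then any helper
# executables that sit next to the main executable in Contents/MacOS.
nested_code() {   # $1 = bundle path, $2 = main executable name
  local app="$1" main="$2"
  {
    find "$app/Contents/Frameworks" "$app/Contents/PlugIns" \
         \( -name '*.dylib' -o -name '*.framework' \) 2>/dev/null
    find "$app/Contents/MacOS" -type f ! -name "$main" 2>/dev/null
  } | awk '{ print gsub("/", "/") "\t" $0 }' | sort -rn | cut -f2-
}

# Sign inside-out with the hardened runtime and a secure timestamp.
# Nested code gets no entitlements; only the bundle's main executable does.
sign_bundle() {   # $1 = bundle, $2 = main executable, $3 = identity, $4 = entitlements
  local app="$1" main="$2" identity="$3" ent="$4" item
  nested_code "$app" "$main" | while IFS= read -r item; do
    codesign --force --timestamp --options runtime --sign "$identity" "$item" || exit 1
  done || return 1
  codesign --force --timestamp --options runtime \
           --entitlements "$ent" --sign "$identity" "$app" || return 1
  codesign --verify --deep --strict --verbose=2 "$app"
}

# Usage on macOS (placeholder names):
#   write_entitlements myentitlements.plist
#   sign_bundle MyApp.app MyApp "Developer ID Application: <your name>" myentitlements.plist
```

The signed bundle, or the dmg that contains it, is then submitted for notarization once; the helper is checked as part of that submission.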
-
wrote on 12 Aug 2020, 16:15 last edited by
@Juan-Garcia The full process is totally automatic on my side. What do you lack in @AndyBrice article? Maybe this script https://github.com/create-dmg/create-dmg ?
-
wrote on 17 Dec 2020, 17:29 last edited by
@Martin-Delille-Lylo Would be nice if you could provide an example of your automated process. I'm trying to make this work on TravisCI.
-
wrote on 21 Dec 2020, 19:59 last edited by
@Martin-Delille-Lylo how did you manage to staple the result to the dmg file? When my script gets to the staple part the notarization is not finished on the Apple side. Is there a way to query the status?
-
wrote on 21 Dec 2020, 22:07 last edited by
Ok, got it fully automated running on Travis CI with the script below, might need some cleaning up but it seems to be working.
```
macdeployqt ksnip.app -dmg -sign-for-notarization="${APPLE_DEV_IDENTITY}"
mv ksnip.dmg "ksnip-${VERSION}.dmg"

echo "--> Start Notarization process"
# Upload the dmg; the request UUID is the last word of altool's response.
# altool also accepts -p "@env:APPLE_DEV_PASS", which keeps the password
# out of the process arguments.
response=$(xcrun altool -t osx -f "ksnip-${VERSION}.dmg" --primary-bundle-id org.ksnip.ksnip --notarize-app -u "${APPLE_DEV_USER}" -p "${APPLE_DEV_PASS}")
requestUUID=$(echo "${response}" | tr ' ' '\n' | tail -1)

# Notarization is asynchronous: poll until Apple reports success or failure.
while true; do
  echo "--> Checking notarization status"
  statusCheckResponse=$(xcrun altool --notarization-info "${requestUUID}" -u "${APPLE_DEV_USER}" -p "${APPLE_DEV_PASS}")

  isSuccess=$(echo "${statusCheckResponse}" | grep "success")
  isFailure=$(echo "${statusCheckResponse}" | grep "invalid")

  if [[ "${isSuccess}" != "" ]]; then
    echo "Notarization done!"
    # Attach the notarization ticket to the dmg.
    xcrun stapler staple -v "ksnip-${VERSION}.dmg"
    echo "Stapler done!"
    break
  fi
  if [[ "${isFailure}" != "" ]]; then
    echo "Notarization failed"
    return 1
  fi
  echo "Notarization not finished yet, sleep 2m then check again..."
  sleep 120
done
```
Useful links:
https://successfulsoftware.net/2018/11/16/how-to-notarize-your-software-on-macos/
https://www.logcg.com/en/archives/3222.html
https://www.update.rocks/blog/osx-signing-with-travis/