How to 'notarize' Qt application on MacOS?
-
Hi,
AFAIK, it's not yet supported and would likely rather be part of
macdeployqt, I'd recommend checking the bug report system to see if there's anything related. If not, you should consider opening a feature request providing your findings. -
According to:
https://github.com/sparkle-project/Sparkle/issues/1266
It might just be a case of adding:
-o runtime
To my codesign arguments. In which case it might be a bit out of scope for macdeployqt.
-
It's still something for
macdeployqtas you can do the code signing through it.Interested in AI ? www.idiap.ch
Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct -
I didn't know that macdeployqt supported codesign. You learn something new every day!
There is a request to support hardened runtimes in Qt:
https://bugreports.qt.io/projects/QTBUG/issues/QTBUG-71291?filter=allissues -
You should add the links you provided here to the report, they have some useful information.
-
I wrote it up the whole process here:
https://successfulsoftware.net/2018/11/16/how-to-notarize-your-software-on-macos/
--
Andy Brice
https://www.hyperplan.com
https://www.perfecttableplan.com
https://www.successfulsoftware.net -
@AndyBrice thanks for the post, it helps a lot. Is there any way to automatize the process? I'm including notarizing process in my CI/CD and it is being a pain ...
-
Does anyone have any thoughts on how the notariztion would work if your app bundle contains a helper app (.exe) that the app bundle .exe launches?
Example: The app bundle is named MyApp. In the /MacOS folder inside the app bundle is MyApp.exe. The helper app that gets launched as a Qt process is in the same folder and is named MyHelper.exe.
Does the helper app get notarized first or does it need to notarized at all?
-
I wrote it up the whole process here:
https://successfulsoftware.net/2018/11/16/how-to-notarize-your-software-on-macos/
--
Andy Brice
https://www.hyperplan.com
https://www.perfecttableplan.com
https://www.successfulsoftware.net@AndyBrice I followed your article and I thank you for that!
I'm developping an application that access the microphone but unfortunately since I added the -o runtime option to the codesigning process I don't have recording capabilities anymore (the pop up asking for microphone acces doesn't show up). Any idea how this option could affect the access to the device capabilities?
-
Does anyone have any thoughts on how the notariztion would work if your app bundle contains a helper app (.exe) that the app bundle .exe launches?
Example: The app bundle is named MyApp. In the /MacOS folder inside the app bundle is MyApp.exe. The helper app that gets launched as a Qt process is in the same folder and is named MyHelper.exe.
Does the helper app get notarized first or does it need to notarized at all?
This post is deleted! -
@AndyBrice I followed your article and I thank you for that!
I'm developping an application that access the microphone but unfortunately since I added the -o runtime option to the codesigning process I don't have recording capabilities anymore (the pop up asking for microphone acces doesn't show up). Any idea how this option could affect the access to the device capabilities?
@Martin-Delille-Lylo Ok I found the solution to my problem: I needed to add the proper entitlement when codesigning: https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html
codesign --deep --force –verify --verbose \ --sign “Developer ID Application: Phonations” \ --options runtime \ --entitlements myentitlements.plist \ myApp.app -
@AndyBrice thanks for the post, it helps a lot. Is there any way to automatize the process? I'm including notarizing process in my CI/CD and it is being a pain ...
@Juan-Garcia The full process is totally automatic on my side. What do you lack in @AndyBrice article? Maybe this script https://github.com/create-dmg/create-dmg ?
-
@Juan-Garcia The full process is totally automatic on my side. What do you lack in @AndyBrice article? Maybe this script https://github.com/create-dmg/create-dmg ?
@Martin-Delille-Lylo Would be nice if you could provide an example of your automated process. I'm trying to make this work on TravisCI.
-
@Martin-Delille-Lylo Would be nice if you could provide an example of your automated process. I'm trying to make this work on TravisCI.
@Martin-Delille-Lylo how did you manage to staple the result to the dmg file? When my script gets to the staple part the notarization is not finished on the Apple side. Is there way to query the status?
-
@Martin-Delille-Lylo how did you manage to staple the result to the dmg file? When my script gets to the staple part the notarization is not finished on the Apple side. Is there way to query the status?
Ok, got it fully automated running on Travis CI with the script below, might need some cleaning up but it seems to be working.
``` macdeployqt ksnip.app -dmg -sign-for-notarization="${APPLE_DEV_IDENTITY}" mv ksnip.dmg ksnip-${VERSION}.dmg echo "--> Start Notarization process" response=$(xcrun altool -t osx -f ksnip-${VERSION}.dmg --primary-bundle-id org.ksnip.ksnip --notarize-app -u ${APPLE_DEV_USER} -p ${APPLE_DEV_PASS}) requestUUID=$(echo "${response}" | tr ' ' '\n' | tail -1) while true; do echo "--> Checking notarization status" statusCheckResponse=$(xcrun altool --notarization-info ${requestUUID} -u ${APPLE_DEV_USER} -p ${APPLE_DEV_PASS}) isSuccess=$(echo "${statusCheckResponse}" | grep "success") isFailure=$(echo "${statusCheckResponse}" | grep "invalid") if [[ "${isSuccess}" != "" ]]; then echo "Notarization done!" xcrun stapler staple -v ksnip-${VERSION}.dmg echo "Stapler done!" break fi if [[ "${isFailure}" != "" ]]; then echo "Notarization failed" return 1 fi echo "Notarization not finished yet, sleep 2m then check again..." sleep 120 done ```Useful links:
https://successfulsoftware.net/2018/11/16/how-to-notarize-your-software-on-macos/
https://www.logcg.com/en/archives/3222.html
https://www.update.rocks/blog/osx-signing-with-travis/
