Solved How to sign Qt application for MacOS
-
We have an application that is build with CMake and we have automated build system that builds the packages for us, for different OS, including MacOS.
Recently, our users on MacOS started seeing "cannot open because the developer cannot be verified". Our understanding is that the application needs to be signed and for that we need an Apple Developer Account, is that correct? We don't intend to distribute the application via AppStore, just via HomeBrew and dmg download.
Does anyone know how to sign a MacOS application on TravisCI?
Is there any support for OpenSource non profit applications from Apple?
-
On new macs, notarization is required. You can do it using
macdeployqt
(but with new Qt like 5.15): https://doc.qt.io/qt-5/macos-deployment.html#the-mac-deployment-toolThat means you need the developer account, yes.
Users can still enable "untrusted" apps in system settings, and open your unsigned app this way.
Does anyone know how to sign a MacOS application on TravisCI?
You can use
macdeployqt
from the command line, so also within Travis. -
On new macs, notarization is required. You can do it using
macdeployqt
(but with new Qt like 5.15): https://doc.qt.io/qt-5/macos-deployment.html#the-mac-deployment-toolThat means you need the developer account, yes.
Users can still enable "untrusted" apps in system settings, and open your unsigned app this way.
Does anyone know how to sign a MacOS application on TravisCI?
You can use
macdeployqt
from the command line, so also within Travis. -
Thanks for the feedback. Fortunately we already use macdeployqt for packaging on TravisCI. I'll give it a try.
-
@sierdzio One question though. If I understand correctly I can sign the package with -codesign, but what is the parameter for it? Whats the identity that the documentation refers to?
-
@dporobic said in How to sign Qt application for MacOS:
@sierdzio One question though. If I understand correctly I can sign the package with -codesign, but what is the parameter for it?
Your developer identity, taken from Apple Developer page. It's usually something like
"Developer ID Application: Name Surname (ABC123AABB)"
(it's a string). -
@sierdzio Created the developer account and tried to use my Identity (the string that I see on the Apple Developer Account page) like this:
macdeployqt packageDir/ksnip.app -codesign=${APPLE_IDENTITY}
but I get following error:
ERROR: Codesign signing error: ERROR: "error: The specified item could not be found in the keychain.\n"
-
Ah right, the key needs to be registered on the device which is doing the build. That can be a challenge on TravisCI... I don't know how to do it, sorry. Please search around.
-
Just in case someone runs into this issue, here is explained how you can import a certificate on a headless CI: https://www.update.rocks/blog/osx-signing-with-travis/