Codesign with Qt 5.14.2 under MacOS 10.15

    jbolduc01 wrote (#1):

    Hello,
    I am having a hard time signing my Qt application. I have an Apple developer account and I created a Developer ID Application. Running under Qt Creator, when I first build the app, everything works fine under Release mode. However, I need to run macdeployqt in order to execute without the Qt Creator environment.

    ../../Qt/5.14.2/clang_64/bin/macdeployqt "INOGENIControlApp.app/"
    

    As soon as I do codesign, like the command below.

    codesign -s "Developer ID Application: Laboratoires Dextera Inc., Les (7U299JN48Q)" --force --options=runtime "INOGENIControlApp.app" --entitlements ../InogeniControlApp/deploy/mac/entitlements.plist --deep
    

    I need --options=runtime in order to notarize the app. The app will then not open and I get no significant debug log. Sometimes the crash report will report CODESIGNING error 0x1.

    Here is my entitlements.plist

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
        <key>com.apple.security.files.user-selected.read-write</key>
        <true/>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
        <true/>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
        <key>com.apple.security.cs.disable-executable-page-protection</key>
        <true/>
        <key>com.apple.security.device.camera</key>
        <true/>
        <key>com.apple.security.device.microphone</key>
        <true/>
        <key>com.apple.security.device.audio-input</key>
        <true/>
        <key>com.apple.security.device.usb</key>
        <true/>
        <key>com.apple.security.get-task-allow</key>
        <false/>
        <key>com.apple.developer.team-identifier</key>
        <string>XXXXX</string>
        <key>com.apple.application-identifier</key>
        <string>XXXXX.com.dexteralabs.InogeniControlApp</string>
        <key>keychain-access-groups</key>
            <array>
                <string>XXXXX.com.dexteralabs.InogeniControlApp</string>
            </array>
    </dict>
    </plist>
    

    Do you have any idea how to codesign my app?
    Thanks,
    Jerome

      jbolduc01 wrote (#2):

      Can anyone help here?

        sierdzio (Moderators) wrote (#3):

        I had to patch macdeployqt to do codesigning with notarization enabled. But that was for a DMG package, so it probably does not apply to your case.

        But still, you should run macdeployqt with codesign!

        ../../Qt/5.14.2/clang_64/bin/macdeployqt "INOGENIControlApp.app/" -codesign="Developer ID Application: Laboratoires Dextera Inc., Les (7U299JN48Q)"
        

        This will sign not only the APP but also all the frameworks and files inside.

        (Z(:^

          jbolduc01 wrote (#4):

          I am not even able to codesign the player example of Qt. Does not seem to be related to our app code...

            jbolduc01 wrote (#5):

            If I use the macdeployqt with -codesign option on the "player" example, if I try to notarize the app, I get the following error:

            {
              "logFormatVersion": 1,
              "jobId": "2e7f41df-e171-4973-a7c0-eb700e48724e",
              "status": "Invalid",
              "statusSummary": "Archive contains critical validation errors",
              "statusCode": 4000,
              "archiveFilename": "player.zip",
              "uploadDate": "2020-05-11T19:03:27Z",
              "sha256": "530034e4ae6f1edc512410087ddccd8e6c03b3d700ac36f94bcb590404da854d",
              "ticketContents": null,
              "issues": [
                {
                  "severity": "error",
                  "code": null,
                  "path": "player.zip/player.app/Contents/MacOS/player",
                  "message": "The executable does not have the hardened runtime enabled.",
                  "docUrl": null,
                  "architecture": "x86_64"
                }
              ]
            }
            

            I really need the --option runtime of codesign in order to notarize successfully. How can I enable this through macdeployqt?

              sierdzio (Moderators) wrote (#6):

              OK, then you need to patch macdeployqt, too. I haven't pushed the patch to Qt yet (no time, sorry :( ), but it's really a very simple thing:

              In macdeployqt/shared/shared.cpp, function void codesignFile(const QString &identity, const QString &filePath), add the following line to codesign args:

              << "-o" << "runtime"
              

              So full function now looks like this (might be a bit different, depending on which Qt version you're using):

              void codesignFile(const QString &identity, const QString &filePath)
              {
                  if (!runCodesign)
                      return;
              
                  LogNormal() << "codesign" << filePath;
              
                  QProcess codesign;
                  codesign.start("codesign", QStringList() << "--preserve-metadata=identifier,entitlements"
                                                           << "--force"
                                                           << "-o" << "runtime"
                                                           << "--strict"
                                                           << "-s" << identity << filePath);
                  codesign.waitForFinished(-1);
              
                  QByteArray err = codesign.readAllStandardError();
                  if (codesign.exitCode() > 0) {
                      LogError() << "Codesign signing error:";
                      LogError() << err;
                  } else if (!err.isEmpty()) {
                      LogDebug() << err;
                  }
              }
              

              Compile, then use that macdeployqt to deploy your app, with codesign. It should work, it does for me.

              (Z(:^

                jbolduc01 wrote (#7):

                I tried the following patch but it did not solve my problem. Here is the log:

                {
                  "logFormatVersion": 1,
                  "jobId": "914ed841-7775-48cf-b170-22abff37f19f",
                  "status": "Invalid",
                  "statusSummary": "Archive contains critical validation errors",
                  "statusCode": 4000,
                  "archiveFilename": "INOGENI_Control_App.dmg",
                  "uploadDate": "2020-05-12T18:01:41Z",
                  "sha256": "64d7e8243d103501308d0212767cc6bec9e66c5d33d7d1d726bb9a359fe5f18b",
                  "ticketContents": null,
                  "issues": [
                    {
                      "severity": "error",
                      "code": null,
                      "path": "INOGENI_Control_App.dmg/INOGENI Control App.app/Contents/Frameworks/libcyusb.dylib",
                      "message": "The binary is not signed.",
                      "docUrl": null,
                      "architecture": "x86_64"
                    },
                    {
                      "severity": "error",
                      "code": null,
                      "path": "INOGENI_Control_App.dmg/INOGENI Control App.app/Contents/Frameworks/libcyusb.dylib",
                      "message": "The signature does not include a secure timestamp.",
                      "docUrl": null,
                      "architecture": "x86_64"
                    },
                    {
                      "severity": "error",
                      "code": null,
                      "path": "INOGENI_Control_App.dmg/INOGENI Control App.app/Contents/MacOS/INOGENIControlApp",
                      "message": "The binary is not signed.",
                      "docUrl": null,
                      "architecture": "x86_64"
                    },
                    {
                      "severity": "error",
                      "code": null,
                      "path": "INOGENI_Control_App.dmg/INOGENI Control App.app/Contents/MacOS/INOGENIControlApp",
                      "message": "The signature does not include a secure timestamp.",
                      "docUrl": null,
                      "architecture": "x86_64"
                    },
                    {
                      "severity": "error",
                      "code": null,
                      "path": "INOGENI_Control_App.dmg/INOGENI Control App.app/Contents/MacOS/INOGENIControlApp",
                      "message": "The executable does not have the hardened runtime enabled.",
                      "docUrl": null,
                      "architecture": "x86_64"
                    }
                  ]
                }
                

                Tried to add the --timestamp option, which got rid of the timestamp errors, but it seems like I need the --deep option to sign binaries.

                After adding --deep and --timestamp options, able to sign app. However, the application will not ask to access camera and microphones. How to specify entitlements?
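
Added example (not part of the thread, and not Qt's or Apple's code): one way to turn a notarization log in the format posted above into an ordered re-signing plan. It assumes nested code is signed before the enclosing .app rather than relying on --deep, and that entitlements are passed only when signing the .app; the identity string and `app.entitlements` are placeholders.

```python
import json
import shlex
from pathlib import PurePosixPath

# Constructed sample: the five issues from the log above, reduced to the
# fields this code reads.
_CONTENTS = "INOGENI_Control_App.dmg/INOGENI Control App.app/Contents"
SAMPLE_LOG = json.dumps({"status": "Invalid", "issues": [
    {"severity": "error", "path": _CONTENTS + rel, "message": msg}
    for rel, msg in [
        ("/Frameworks/libcyusb.dylib", "The binary is not signed."),
        ("/Frameworks/libcyusb.dylib", "The signature does not include a secure timestamp."),
        ("/MacOS/INOGENIControlApp", "The binary is not signed."),
        ("/MacOS/INOGENIControlApp", "The signature does not include a secure timestamp."),
        ("/MacOS/INOGENIControlApp", "The executable does not have the hardened runtime enabled."),
    ]]})


def signing_target(issue_path):
    """Map a notary issue path to (thing to sign, is_app_bundle)."""
    # The first component is the uploaded archive ("X.dmg", "X.zip"); drop it.
    parts = PurePosixPath(issue_path).parts[1:]
    for i, part in enumerate(parts):
        # A main executable is covered by signing its enclosing .app bundle.
        if part.endswith(".app") and parts[i + 1:i + 3] == ("Contents", "MacOS"):
            return PurePosixPath(*parts[:i + 1]), True
    return PurePosixPath(*parts), False


def resign_plan(log_text, identity, entitlements):
    """Return codesign invocations, nested code first, the .app last."""
    reasons = {}
    # "issues" is null in a log without findings, hence the "or []".
    for issue in json.loads(log_text).get("issues") or []:
        if issue.get("severity") == "error":
            key = signing_target(issue["path"])
            reasons.setdefault(key, []).append(issue["message"])
    # Deeper paths sort first so the bundle seal covers already-signed contents.
    ordered = sorted(reasons, key=lambda t: (-len(t[0].parts), str(t[0])))
    plan = []
    for target, is_app in ordered:
        argv = ["codesign", "--force", "--timestamp", "--options", "runtime",
                "--sign", identity]
        if is_app:
            # Assumption: entitlements go on the app, not on bundled libraries.
            argv += ["--entitlements", entitlements]
        argv.append(str(target))
        plan.append({"target": str(target),
                     "reasons": reasons[(target, is_app)],
                     "argv": argv})
    return plan


if __name__ == "__main__":
    # Placeholder identity and entitlements file name (hypothetical).
    for step in resign_plan(SAMPLE_LOG,
                            "Developer ID Application: Example (TEAMID)",
                            "app.entitlements"):
        print("#", "; ".join(step["reasons"]))
        print(shlex.join(step["argv"]))
```

The printed commands use paths relative to the directory that holds the .app; running `codesign --verify --deep --strict` on the bundle afterwards checks the result before it is uploaded again.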

                  SGaist (Lifetime Qt Champion) wrote (#8):

                  Hi,

                  Did you add the appropriate entries in your Info.plist file?

                    jbolduc01 wrote (#9):

                    Here is my Info.plist.

                    <?xml version="1.0" encoding="UTF-8"?>
                    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
                    <plist version="1.0">
                    <dict>
                            <key>CFBundleDocumentTypes</key>
                            <array>
                                    <dict>
                                            <key>CFBundleTypeExtensions</key>
                                            <array>
                                                    <string>inogeniupdate</string>
                                            </array>
                                            <key>CFBundleTypeIconFile</key>
                                            <string>@ICON@</string>
                                            <key>CFBundleTypeName</key>
                                            <string>INOGENI Control App</string>
                                            <key>CFBundleTypeRole</key>
                                            <string>Editor</string>
                                            <key>LSTypeIsPackage</key>
                                            <true/>
                                            <key>NSPersistentStoreTypeKey</key>
                                            <string>Binary</string>
                                    </dict>
                            </array>
                            <key>CFBundleExecutable</key>
                            <string>@EXECUTABLE@</string>
                            <key>CFBundleGetInfoString</key>
                            <string>INOGENI Control App for updating and preview video</string>
                            <key>CFBundleIconFile</key>
                            <string>@ICON@</string>
                            <key>CFBundleIdentifier</key>
                            <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
                            <key>CFBundlePackageType</key>
                            <string>APPL</string>
                            <key>CFBundleShortVersionString</key>
                            <string>@SHORT_VERSION@</string>
                            <key>CFBundleSignature</key>
                            <string>????</string>
                            <key>CFBundleVersionString</key>
                            <string>@FULL_VERSION@</string>
                            <key>LSApplicationCategoryType</key>
                            <string>Utilities</string>
                            <key>NSCameraUsageDescription</key>
                            <string>Allow access to INOGENI video device</string>
                            <key>NSHumanReadableCopyright</key>
                            <string>2018 Dextera Labs Inc.</string>
                            <key>CFBundleGetInfoString</key>
                            <string>INOGENI Control App for updating and preview video</string>
                            <key>CFBundleSignature</key>
                            <string>????</string>
                            <key>CFBundleExecutable</key>
                            <string>@EXECUTABLE@</string>
                            <key>CFBundleIdentifier</key>
                            <string>com.dexteralabs.InogeniControlApp</string>
                            <key>NSCameraUsageDescription</key>
                            <string>Allow access to INOGENI video device</string>
                            <key>NSMicrophoneUsageDescription</key>
                            <string>Allow access to INOGENI audio device</string>
                            <key>NSPrincipalClass</key>
                            <string>NSApplication</string>
                            <key>application-identifier</key>
                            <string>XXXXXX.com.dexteralabs.InogeniControlApp</string>
                    </dict>
                    </plist>
                    

                    After issuing macdeployqt, I see this in the log:

                    ERROR: Codesign signing error:
                    ERROR: "/Users/support/dextera_inogeni_ctrl_app_s/build-InogeniControlApp-Desktop_Qt_5_14_2_clang_64bit-Release/INOGENIControlApp.app/Contents/MacOS/INOGENIControlApp: code object is not signed at all\nIn subcomponent: /Users/support/dextera_inogeni_ctrl_app_s/build-InogeniControlApp-Desktop_Qt_5_14_2_clang_64bit-Release/INOGENIControlApp.app/Contents/Frameworks/libcyusb.dylib\n"
                    ERROR: codesign verification error:
                    ERROR: "INOGENIControlApp.app: code object is not signed at all\nIn architecture: x86_64\n"
                    

                    If I do this, the problem goes away when I use macdeployqt again.

                    codesign --sign "Developer ID Application: Laboratoires Dextera Inc., Les (XXXXXXXXXXX)" --deep --force INOGENIControlApp.app/Contents/Frameworks/*.dylib
                    

                    Our application accesses USB devices like cameras and microphones. After signing, I do not get any messages to access the devices.

                      jbolduc01 wrote (#10):

                      FYI, I think it has something to do with our HID access. How to allow HID access in Info.plist or entitlements.plist?

                        jbolduc01 wrote (#11):

                        How to specify the right entitlements for my app? Specifying --entitlements in the macdeployqt codesignFile() function will lead to a crash after opening the app...

                        Process:               INOGENIControlApp [30924]
                        Path:                  /Users/USER/*/INOGENIControlApp.app/Contents/MacOS/INOGENIControlApp
                        Identifier:            INOGENIControlApp
                        Version:               ???
                        Code Type:             X86-64 (Native)
                        Parent Process:        Qt Creator [2398]
                        Responsible:           Qt Creator [2398]
                        User ID:               501
                        
                        Date/Time:             2020-05-13 16:03:23.379 -0400
                        OS Version:            Mac OS X 10.15.4 (19E287)
                        Report Version:        12
                        Anonymous UUID:        E8D88CDF-07D9-A195-32CD-A03AB946A744
                        
                        Sleep/Wake UUID:       1E06ED2C-DBB6-4946-A51D-DC1B91660443
                        
                        Time Awake Since Boot: 38000 seconds
                        Time Since Wake:       21000 seconds
                        
                        System Integrity Protection: enabled
                        
                        Crashed Thread:        Unknown
                        
                        Exception Type:        EXC_CRASH (Code Signature Invalid)
                        Exception Codes:       0x0000000000000000, 0x0000000000000000
                        Exception Note:        EXC_CORPSE_NOTIFY
                        
                        Termination Reason:    Namespace CODESIGNING, Code 0x1
                        
                        kernel messages:
                        
                        Backtrace not available
                        
                        Unknown thread crashed with X86 Thread State (64-bit):
                          rax: 0x0000000000000000  rbx: 0x0000000000000000  rcx: 0x0000000000000000  rdx: 0x0000000000000000
                          rdi: 0x0000000000000000  rsi: 0x0000000000000000  rbp: 0x0000000000000000  rsp: 0x00007ffeed65eb20
                           r8: 0x0000000000000000   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000000
                          r12: 0x0000000000000000  r13: 0x0000000000000000  r14: 0x0000000000000000  r15: 0x0000000000000000
                          rip: 0x000000010623d000  rfl: 0x0000000000000200  cr2: 0x0000000000000000
                          
                        Logical CPU:     0
                        Error Code:      0x00000000
                        Trap Number:     0
                        
                        
                        Binary images description not available
                        
                        
                        External Modification Summary:
                          Calls made by other processes targeting this process:
                            task_for_pid: 0
                            thread_create: 0
                            thread_set_state: 0
                          Calls made by this process:
                            task_for_pid: 0
                            thread_create: 0
                            thread_set_state: 0
                          Calls made by all processes on this machine:
                            task_for_pid: 20238
                            thread_create: 0
                            thread_set_state: 572
                        
                          jbolduc01 wrote (#12):

                          I got it to work. Seems like I just changed the entitlements file to be <projectName>.entitlements and put it in root directory of project and now the app launches fine.

                            SGaist (Lifetime Qt Champion) wrote (#13):

                            @sierdzio said in Codesign with Qt 5.14.2 under MacOS 10.15:

                            << "-o" << "runtime"

                            Looks like this one is now done for 5.15

                              sierdzio (Moderators) wrote (#14):

                              @SGaist said in Codesign with Qt 5.14.2 under MacOS 10.15:

                              @sierdzio said in Codesign with Qt 5.14.2 under MacOS 10.15:

                              << "-o" << "runtime"

                              Looks like this one is now done for 5.15

                              Thanks for info :-)

                              (Z(:^
