Sign maintenancetool on MacOS platform?
Dear Qt folks,
I have just spent a few days implementing signing of the maintenancetool
within our application's installer and online repository for Windows
platform. This has been made possible with
https://bugreports.qt.io/browse/QTIFW-667 .

I have taken the approach from Katja Marttila's comment in
https://bugreports.qt.io/browse/QTIFW-1482 :

- Add a signed installerbase via an additional package
- Set installerbaseBinaryPath via installscript.qs

On Windows platform, this succeeds both when running the installation
path and the online update path. Fine.

Now I am facing the MacOS side.
I expected a similar behaviour on MacOS since installscript.qs contains
an explicit if case handling the installerbase executable file name on
MacOS.

But I am facing differences:

- On MacOS, there is no simple maintenancetool executable. Instead there
  is a maintenancetool.app application bundle
- After either installation or update, I find a (useless) signed
  installerbase executable beside the unsigned maintenancetool.app
  application bundle. The installerbase executable cannot be run as
  the necessary resources are missing.

The directory tree listing looks basically as follows:

myapplication.app\
+--- Contents\
+--- InstallationLog.txt
+--- Licenses
+--- components.xml
+--- installerbase    /* installerbase, signed */
+--- network.xml
+--- setup.app\       /* Renamed maintenancetool application bundle, unsigned */
+--- setup.dat
+--- setup.ini

I am wondering now if maintenancetool signing is even necessary on
MacOS at all:
On Windows, an increasing number of malware detection software
complains about maintenancetool's missing signature. Not so on MacOS.
On MacOS, we already pass the whole process of signing our application
bundle with hardened runtime enabled and notarization. Gatekeeper does
not complain.

So my question is:
Do we need to sign the maintenancetool on MacOS platform?
If yes, how do I sign the maintenancetool.app application bundle?

Thanks,
Markus