Maintenance Tool not signed correctly for MacOS Sequoia
-
Hi! I am developing a desktop app which is deployed across multiple systems. The app has an online installer which is generated using the Qt Installer Framework (4.7).
When the program is installed, it comes with the Maintenance Tool deployed alongside. I have encountered wrong Apple signature issues preventing me from launching the Maintenance Tool on the latest MacOS Sequoia (likely due to the forced Gatekeeper feature).
Any tips on how to correctly sign the Maintenance Tool app bundle?
The deployment process in short:
- a dedicated project with a .pro file where I define the configuration and it compiles the installer
- a pipeline which builds the project and for MacOS it signs the installer
- the pipeline also performs notarization of the installer
I checked the signature of the Maintenance Tool after installation and it does seem to be signed, but the system still reports that the signature is invalid, as if there was something missing. This has not been an issue in past OS versions.
I don't have any plist or entitlements files for the installer. Any help would be greatly appreciated.
-
Hi,
From the looks of it, it seems you are doing things correctly. Which error message do you get?
-
The MaintenanceTool.app fails with an exception of "Code Signature Invalid" and a termination reason of "CODESIGNING 1 Taskgated Invalid Signature".
It looks like the issue is specific to the new MacOS Sequoia as per this bug report.
I am now trying to come up with a solution which will generate the Maintenance Tool with the binarycreator, then sign the MT and make my installer app use this signed variant. I have succeeded with generating my own Maintenance Tool using this guide, but I have encountered some problems along the way:
-
I need to generate the MT in a separate call of the binarycreator - what I would prefer is to add the --mt option to my existing installer generation logic (which is as below)
INPUT = $$CONFIG_XML
installer.input = INPUT
installer.output = $$PWD/../build/$$INSTALLER
installer.commands = $$BINARYCREATOR --online-only --ignore-invalid-packages -c $$CONFIG_XML -r $$PWD/resources.qrc -p $$PWD/config ${QMAKE_FILE_OUT}
installer.CONFIG += target_predeps no_link combine
QMAKE_EXTRA_COMPILERS += installer
-
When I run the command below, I cannot make the binarycreator output the Maintenance Tool to a desired directory - it always generates it in a default directory above my main repository path. This is not critical, I can copy the generated MT to a desired location myself. Interestingly, this --mt option is not documented.
binarycreator -c config/config.xml --mt $$OUTPUT_DIR
-
As far as I understand the documentation, the next step after having a generated MT is to create an installscript.qs with correct logic that will replace the default MT with my generated and signed one - what I don't know is how I should reference the generated Maintenance Tool app.
The entire installer generation logic is kept in a project separate from my application code. I don't know if this is relevant, but might further complicate things. For the desktop app, I already have a "qs" script which handles several things (some custom installer behavior). Perhaps the MT replacement code should be placed there?
*Edit:
I have been able to confirm that creating a custom MT, signing and notarizing it in the pipeline, then replacing the original with it works. All I need now is to understand how to correctly distribute this app bundle during the installation process.
-
-
Posting a solution for those who might encounter the same issue.
As per the suggestion mentioned in the bug report linked in my original post, starting from MacOS Sequoia, the Maintenance Tool app bundle needs to be signed and notarized separately (unless this is fixed in Qt IFW > 4.8).
Fix steps:
- use the binarycreator to generate a Maintenance Tool (use your preferred config.xml)
- sign and notarize the Maintenance Tool yourself
- implement the logic of replacing the tool as per the Qt IFW documentation in your installscript.qs (provided in previous post)
- distribute the Maintenance Tool as other packages (your logic may vary here)
- additionally, you may need to elevate the Maintenance Tool's permissions by executing a chmod +x operation (can be done in your XML config)
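The sign, notarize and verify steps from the fix above, written out as an added example (this is not the original poster's pipeline script); the signing identity and the notarytool keychain profile name are assumptions you supply on the command line:

```shell
#!/bin/sh
# Added example: sign, notarize and verify a binarycreator-generated
# MaintenanceTool.app before it is packaged for distribution.
# Usage: sign_mt.sh MaintenanceTool.app "Developer ID Application: ..." NOTARY_PROFILE
set -eu

# Pure helper: reads the combined output of `codesign --verify` and
# `spctl --assess` from stdin; returns 0 only if every Gatekeeper check
# passed and the source is a notarized Developer ID signature.
check_verify_output() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'valid on disk' || return 1
    printf '%s\n' "$out" | grep -q 'satisfies its Designated Requirement' || return 1
    printf '%s\n' "$out" | grep -q ': accepted' || return 1
    printf '%s\n' "$out" | grep -q 'source=Notarized Developer ID' || return 1
    return 0
}

# Sign with the hardened runtime and a secure timestamp, both of which
# notarization requires; --deep also signs any nested code in the bundle.
sign_mt() {
    bundle=$1; identity=$2
    chmod +x "$bundle/Contents/MacOS/"*      # the tool must be executable
    codesign --force --deep --options runtime --timestamp \
        --sign "$identity" "$bundle"
}

# Submit a zip of the bundle to Apple's notary service, wait for the
# verdict and staple the ticket so Gatekeeper can check it offline.
notarize_mt() {
    bundle=$1; profile=$2
    zip="${bundle%.app}.zip"
    ditto -c -k --keepParent "$bundle" "$zip"
    xcrun notarytool submit "$zip" --keychain-profile "$profile" --wait
    xcrun stapler staple "$bundle"
}

# Re-run the checks Gatekeeper performs on the target machine.
verify_mt() {
    bundle=$1
    { codesign --verify --deep --strict --verbose=2 "$bundle" 2>&1
      spctl --assess --type execute --verbose=4 "$bundle" 2>&1
    } | check_verify_output
}

if [ $# -eq 3 ]; then
    sign_mt "$1" "$2"; notarize_mt "$1" "$3"; verify_mt "$1"
fi
```

Run it against the MaintenanceTool.app produced by binarycreator before the step that packages it; a non-zero exit from verify_mt means the bundle would fail Gatekeeper on Sequoia just as the unsigned default does.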
-
-
Nice!
Thanks for the feedback :-)