How to 'notarize' Qt application on MacOS?

AndyBrice

I am trying to get my Mac application 'notarized' on Mac. I followed the steps recommended on various sites:

https://cycling74.com/forums/apple-notarizing-for-mojave-10-14-and-beyond
https://www.mbsplugins.de/archive/2018-11-02/Notarize_apps_for_MacOS
https://forum.xojo.com/50655-how-to-codesign-and-notarise-your-app-for-macos-10-14-and-highe
https://forum.xojo.com/49408-10-14-hardened-runtime-and-app-notarization/11
https://stackoverflow.com/questions/53112078/how-to-upload-dmg-file-for-notarization-in-xcode

But got the message:

"The executable does not have the hardened runtime enabled"

I can only find instructions on how to enable hardened runtime using XCode. Any ideas on how to use it when building with QtCreator? Googling has not turned up much.

SGaist

Hi,

AFAIK, it's not yet supported and would likely rather be part of macdeployqt, I'd recommend checking the bug report system to see if there's anything related. If not, you should consider opening a feature request providing your findings.

AndyBrice

According to:

https://github.com/sparkle-project/Sparkle/issues/1266

It might just be a case of adding:

-o runtime

To my codesign arguments. In which case it might be a bit out of scope for macdeployqt.

AndyBrice

Also notarization is (weirdly) an asynchronous multi-step process.

if I get it working I will write it up and post a link here.

SGaist

It's still something for macdeployqt as you can do the code signing through it.

AndyBrice

I didn't know that macdeployqt supported codesign. You learn something new every day!

There is a request to support hardened runtimes in Qt:
https://bugreports.qt.io/projects/QTBUG/issues/QTBUG-71291?filter=allissues

SGaist

You should add the links you provided here to the report, they have some useful information.

AndyBrice

I did get it working. Adding "-o runtime" to codesign was the key. I will write it up into a blog post and link here and in the bug report.

AndyBrice

I wrote it up the whole process here:

https://successfulsoftware.net/2018/11/16/how-to-notarize-your-software-on-macos/

--
Andy Brice
https://www.hyperplan.com
https://www.perfecttableplan.com
https://www.successfulsoftware.net

Juan Garcia

@AndyBrice thanks for the post, it helps a lot. Is there any way to automatize the process? I'm including notarizing process in my CI/CD and it is being a pain ...

PSI_lbc

Does anyone have any thoughts on how the notariztion would work if your app bundle contains a helper app (.exe) that the app bundle .exe launches?

Example: The app bundle is named MyApp. In the /MacOS folder inside the app bundle is MyApp.exe. The helper app that gets launched as a Qt process is in the same folder and is named MyHelper.exe.

Does the helper app get notarized first or does it need to notarized at all?

Martin Delille - Lylo

@AndyBrice I followed your article and I thank you for that!

I'm developping an application that access the microphone but unfortunately since I added the -o runtime option to the codesigning process I don't have recording capabilities anymore (the pop up asking for microphone acces doesn't show up). Any idea how this option could affect the access to the device capabilities?

Martin Delille - Lylo

This post is deleted!

Martin Delille - Lylo

@Martin-Delille-Lylo Ok I found the solution to my problem: I needed to add the proper entitlement when codesigning: https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html

codesign --deep --force –verify --verbose \
         --sign “Developer ID Application: Phonations” \
         --options runtime \
         --entitlements myentitlements.plist \
         myApp.app

Martin Delille - Lylo

@Juan-Garcia The full process is totally automatic on my side. What do you lack in @AndyBrice article? Maybe this script https://github.com/create-dmg/create-dmg ?

dporobic

@Martin-Delille-Lylo Would be nice if you could provide an example of your automated process. I'm trying to make this work on TravisCI.

dporobic

@Martin-Delille-Lylo how did you manage to staple the result to the dmg file? When my script gets to the staple part the notarization is not finished on the Apple side. Is there way to query the status?

dporobic

Ok, got it fully automated running on Travis CI with the script below, might need some cleaning up but it seems to be working.

```
macdeployqt ksnip.app -dmg -sign-for-notarization="${APPLE_DEV_IDENTITY}"
mv ksnip.dmg ksnip-${VERSION}.dmg

echo "--> Start Notarization process"
response=$(xcrun altool -t osx -f ksnip-${VERSION}.dmg --primary-bundle-id org.ksnip.ksnip --notarize-app -u ${APPLE_DEV_USER} -p ${APPLE_DEV_PASS})
requestUUID=$(echo "${response}" | tr ' ' '\n' | tail -1)

while true; do
  echo "--> Checking notarization status"

  statusCheckResponse=$(xcrun altool --notarization-info ${requestUUID} -u ${APPLE_DEV_USER} -p ${APPLE_DEV_PASS})

  isSuccess=$(echo "${statusCheckResponse}" | grep "success")
  isFailure=$(echo "${statusCheckResponse}" | grep "invalid")

  if [[ "${isSuccess}" != "" ]]; then
      echo "Notarization done!"
      xcrun stapler staple -v ksnip-${VERSION}.dmg
      echo "Stapler done!"
      break
  fi
  if [[ "${isFailure}" != "" ]]; then
      echo "Notarization failed"
      return 1
  fi
  echo "Notarization not finished yet, sleep 2m then check again..."
  sleep 120
done
```

Useful links:
https://successfulsoftware.net/2018/11/16/how-to-notarize-your-software-on-macos/
https://www.logcg.com/en/archives/3222.html
https://www.update.rocks/blog/osx-signing-with-travis/