[Development] Important OSX 10.9.5 & 10.10 codesign changes

Alexander Ilyin ip.alexander.ilyin at gmail.com
Wed Sep 24 16:17:34 CEST 2014 

Sorvig Morten <Morten.Sorvig <at> digia.com> writes:

> 
> 
> > On 22 Sep 2014, at 12:03, Sorvig Morten <Morten.Sorvig <at> digia.com>
wrote:
> > 
> > 
> >> On 19 Sep 2014, at 11:28, Sorvig Morten <Morten.Sorvig <at> digia.com>
wrote:
> >> 
> >> This will indeed receive attention in the coming days. There are
already some patches attached to the
> QTBUGs. I’ll post back here once we have a complete patch set ready.
Target branches are Qt 5.3 and Qt 4.8.
> > 
> > I’m using QTBUG-32896 as a metabug to track the effort.
> 
> Backports to Qt 4.8:
> 
> https://codereview.qt-project.org/95572
> https://codereview.qt-project.org/95573
> https://codereview.qt-project.org/95574
> https://codereview.qt-project.org/95575
> https://codereview.qt-project.org/95576
> 
> Morten
> _______________________________________________
> Development mailing list
> Development <at> qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development
> 

Dear colleagues,

I see that you are trying to fix the problem 
with signing Qt apps for Mac OS X 10.9.5 and 10.10.
I have faced the problem with signing my app on 
Mac OS X 10.9.5, Qt 4.8.6 (LGPL).
I have read about wrong Qt frameworks structure 
and absent info.plist files after macdeployqt.
To localize the problem, I have created the simple Qt app 
using QtCore and QtGui, 
and tried different methods suggested in forums (after running macdeployqt).

The 1st method is to copy info.plist files from Qt location to the
Resources folders in s-test.app/Contents/Frameworks/Qt*.framework/ 
(this folders are empty after macdeployqt); 
sign dylibs, frameworks, app - each call with --deep option. 
CODESIGN IS OK, BUT "spctl -a -t exec -vv" REJECTED THE APP
("obsolete resource envelope").

The 2nd method is to move Resources folders from 
s-test.app/Contents/Frameworks/Qt*.framework/ to 
s-test.app/Contents/Frameworks/Qt*.framework/Versions/4/, 
copy info.plist files from Qt location to these Resources folders, 
create symlinks "Current", "Resources", "Qt*"; 
sign dylibs, frameworks, app - each call with --deep option. 
CODESIGN FAILED WITH MESSAGE "unsealed contents present in the root
directory of an embedded framework In subcomponent:
/Developer/res-plan/bin/s-test.app/Contents/Frameworks/QtCore.framework"
(Please look at the listing below)

I also tried codesign without --depp - no success.

Could you give me simple instruction - how to fix the problem manually 
and sign the app to be accepted by OS X 10.9.5 and later? 
Or I have to wait for an update of Qt 4.8?

Thank you in advance,
Alexander Ilyin

METHOD 1 (without fixing Frameworks structure, like in deploy.txt from
https://bugreports.qt-project.org/browse/QTBUG-38511)
----------------------------------------------------------------------------

1) cp /Library/Frameworks/QtCore.framework/Contents/Info.plist
s-test.app/Contents/Frameworks/QtCore.framework/Resources/
   cp /Library/Frameworks/QtGui.framework/Contents/Info.plist
s-test.app/Contents/Frameworks/QtGui.framework/Resources/
   
2) find s-test.app/Contents -name *.dylib | xargs -I $ codesign -vvvv
   --force --verify --deep --verbose --sign "Developer ID Application: 
   Alexander Ilyin" $
   find s-test.app/Contents -name Qt* -type f | xargs -I $ codesign -vvvv
   --force --verify --deep --verbose --sign "Developer ID Application:
   Alexander Ilyin" $
   codesign -vvvv --force --verify --deep --verbose --sign 
   "Developer ID Application: Alexander Ilyin" s-test.app

RESULT - CODESIGN IS OK, BUT "spctl -a -t exec -vv" REJECTED THE APP:

...
s-test.app/Contents/Frameworks/QtCore.framework/Versions/4/QtCore: 
signed Mach-O thin (x86_64) [QtCore]
s-test.app/Contents/Frameworks/QtGui.framework/Versions/4/QtGui: 
signed Mach-O thin (x86_64) [QtGui]
s-test.app: signed bundle with Mach-O thin (x86_64) [com.yourcompany.s-test]

$ spctl -a -t exec -vv s-test.app
s-test.app: rejected
source=obsolete resource envelope

$ codesign --verify --deep --verbose=3 s-test.app
--prepared:/Developer/res-plan/bin/s-test.app/Contents/Framework
 /QtCore.framework
--validated:/Developer/res-plan/bin/s-test.app/Contents/Frameworks
 /QtCore.framework
s-test.app: embedded framework contains modified or invalid version
In subcomponent:
/Developer/res-plan/bin/s-test.app/Contents/Frameworks/QtCore.framework

METHOD 2 (with fixing Frameworks structure)
----------------------------------------------------------------------------

1) mv /Developer/res-plan/bin/s-test.app/Contents/Frameworks
/QtCore.framework/Resources
s-test.app/Contents/Frameworks/QtCore.framework/Versions/4/
   cp /Library/Frameworks/QtCore.framework/Contents/Info.plist
s-test.app/Contents/Frameworks/QtCore.framework/Versions/4/Resources/
   ln -s
/Developer/res-plan/bin/s-test.app/Contents/Frameworks/QtCore.framework
/Versions/4/
s-test.app/Contents/Frameworks/QtCore.framework/Versions/Current
   ln -s
/Developer/res-plan/bin/s-test.app/Contents/Frameworks/QtCore.framework
/Versions/Current/Resources/
s-test.app/Contents/Frameworks/QtCore.framework/Resources
   ln -s
/Developer/res-plan/bin/s-test.app/Contents/Frameworks/QtCore.framework
/Versions/Current/QtCore
s-test.app/Contents/Frameworks/QtCore.framework/QtCore

   ... (similar 5 instructions for QtGui)

2) find s-test.app/Contents -name *.dylib | xargs -I $ codesign -vvvv
   --force --verify --deep --verbose --sign "Developer ID Application: 
   Alexander Ilyin" $
   find s-test.app/Contents -name Qt* -type f | xargs -I $ codesign -vvvv
   --force --verify --deep --verbose --sign "Developer ID Application:
   Alexander Ilyin" $
   codesign -vvvv --force --verify --deep --verbose --sign 
   "Developer ID Application: Alexander Ilyin" s-test.app

RESULT - CODESIGN FAILED :

$ sh sign.sh
... (dylibs OK)
s-test.app/Contents/Frameworks/QtCore.framework/Versions/4/QtCore: 
signed bundle with Mach-O thin (x86_64) [4]
s-test.app/Contents/Frameworks/QtGui.framework/Versions/4/QtGui: 
signed Mach-O thin (x86_64) [QtGui]
s-test.app: 
unsealed contents present in the root directory of an embedded framework
In subcomponent:
/Developer/res-plan/bin/s-test.app/Contents/Frameworks/QtCore.framework

----------------------------------------------------------------------------

More information about the Development mailing list