[Interest] OSX codesign question

Andy asmaloney at gmail.com
Wed Apr 8 16:33:02 CEST 2020 

Alex:

This doesn't look correct: --sign "52EF48168234769E0FE34C92B157ED7200626FD7"

As I mentioned before, it needs to have the format "Developer ID
Application: ACME_INC (TEAM_IDENTIFER) )”. So I don't think you have the
proper certificate.

You need to create it on the Apple developer site:

   https://developer.apple.com/account/resources/certificates/add

[image: Screen Shot 2020-04-08 at 10.29.04 AM.png]

(Not sure if images work here - its the one called "Developer ID
Application".)

Then you download it and add it to your keychain.

---
Andy Maloney  //  https://asmaloney.com
twitter ~ @asmaloney <https://twitter.com/asmaloney>



On Wed, Apr 8, 2020 at 10:22 AM "Alexander Carôt" <alexander_carot at gmx.net>
wrote:

> Hej Nuno and Andy,
>
> thanks a lot - yes, it is confusing but you helped to achieve progress,
> however, some probably last issue to be solved:
>
> What works is this:
>
>
> soulalex at alexandarotsMBP SJC % codesign --deep --force --verify --verbose
> --timestamp --options runtime --sign
> "52EF48168234769E0FE34C92B157ED7200626FD7" ./soundjack.app
>
> ./soundjack.app: signed app bundle with Mach-O thin (x86_64)
> [com.yourcompany.soundjack]
>
> soulalex at alexandarotsMBP SJC % codesign --verify --deep --strict
> --verbose=2 ./soundjack.app
>
> ./soundjack.app: valid on disk
>
> ./soundjack.app: satisfies its Designated Requirement
>
>
>
> So - this seems to be fine - otherwise please complain :-)
>
>
>
> Now comes the problem:
> When I execute the app now it tells me:
>
> soulalex at alexandarotsMBP SJC % ./soundjackMac.sh
> dyld: Library not loaded:
> @rpath/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets
>   Referenced from:
> /Users/soulalex/Desktop/wip/XP-shared/Soundjack/SJC/./soundjack.app/Contents/MacOS/soundjack
>   Reason: no suitable image found.  Did find:
>
>  /Users/soulalex/Qt/5.12.0/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets:
> code signature in
> (/Users/soulalex/Qt/5.12.0/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets)
> not valid for use in process using Library Validation: mapped file has no
> cdhash, completely unsigned? Code has to be at least ad-hoc signed.
>
> Without signation the code executes just fine.
>
> Any idea what to do next ?
>
> Thanks a lot in advance again,
> best
>
> Alex
>
>
>
> --
> http://www.carot.de
> Email : Alexander at Carot.de
> Tel.: +49 (0)177 5719797
>
>
> *Gesendet:* Mittwoch, 08. April 2020 um 14:16 Uhr
> *Von:* "Andy" <asmaloney at gmail.com>
> *An:* "Alexander Carôt" <Alexander_Carot at gmx.net>
> *Cc:* "Nuno Santos" <nunosantos at imaginando.pt>, "qt qt" <
> interest at qt-project.org>
> *Betreff:* Re: [Interest] OSX codesign question
> The certificate needs to be added to your Keychain, then you use the name
> for it in the codesign command. I think if you double-click the cert in the
> Finder it will add it to "My Certificates" properly.
>
> As Nuno pointed out, the name should look like this:
>
> "Developer ID Application: ACME_INC (TEAM_IDENTIFER) )”
>
> Where ACME_INC is the name of the organization you registered with Apple,
> and TEAM_IDENTIFER is a random string.
>
> When generating a cert on the Apple site there are a few choices that
> sound similar - frankly the whole process is confusing - but the cert must
> must read "Developer ID Application" to do what you want.
>
> ---
> Andy Maloney  //  https://asmaloney.com
> twitter ~ @asmaloney <https://twitter.com/asmaloney>
>
> On Wed, Apr 8, 2020 at 4:08 AM Alexander Carôt <Alexander_Carot at gmx.net>
> wrote:
>
>> Hi Andy and Nuno,
>>
>>
>>
>> thanks for your answers - looks like being on a good track now.
>>
>>
>>
>> I think the very last problem for me to fix is choosing the correct file
>> - so far I have used the certificate I downloaded from the developer
>> account like this:
>>
>>
>>
>> codesign --deep ./myApp -s development.cer
>>
>>
>>
>> but this give me:
>>
>>
>>
>> development.cer: no identity found
>>
>>
>>
>> Do you know how to fix this ? Do I probably use the wrong file or is
>> there anything else to be changed ?
>>
>>
>>
>> Thanks again,
>>
>> best
>>
>>
>>
>> Alex
>>
>>
>>
>> --
>>
>> http://www.carot.de
>> <https://service.gmx.net/de/cgi/derefer?TYPE=3&DEST=http%3A%2F%2Fwww.carot.de>
>> Email : Alexander at Carot.de
>> <https://service.gmx.net/de/cgi/g.fcgi/mail/new?CUSTOMERNO=3660908&t=de61720084.1316506814.edd64584&to=Alexander%40carot.de>
>> Tel.: +49 (0)177 5719797
>>
>>
>>
>>
>>
>> *Von: *Andy <asmaloney at gmail.com>
>> *Datum: *Montag, 6. April 2020 um 13:34
>> *An: *Nuno Santos <nunosantos at imaginando.pt>
>> *Cc: *Alexander Carôt <alexander_carot at gmx.net>, qt qt <
>> interest at qt-project.org>
>> *Betreff: *Re: [Interest] OSX codesign question
>>
>>
>>
>> I just did this yesterday. I could not get macdeployqt to work either, so
>> I do it using the command line in my build process.
>>
>>
>>
>> Here's the command line I'm using:
>>
>>
>>
>>   codesign --deep --force --verify --verbose --timestamp --options
>> runtime --sign "${CODE_SIGNING_ID}" "${APP_PATH}"
>>
>>
>>
>> Which signing ID you use depends on where you are releasing your
>> application. Nuno gave the command line tool to list them - you can also
>> see them under "My Certificates" in the Keychain Access application. To
>> distribute a macOS application outside the Apple Store, you want the
>> "Developer ID Application" one as Nuno showed.
>>
>>
>>
>> Two good sources of info for codesign are "man codesign" and this page:
>>
>>
>>
>>  https://developer.apple.com/library/archive/technotes/tn2206/_index.html
>>
>>
>>
>> Once your application is signed, you can use this command to verify it:
>>
>>
>>
>>   codesign --verify --deep --strict --verbose=2 "${APP_PATH}"
>>
>>
>>
>> Note that you can sign DMGs and ZIP files as well.
>>
>>
>>
>> Good luck!
>>
>>
>>
>> ---
>> Andy Maloney  //  https://asmaloney.com
>>
>> twitter ~ @asmaloney <https://twitter.com/asmaloney>
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Apr 6, 2020 at 6:39 AM Nuno Santos <nunosantos at imaginando.pt>
>> wrote:
>>
>> Alexander,
>>
>> I don’t use macdeployqt for signing.
>>
>> I call the codesign command manually in the POST LINK phase.
>>
>> You need to pass to the code sign the string representing your team. You
>> can list the available signing entities with the following command:
>>
>> > security find-identity -v -p codesigning
>>
>> Then you need to do something like this:
>>
>> codesign --deep PATH_TO_BUNDLE -s "Developer ID Application: ACME_INC
>> (TEAM_IDENTIFER) )”
>>
>> Hope it helps!
>>
>> Best,
>>
>> Nuno
>>
>> > On 6 Apr 2020, at 10:32, Alexander Carôt <alexander_carot at gmx.net>
>> wrote:
>> >
>> > Hello all,
>> >
>> > I want to sign my OSX code in order to have it running on a client's
>> machine without the need to right-click and open it.
>> >
>> > I signed at https://developer.apple.com/ and received my valid
>> certificate called "developer.cer".
>> >
>> > Then I exectued
>> >
>> > macdeployqt myApp.app -dmg -codesign=developer.cer
>> >
>> > but I got this error:
>> >
>> > ERROR: "developer.cer: no identity found\n"
>> > ERROR: Codesign signing error:
>> > ERROR: "developer.cer: no identity found\n"
>> > ERROR: codesign verification error:
>> > ERROR: "soundjack.app: code object is not signed at all\nIn
>> architecture: x86_64\n"
>> >
>> > Does anyone know what to do ? Is there probably a different/better way
>> to sign it ?
>> >
>> > Thanks a lot in advance,
>> > best
>> >
>> > Alex
>> >
>> > --
>> > http://www.carot.de
>> > Email : Alexander at Carot.de
>> > Tel.: +49 (0)177 5719797
>> >
>> > _______________________________________________
>> > Interest mailing list
>> > Interest at qt-project.org
>> > https://lists.qt-project.org/listinfo/interest
>>
>> _______________________________________________
>> Interest mailing list
>> Interest at qt-project.org
>> https://lists.qt-project.org/listinfo/interest
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20200408/7d49ca54/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2020-04-08 at 10.29.04 AM.png
Type: image/png
Size: 137706 bytes
Desc: not available
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20200408/7d49ca54/attachment-0001.png>

More information about the Interest mailing list