[Interest] OSX codesign question

Andy asmaloney at gmail.com
Wed Apr 8 16:57:18 CEST 2020


Please take another look at my previous emails.

You are using the wrong certificate.

I don't know if using the right one will fix the problem you are seeing,
but... you still need to use the right one.

---
Andy Maloney  //  https://asmaloney.com
twitter ~ @asmaloney <https://twitter.com/asmaloney>



On Wed, Apr 8, 2020 at 10:54 AM "Alexander Carôt" <alexander_carot at gmx.net>
wrote:

> >>This doesn't look correct: --sign
> "52EF48168234769E0FE34C92B157ED7200626FD7"
> >>As I mentioned before, it needs to have the format "Developer ID
> Application: ACME_INC (TEAM_IDENTIFER) )”. So I don't think you
> >>have the proper certificate.
>
> Searching for existing identities gives me this:
>
> soulalex at alexandarotsMBP SJC % security find-identity -v -p
> codesigning
>
>   1) 4D819554CF93C21868FA8D8780BEB39CCDD8B49F "Alexander Carôt"
>   2) 52EF48168234769E0FE34C92B157ED7200626FD7 "Apple Development:
> jazzalex at gmail.com (8T5GF549SQ)"
>   3) 52EF48168234769E0FE34C92B157ED7200626FD7 "Apple Development:
> jazzalex at gmail.com (8T5GF549SQ)"
>   4) 6135CA7BAF240DA02508B36ACBBA5CC287FBFB38 "gdb-cert"
>      4 valid identities found
>
> Applying
>
> soulalex at alexandarotsMBP SJC % codesign --deep --force --verify --verbose
> --timestamp --options runtime --sign
> "52EF48168234769E0FE34C92B157ED7200626FD7" ./soundjack.app
>
> or
>
> soulalex at alexandarotsMBP SJC % codesign --deep --force --verify --verbose
> --timestamp --options runtime --sign "Apple Development:
> jazzalex at gmail.com (8T5GF549SQ)" ./soundjack.app
>
> has the same result.
>
> Previously I had imported the certificate into the keychain as described.
> Will check it again but the error described below confuses me still.
>
> Best
>
> Alex
>
> --
> http://www.carot.de
> Email : Alexander at Carot.de
> Tel.: +49 (0)177 5719797
>
>
> *Gesendet:* Mittwoch, 08. April 2020 um 16:33 Uhr
> *Von:* "Andy" <asmaloney at gmail.com>
> *An:* "Alexander Carôt" <alexander_carot at gmx.net>
> *Cc:* "Nuno Santos" <nunosantos at imaginando.pt>, "qt qt" <
> interest at qt-project.org>
> *Betreff:* Re: Re: [Interest] OSX codesign question
> Alex:
>
> This doesn't look correct: --sign
> "52EF48168234769E0FE34C92B157ED7200626FD7"
>
> As I mentioned before, it needs to have the format "Developer ID
> Application: ACME_INC (TEAM_IDENTIFER) )”. So I don't think you have the
> proper certificate.
>
> You need to create it on the Apple developer site:
>
>    https://developer.apple.com/account/resources/certificates/add
>
> [image: Screen Shot 2020-04-08 at 10.29.04 AM.png]
>
> (Not sure if images work here - its the one called "Developer ID
> Application".)
>
> Then you download it and add it to your keychain.
>
> ---
> Andy Maloney  //  https://asmaloney.com
> twitter ~ @asmaloney <https://twitter.com/asmaloney>
>
> On Wed, Apr 8, 2020 at 10:22 AM "Alexander Carôt" <alexander_carot at gmx.net>
> wrote:
>
>> Hej Nuno and Andy,
>>
>> thanks a lot - yes, it is confusing but you helped to achieve progress,
>> however, some probably last issue to be solved:
>>
>> What works is this:
>>
>>
>> soulalex at alexandarotsMBP SJC % codesign --deep --force --verify
>> --verbose --timestamp --options runtime --sign
>> "52EF48168234769E0FE34C92B157ED7200626FD7" ./soundjack.app
>>
>> ./soundjack.app: signed app bundle with Mach-O thin (x86_64)
>> [com.yourcompany.soundjack]
>>
>> soulalex at alexandarotsMBP SJC % codesign --verify --deep --strict
>> --verbose=2 ./soundjack.app
>>
>> ./soundjack.app: valid on disk
>>
>> ./soundjack.app: satisfies its Designated Requirement
>>
>>
>>
>> So - this seems to be fine - otherwise please complain :-)
>>
>>
>>
>> Now comes the problem:
>> When I execute the app now it tells me:
>>
>> soulalex at alexandarotsMBP SJC % ./soundjackMac.sh
>> dyld: Library not loaded:
>> @rpath/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets
>>   Referenced from:
>> /Users/soulalex/Desktop/wip/XP-shared/Soundjack/SJC/./soundjack.app/Contents/MacOS/soundjack
>>   Reason: no suitable image found.  Did find:
>>
>>  /Users/soulalex/Qt/5.12.0/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets:
>> code signature in
>> (/Users/soulalex/Qt/5.12.0/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets)
>> not valid for use in process using Library Validation: mapped file has no
>> cdhash, completely unsigned? Code has to be at least ad-hoc signed.
>>
>> Without signation the code executes just fine.
>>
>> Any idea what to do next ?
>>
>> Thanks a lot in advance again,
>> best
>>
>> Alex
>>
>>
>>
>> --
>> http://www.carot.de
>> Email : Alexander at Carot.de
>> Tel.: +49 (0)177 5719797
>>
>>
>> *Gesendet:* Mittwoch, 08. April 2020 um 14:16 Uhr
>> *Von:* "Andy" <asmaloney at gmail.com>
>> *An:* "Alexander Carôt" <Alexander_Carot at gmx.net>
>> *Cc:* "Nuno Santos" <nunosantos at imaginando.pt>, "qt qt" <
>> interest at qt-project.org>
>> *Betreff:* Re: [Interest] OSX codesign question
>> The certificate needs to be added to your Keychain, then you use the name
>> for it in the codesign command. I think if you double-click the cert in the
>> Finder it will add it to "My Certificates" properly.
>>
>> As Nuno pointed out, the name should look like this:
>>
>> "Developer ID Application: ACME_INC (TEAM_IDENTIFER) )”
>>
>> Where ACME_INC is the name of the organization you registered with Apple,
>> and TEAM_IDENTIFER is a random string.
>>
>> When generating a cert on the Apple site there are a few choices that
>> sound similar - frankly the whole process is confusing - but the cert must
>> must read "Developer ID Application" to do what you want.
>>
>> ---
>> Andy Maloney  //  https://asmaloney.com
>> twitter ~ @asmaloney <https://twitter.com/asmaloney>
>>
>> On Wed, Apr 8, 2020 at 4:08 AM Alexander Carôt <Alexander_Carot at gmx.net>
>> wrote:
>>
>>> Hi Andy and Nuno,
>>>
>>>
>>>
>>> thanks for your answers - looks like being on a good track now.
>>>
>>>
>>>
>>> I think the very last problem for me to fix is choosing the correct file
>>> - so far I have used the certificate I downloaded from the developer
>>> account like this:
>>>
>>>
>>>
>>> codesign --deep ./myApp -s development.cer
>>>
>>>
>>>
>>> but this give me:
>>>
>>>
>>>
>>> development.cer: no identity found
>>>
>>>
>>>
>>> Do you know how to fix this ? Do I probably use the wrong file or is
>>> there anything else to be changed ?
>>>
>>>
>>>
>>> Thanks again,
>>>
>>> best
>>>
>>>
>>>
>>> Alex
>>>
>>>
>>>
>>> --
>>>
>>> http://www.carot.de
>>> <https://service.gmx.net/de/cgi/derefer?TYPE=3&DEST=http%3A%2F%2Fwww.carot.de>
>>> Email : Alexander at Carot.de
>>> <https://service.gmx.net/de/cgi/g.fcgi/mail/new?CUSTOMERNO=3660908&t=de61720084.1316506814.edd64584&to=Alexander%40carot.de>
>>> Tel.: +49 (0)177 5719797
>>>
>>>
>>>
>>>
>>>
>>> *Von: *Andy <asmaloney at gmail.com>
>>> *Datum: *Montag, 6. April 2020 um 13:34
>>> *An: *Nuno Santos <nunosantos at imaginando.pt>
>>> *Cc: *Alexander Carôt <alexander_carot at gmx.net>, qt qt <
>>> interest at qt-project.org>
>>> *Betreff: *Re: [Interest] OSX codesign question
>>>
>>>
>>>
>>> I just did this yesterday. I could not get macdeployqt to work either,
>>> so I do it using the command line in my build process.
>>>
>>>
>>>
>>> Here's the command line I'm using:
>>>
>>>
>>>
>>>   codesign --deep --force --verify --verbose --timestamp --options
>>> runtime --sign "${CODE_SIGNING_ID}" "${APP_PATH}"
>>>
>>>
>>>
>>> Which signing ID you use depends on where you are releasing your
>>> application. Nuno gave the command line tool to list them - you can also
>>> see them under "My Certificates" in the Keychain Access application. To
>>> distribute a macOS application outside the Apple Store, you want the
>>> "Developer ID Application" one as Nuno showed.
>>>
>>>
>>>
>>> Two good sources of info for codesign are "man codesign" and this page:
>>>
>>>
>>>
>>>
>>> https://developer.apple.com/library/archive/technotes/tn2206/_index.html
>>>
>>>
>>>
>>> Once your application is signed, you can use this command to verify it:
>>>
>>>
>>>
>>>   codesign --verify --deep --strict --verbose=2 "${APP_PATH}"
>>>
>>>
>>>
>>> Note that you can sign DMGs and ZIP files as well.
>>>
>>>
>>>
>>> Good luck!
>>>
>>>
>>>
>>> ---
>>> Andy Maloney  //  https://asmaloney.com
>>>
>>> twitter ~ @asmaloney <https://twitter.com/asmaloney>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Apr 6, 2020 at 6:39 AM Nuno Santos <nunosantos at imaginando.pt>
>>> wrote:
>>>
>>> Alexander,
>>>
>>> I don’t use macdeployqt for signing.
>>>
>>> I call the codesign command manually in the POST LINK phase.
>>>
>>> You need to pass to the code sign the string representing your team. You
>>> can list the available signing entities with the following command:
>>>
>>> > security find-identity -v -p codesigning
>>>
>>> Then you need to do something like this:
>>>
>>> codesign --deep PATH_TO_BUNDLE -s "Developer ID Application: ACME_INC
>>> (TEAM_IDENTIFER) )”
>>>
>>> Hope it helps!
>>>
>>> Best,
>>>
>>> Nuno
>>>
>>> > On 6 Apr 2020, at 10:32, Alexander Carôt <alexander_carot at gmx.net>
>>> wrote:
>>> >
>>> > Hello all,
>>> >
>>> > I want to sign my OSX code in order to have it running on a client's
>>> machine without the need to right-click and open it.
>>> >
>>> > I signed at https://developer.apple.com/ and received my valid
>>> certificate called "developer.cer".
>>> >
>>> > Then I exectued
>>> >
>>> > macdeployqt myApp.app -dmg -codesign=developer.cer
>>> >
>>> > but I got this error:
>>> >
>>> > ERROR: "developer.cer: no identity found\n"
>>> > ERROR: Codesign signing error:
>>> > ERROR: "developer.cer: no identity found\n"
>>> > ERROR: codesign verification error:
>>> > ERROR: "soundjack.app: code object is not signed at all\nIn
>>> architecture: x86_64\n"
>>> >
>>> > Does anyone know what to do ? Is there probably a different/better way
>>> to sign it ?
>>> >
>>> > Thanks a lot in advance,
>>> > best
>>> >
>>> > Alex
>>> >
>>> > --
>>> > http://www.carot.de
>>> > Email : Alexander at Carot.de
>>> > Tel.: +49 (0)177 5719797
>>> >
>>> > _______________________________________________
>>> > Interest mailing list
>>> > Interest at qt-project.org
>>> > https://lists.qt-project.org/listinfo/interest
>>>
>>> _______________________________________________
>>> Interest mailing list
>>> Interest at qt-project.org
>>> https://lists.qt-project.org/listinfo/interest
>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20200408/d09eef1e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: noname
Type: image/png
Size: 137706 bytes
Desc: not available
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20200408/d09eef1e/attachment-0001.png>


More information about the Interest mailing list