[Interest] Fw: Aw: Re: Re: Re: OSX codesign question

Andy asmaloney at gmail.com
Wed Apr 8 17:41:15 CEST 2020


Yes. Apple has totally lost the plot. This stuff is way too confusing and
complicated. (And it's a total waste of time - but that's another rant.)

The command you need for notarization looks something like this:

   xcrun altool --notarize-app -f "${APP}" --primary-bundle-id "${BUNDLE_ID}" \
      -u "${NOTARIZATION_USER}" -p "${NOTARIZATION_PASSWORD}"

Where:

   APP is something like foo.app
   BUNDLE_ID is "com.foo.appname" (I believe you need to set this up for
      each application on the Apple site as well.)
   NOTARIZATION_USER is your Apple ID
   NOTARIZATION_PASSWORD is a keychain reference like this:
      @keychain:AppNameNotarization (you need to create this in your keychain)

After you get it successfully notarized (you need to wait for an email),
you'll need to "staple" the receipt to your app as well.

   xcrun stapler staple "${APP}"

Basically, the process that is described like this:

[image: Build Process.png]

Actually looks more like this:

[image: Build Process Full.png]


---
Andy Maloney  //  https://asmaloney.com
twitter ~ @asmaloney <https://twitter.com/asmaloney>
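
Added example, not part of the original e-mail: the dyld abort quoted further down in this thread names the image that Library Validation rejected and the binary that referenced it. This script (function names are hypothetical) parses such output and reports whether each rejected image sits inside the signed bundle, which `codesign --deep` covers, or outside it.

```sh
#!/bin/sh
# Added example: triage a dyld Library Validation abort (function names are hypothetical).

# Constructed sample: the dyld abort from this thread, e-mail line wrapping kept.
SAMPLE_DYLD_LOG='dyld: Library not loaded:
@rpath/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets
  Referenced from:
/Users/soulalex/Desktop/wip/XP-shared/Soundjack/SJC/./soundjack.app/Contents/MacOS/soundjack
  Reason: no suitable image found.  Did find:
 /Users/soulalex/Qt-5.14.2/5.14.2/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets:
code signature in
(/Users/soulalex/Qt-5.14.2/5.14.2/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets)
not valid for use in process using Library Validation: mapped file has no
cdhash, completely unsigned? Code has to be at least ad-hoc signed.'

# Join wrapped lines so the patterns below match terminal and e-mail copies alike.
unwrap() { tr '\n\t' '  ' | tr -s ' '; }

# Print each image path that Library Validation rejected, one per line.
rejected_images() {
  unwrap |
    grep -oE 'code signature in \([^)]+\) not valid for use in process using Library Validation' |
    sed -E 's/^code signature in \(//; s/\) not valid.*$//' | sort -u
}

# Print the .app directory taken from "Referenced from:" (paths with spaces are not handled).
bundle_root() {
  unwrap | sed -nE 's#.*Referenced from: ([^ ]*\.app)/.*#\1#p' | sed 's#/\./#/#g'
}

# Label each rejected image INSIDE or OUTSIDE the bundle. codesign --deep only
# signs code nested in the bundle, so an OUTSIDE image was never signed by it.
triage() (
  log=$(cat)
  root=$(printf '%s\n' "$log" | bundle_root)
  [ -n "$root" ] || { echo "no 'Referenced from: ....app/' line found" >&2; exit 2; }
  printf '%s\n' "$log" | rejected_images | while IFS= read -r img; do
    case "$img" in
      "$root"/*) echo "INSIDE $img" ;;
      *)         echo "OUTSIDE $img" ;;
    esac
  done
)

printf '%s\n' "$SAMPLE_DYLD_LOG" | triage
```

An OUTSIDE result means the framework was resolved from a location such as the Qt install tree and has to be copied into the bundle (macdeployqt does this) before the bundle is signed.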



On Wed, Apr 8, 2020 at 11:30 AM "Alexander Carôt" <alexander_carot at gmx.net>
wrote:

> P.S.: I might have overlooked this info:
>
> *Software Distribution Reminder*
>
> If you're generating your first Developer ID certificate, the software
> that you sign it with must be notarized by Apple in order to run on macOS
> 10.14.5 or later. Learn how to submit your software for notarization
> <https://developer.apple.com/developer-id/>
>
> Phhhewww --- well, this is all pretty annoying - OSX used to be easy and
> straight-forward but well - I will have to live with it and now look what
> they want in terms of "notarization".
>
>
> --
> http://www.carot.de
> Email : Alexander at Carot.de
> Tel.: +49 (0)177 5719797
>
>
> *Sent:* Wednesday, 08 April 2020 at 17:15
> *From:* "Alexander Carôt" <alexander_carot at gmx.net>
> *To:* "Andy" <asmaloney at gmail.com>
> *Cc:* "Nuno Santos" <nunosantos at imaginando.pt>, "qt qt" <
> interest at qt-project.org>
> *Subject:* Aw: Re: Re: Re: [Interest] OSX codesign question
> So - I received the new certificate, installed it on my keychain tool and
> this is what happened again:
>
> soulalex at alexandarotsMBP SJC % codesign --deep --force --verify --verbose
> --timestamp --options runtime --sign "Developer ID Application: Alexander
> Carot (92C65YCLK8)" ./soundjack.app
> ./soundjack.app: signed app bundle with Mach-O thin (x86_64)
> [com.yourcompany.soundjack]
>
> soulalex at alexandarotsMBP SJC % codesign --verify --deep --strict
> --verbose=2 ./soundjack.app
> ./soundjack.app: valid on disk
> ./soundjack.app: satisfies its Designated Requirement
>
> soulalex at alexandarotsMBP SJC % ./soundjack.app/Contents/MacOS/soundjack
> dyld: Library not loaded:
> @rpath/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets
>   Referenced from:
> /Users/soulalex/Desktop/wip/XP-shared/Soundjack/SJC/./soundjack.app/Contents/MacOS/soundjack
>   Reason: no suitable image found.  Did find:
>
>  /Users/soulalex/Qt-5.14.2/5.14.2/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets:
> code signature in
> (/Users/soulalex/Qt-5.14.2/5.14.2/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets)
> not valid for use in process using Library Validation: mapped file has no
> cdhash, completely unsigned? Code has to be at least ad-hoc signed.
> zsh: abort      ./soundjack.app/Contents/MacOS/soundjack
> soulalex at alexandarotsMBP SJC %
>
> Any idea left ?
>
> Thanks,
> best
>
> Alex
>
> --
> http://www.carot.de
> Email : Alexander at Carot.de
> Tel.: +49 (0)177 5719797
>
>
> *Sent:* Wednesday, 08 April 2020 at 16:57
> *From:* "Andy" <asmaloney at gmail.com>
> *To:* "Alexander Carôt" <alexander_carot at gmx.net>
> *Cc:* "Nuno Santos" <nunosantos at imaginando.pt>, "qt qt" <
> interest at qt-project.org>
> *Subject:* Re: Re: Re: [Interest] OSX codesign question
> Please take another look at my previous emails.
>
> You are using the wrong certificate.
>
> I don't know if using the right one will fix the problem you are seeing,
> but... you still need to use the right one.
>
> ---
> Andy Maloney  //  https://asmaloney.com
> twitter ~ @asmaloney <https://twitter.com/asmaloney>
>
> On Wed, Apr 8, 2020 at 10:54 AM "Alexander Carôt" <alexander_carot at gmx.net>
> wrote:
>
>> >>This doesn't look correct: --sign
>> "52EF48168234769E0FE34C92B157ED7200626FD7"
>> >>As I mentioned before, it needs to have the format "Developer ID
>> Application: ACME_INC (TEAM_IDENTIFIER)". So I don't think you
>> >>have the proper certificate.
>>
>> Searching for existing identities gives me this:
>>
>> soulalex at alexandarotsMBP SJC % security find-identity -v -p
>> codesigning
>>
>>   1) 4D819554CF93C21868FA8D8780BEB39CCDD8B49F "Alexander Carôt"
>>   2) 52EF48168234769E0FE34C92B157ED7200626FD7 "Apple Development:
>> jazzalex at gmail.com (8T5GF549SQ)"
>>   3) 52EF48168234769E0FE34C92B157ED7200626FD7 "Apple Development:
>> jazzalex at gmail.com (8T5GF549SQ)"
>>   4) 6135CA7BAF240DA02508B36ACBBA5CC287FBFB38 "gdb-cert"
>>      4 valid identities found
>>
>> Applying
>>
>> soulalex at alexandarotsMBP SJC % codesign --deep --force --verify
>> --verbose --timestamp --options runtime --sign
>> "52EF48168234769E0FE34C92B157ED7200626FD7" ./soundjack.app
>>
>> or
>>
>> soulalex at alexandarotsMBP SJC % codesign --deep --force --verify
>> --verbose --timestamp --options runtime --sign "Apple Development:
>> jazzalex at gmail.com (8T5GF549SQ)" ./soundjack.app
>>
>> has the same result.
>>
>> Previously I had imported the certificate into the keychain as described.
>> Will check it again but the error described below confuses me still.
>>
>> Best
>>
>> Alex
>>
>> --
>> http://www.carot.de
>> Email : Alexander at Carot.de
>> Tel.: +49 (0)177 5719797
>>
>>
>> *Sent:* Wednesday, 08 April 2020 at 16:33
>> *From:* "Andy" <asmaloney at gmail.com>
>> *To:* "Alexander Carôt" <alexander_carot at gmx.net>
>> *Cc:* "Nuno Santos" <nunosantos at imaginando.pt>, "qt qt" <
>> interest at qt-project.org>
>> *Subject:* Re: Re: [Interest] OSX codesign question
>> Alex:
>>
>> This doesn't look correct: --sign
>> "52EF48168234769E0FE34C92B157ED7200626FD7"
>>
>> As I mentioned before, it needs to have the format "Developer ID
>> Application: ACME_INC (TEAM_IDENTIFIER)". So I don't think you have the
>> proper certificate.
>>
>> You need to create it on the Apple developer site:
>>
>>    https://developer.apple.com/account/resources/certificates/add
>>
>> [image: Screen Shot 2020-04-08 at 10.29.04 AM.png]
>>
>> (Not sure if images work here - it's the one called "Developer ID
>> Application".)
>>
>> Then you download it and add it to your keychain.
>>
>> ---
>> Andy Maloney  //  https://asmaloney.com
>> twitter ~ @asmaloney <https://twitter.com/asmaloney>
>>
>> On Wed, Apr 8, 2020 at 10:22 AM "Alexander Carôt" <
>> alexander_carot at gmx.net> wrote:
>>
>>> Hej Nuno and Andy,
>>>
>>> thanks a lot - yes, it is confusing but you helped to achieve progress,
>>> however, some probably last issue to be solved:
>>>
>>> What works is this:
>>>
>>>
>>> soulalex at alexandarotsMBP SJC % codesign --deep --force --verify
>>> --verbose --timestamp --options runtime --sign
>>> "52EF48168234769E0FE34C92B157ED7200626FD7" ./soundjack.app
>>>
>>> ./soundjack.app: signed app bundle with Mach-O thin (x86_64)
>>> [com.yourcompany.soundjack]
>>>
>>> soulalex at alexandarotsMBP SJC % codesign --verify --deep --strict
>>> --verbose=2 ./soundjack.app
>>>
>>> ./soundjack.app: valid on disk
>>>
>>> ./soundjack.app: satisfies its Designated Requirement
>>>
>>>
>>>
>>> So - this seems to be fine - otherwise please complain :-)
>>>
>>>
>>>
>>> Now comes the problem:
>>> When I execute the app now it tells me:
>>>
>>> soulalex at alexandarotsMBP SJC % ./soundjackMac.sh
>>> dyld: Library not loaded:
>>> @rpath/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets
>>>   Referenced from:
>>> /Users/soulalex/Desktop/wip/XP-shared/Soundjack/SJC/./soundjack.app/Contents/MacOS/soundjack
>>>   Reason: no suitable image found.  Did find:
>>>
>>>  /Users/soulalex/Qt/5.12.0/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets:
>>> code signature in
>>> (/Users/soulalex/Qt/5.12.0/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets)
>>> not valid for use in process using Library Validation: mapped file has no
>>> cdhash, completely unsigned? Code has to be at least ad-hoc signed.
>>>
>>> Without signing, the code executes just fine.
>>>
>>> Any idea what to do next ?
>>>
>>> Thanks a lot in advance again,
>>> best
>>>
>>> Alex
>>>
>>>
>>>
>>> --
>>> http://www.carot.de
>>> Email : Alexander at Carot.de
>>> Tel.: +49 (0)177 5719797
>>>
>>>
>>> *Sent:* Wednesday, 08 April 2020 at 14:16
>>> *From:* "Andy" <asmaloney at gmail.com>
>>> *To:* "Alexander Carôt" <Alexander_Carot at gmx.net>
>>> *Cc:* "Nuno Santos" <nunosantos at imaginando.pt>, "qt qt" <
>>> interest at qt-project.org>
>>> *Subject:* Re: [Interest] OSX codesign question
>>> The certificate needs to be added to your Keychain, then you use the
>>> name for it in the codesign command. I think if you double-click the cert
>>> in the Finder it will add it to "My Certificates" properly.
>>>
>>> As Nuno pointed out, the name should look like this:
>>>
>>> "Developer ID Application: ACME_INC (TEAM_IDENTIFIER)"
>>>
>>> Where ACME_INC is the name of the organization you registered with
>>> Apple, and TEAM_IDENTIFIER is a random string.
>>>
>>> When generating a cert on the Apple site there are a few choices that
>>> sound similar - frankly the whole process is confusing - but the cert
>>> must read "Developer ID Application" to do what you want.
>>>
>>> ---
>>> Andy Maloney  //  https://asmaloney.com
>>> twitter ~ @asmaloney <https://twitter.com/asmaloney>
>>>
>>> On Wed, Apr 8, 2020 at 4:08 AM Alexander Carôt <Alexander_Carot at gmx.net>
>>> wrote:
>>>
>>>> Hi Andy and Nuno,
>>>>
>>>>
>>>>
>>>> thanks for your answers - looks like being on a good track now.
>>>>
>>>>
>>>>
>>>> I think the very last problem for me to fix is choosing the correct
>>>> file - so far I have used the certificate I downloaded from the developer
>>>> account like this:
>>>>
>>>>
>>>>
>>>> codesign --deep ./myApp -s development.cer
>>>>
>>>>
>>>>
>>>> but this gives me:
>>>>
>>>>
>>>>
>>>> development.cer: no identity found
>>>>
>>>>
>>>>
>>>> Do you know how to fix this ? Do I probably use the wrong file or is
>>>> there anything else to be changed ?
>>>>
>>>>
>>>>
>>>> Thanks again,
>>>>
>>>> best
>>>>
>>>>
>>>>
>>>> Alex
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> http://www.carot.de
>>>> Email : Alexander at Carot.de
>>>> Tel.: +49 (0)177 5719797
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *From: *Andy <asmaloney at gmail.com>
>>>> *Date: *Monday, 6 April 2020 at 13:34
>>>> *To: *Nuno Santos <nunosantos at imaginando.pt>
>>>> *Cc: *Alexander Carôt <alexander_carot at gmx.net>, qt qt <
>>>> interest at qt-project.org>
>>>> *Subject: *Re: [Interest] OSX codesign question
>>>>
>>>>
>>>>
>>>> I just did this yesterday. I could not get macdeployqt to work either,
>>>> so I do it using the command line in my build process.
>>>>
>>>>
>>>>
>>>> Here's the command line I'm using:
>>>>
>>>>
>>>>
>>>>   codesign --deep --force --verify --verbose --timestamp --options
>>>> runtime --sign "${CODE_SIGNING_ID}" "${APP_PATH}"
>>>>
>>>>
>>>>
>>>> Which signing ID you use depends on where you are releasing your
>>>> application. Nuno gave the command line tool to list them - you can also
>>>> see them under "My Certificates" in the Keychain Access application. To
>>>> distribute a macOS application outside the Apple Store, you want the
>>>> "Developer ID Application" one as Nuno showed.
>>>>
>>>>
>>>>
>>>> Two good sources of info for codesign are "man codesign" and this page:
>>>>
>>>>
>>>>
>>>>
>>>> https://developer.apple.com/library/archive/technotes/tn2206/_index.html
>>>>
>>>>
>>>>
>>>> Once your application is signed, you can use this command to verify it:
>>>>
>>>>
>>>>
>>>>   codesign --verify --deep --strict --verbose=2 "${APP_PATH}"
>>>>
>>>>
>>>>
>>>> Note that you can sign DMGs and ZIP files as well.
>>>>
>>>>
>>>>
>>>> Good luck!
>>>>
>>>>
>>>>
>>>> ---
>>>> Andy Maloney  //  https://asmaloney.com
>>>>
>>>> twitter ~ @asmaloney <https://twitter.com/asmaloney>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Apr 6, 2020 at 6:39 AM Nuno Santos <nunosantos at imaginando.pt>
>>>> wrote:
>>>>
>>>> Alexander,
>>>>
>>>> I don’t use macdeployqt for signing.
>>>>
>>>> I call the codesign command manually in the POST LINK phase.
>>>>
>>>> You need to pass to the code sign the string representing your team.
>>>> You can list the available signing entities with the following command:
>>>>
>>>> > security find-identity -v -p codesigning
>>>>
>>>> Then you need to do something like this:
>>>>
>>>> codesign --deep PATH_TO_BUNDLE -s "Developer ID Application: ACME_INC
>>>> (TEAM_IDENTIFIER)"
>>>>
>>>> Hope it helps!
>>>>
>>>> Best,
>>>>
>>>> Nuno
>>>>
>>>> > On 6 Apr 2020, at 10:32, Alexander Carôt <alexander_carot at gmx.net>
>>>> wrote:
>>>> >
>>>> > Hello all,
>>>> >
>>>> > I want to sign my OSX code in order to have it running on a client's
>>>> machine without the need to right-click and open it.
>>>> >
>>>> > I signed at https://developer.apple.com/ and received my valid
>>>> certificate called "developer.cer".
>>>> >
>>>> > Then I executed
>>>> >
>>>> > macdeployqt myApp.app -dmg -codesign=developer.cer
>>>> >
>>>> > but I got this error:
>>>> >
>>>> > ERROR: "developer.cer: no identity found\n"
>>>> > ERROR: Codesign signing error:
>>>> > ERROR: "developer.cer: no identity found\n"
>>>> > ERROR: codesign verification error:
>>>> > ERROR: "soundjack.app: code object is not signed at all\nIn
>>>> architecture: x86_64\n"
>>>> >
>>>> > Does anyone know what to do ? Is there probably a different/better
>>>> way to sign it ?
>>>> >
>>>> > Thanks a lot in advance,
>>>> > best
>>>> >
>>>> > Alex
>>>> >
>>>> > --
>>>> > http://www.carot.de
>>>> > Email : Alexander at Carot.de
>>>> > Tel.: +49 (0)177 5719797
>>>> >
>>>> > _______________________________________________
>>>> > Interest mailing list
>>>> > Interest at qt-project.org
>>>> > https://lists.qt-project.org/listinfo/interest
>>>>