[Interest] OSX codesign question

Michael Jackson mike.jackson at bluequartz.net
Thu Apr 9 22:11:00 CEST 2020


The application is trying to load the Qt frameworks that are *outside* of the .app package. If you do an “otool -L” on the actual executable within the .app package (SoundJack.app/Contents/MacOS/SoundJack), all non-system dependencies that get listed should start with @rpath/something. If you see *any* kind of absolution path in there such as /Users/soulalex/Qt/5.12.0/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets then the .app package has not been properly “fixed up” to create a portable .app package.

 

A quick way to verify if you have at least packaged SOundJack correctly is to run the macdeployqt application. Now before you start the application rename /Users/soulalex/Qt/5.12.0 to /Users/soulalex/Qt/5.12.0.bak and then start the application. If it starts OK then you are good, if you get a crash because the Qt libraries could not be found then something went wrong. If you are using CMake by chance then you can try using the “BundleUtilties” to “fix up” the .app package. For our application we ended up doing a combination of BundleUtilities and our own custom shell script.

 

 

--

Michael Jackson | Owner, President

      BlueQuartz Software, LLC

[e] mike.jackson at bluequartz.net

[w] www.bluequartz.net

 

From: Interest <interest-bounces at qt-project.org> on behalf of Alexander Carôt <alexander_carot at gmx.net>
Date: Wednesday, April 8, 2020 at 12:29 PM
To: Andy <asmaloney at gmail.com>
Cc: qt qt <interest at qt-project.org>
Subject: Re: [Interest] OSX codesign question

 

Hej Nuno and Andy,

 

thanks a lot - yes, it is confusing but you helped to achieve progress, however, some probably last issue to be solved:

 

What works is this:

 

soulalex at alexandarotsMBP SJC % codesign --deep --force --verify --verbose --timestamp --options runtime --sign "52EF48168234769E0FE34C92B157ED7200626FD7" ./soundjack.app r

./soundjack.app: signed app bundle with Mach-O thin (x86_64) [com.yourcompany.soundjack]

soulalex at alexandarotsMBP SJC % codesign --verify --deep --strict --verbose=2 ./soundjack.app 

./soundjack.app: valid on disk

./soundjack.app: satisfies its Designated Requirement

 

So - this seems to be fine - otherwise please complain :-)

 

Now comes the problem:

When I execute the app now it tells me:

 

soulalex at alexandarotsMBP SJC % ./soundjackMac.sh
dyld: Library not loaded: @rpath/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets
  Referenced from: /Users/soulalex/Desktop/wip/XP-shared/Soundjack/SJC/./soundjack.app/Contents/MacOS/soundjack
  Reason: no suitable image found.  Did find:
    /Users/soulalex/Qt/5.12.0/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets: code signature in (/Users/soulalex/Qt/5.12.0/clang_64/lib/QtMultimediaWidgets.framework/Versions/5/QtMultimediaWidgets) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.

 

Without signation the code executes just fine.

 

Any idea what to do next ?

 

Thanks a lot in advance again,

best

 

Alex

 

 

 

--
http://www.carot.de
Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797

  

  

Gesendet: Mittwoch, 08. April 2020 um 14:16 Uhr
Von: "Andy" <asmaloney at gmail.com>
An: "Alexander Carôt" <Alexander_Carot at gmx.net>
Cc: "Nuno Santos" <nunosantos at imaginando.pt>, "qt qt" <interest at qt-project.org>
Betreff: Re: [Interest] OSX codesign question

The certificate needs to be added to your Keychain, then you use the name for it in the codesign command. I think if you double-click the cert in the Finder it will add it to "My Certificates" properly.

 

As Nuno pointed out, the name should look like this:

 

"Developer ID Application: ACME_INC (TEAM_IDENTIFER) )”

 

Where ACME_INC is the name of the organization you registered with Apple, and TEAM_IDENTIFER is a random string.

 

When generating a cert on the Apple site there are a few choices that sound similar - frankly the whole process is confusing - but the cert must must read "Developer ID Application" to do what you want.

 

---
Andy Maloney  //  https://asmaloney.com 

twitter ~ @asmaloney

  

On Wed, Apr 8, 2020 at 4:08 AM Alexander Carôt <Alexander_Carot at gmx.net> wrote:

Hi Andy and Nuno,

 

thanks for your answers - looks like being on a good track now.

 

I think the very last problem for me to fix is choosing the correct file - so far I have used the certificate I downloaded from the developer account like this:

 

codesign --deep ./myApp -s development.cer

 

but this give me:

 

development.cer: no identity found

 

Do you know how to fix this ? Do I probably use the wrong file or is there anything else to be changed ?

 

Thanks again,

best

 

Alex

 

-- 

http://www.carot.de
Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797

 

 

Von: Andy <asmaloney at gmail.com>
Datum: Montag, 6. April 2020 um 13:34
An: Nuno Santos <nunosantos at imaginando.pt>
Cc: Alexander Carôt <alexander_carot at gmx.net>, qt qt <interest at qt-project.org>
Betreff: Re: [Interest] OSX codesign question

 

I just did this yesterday. I could not get macdeployqt to work either, so I do it using the command line in my build process.

 

Here's the command line I'm using:

 

  codesign --deep --force --verify --verbose --timestamp --options runtime --sign "${CODE_SIGNING_ID}" "${APP_PATH}"

 

Which signing ID you use depends on where you are releasing your application. Nuno gave the command line tool to list them - you can also see them under "My Certificates" in the Keychain Access application. To distribute a macOS application outside the Apple Store, you want the "Developer ID Application" one as Nuno showed.

 

Two good sources of info for codesign are "man codesign" and this page:

 

 https://developer.apple.com/library/archive/technotes/tn2206/_index.html

 

Once your application is signed, you can use this command to verify it:

 

  codesign --verify --deep --strict --verbose=2 "${APP_PATH}"

 

Note that you can sign DMGs and ZIP files as well.

 

Good luck!

 

---
Andy Maloney  //  https://asmaloney.com

twitter ~ @asmaloney

 

 

 

On Mon, Apr 6, 2020 at 6:39 AM Nuno Santos <nunosantos at imaginando.pt> wrote:

Alexander,

I don’t use macdeployqt for signing.

I call the codesign command manually in the POST LINK phase.

You need to pass to the code sign the string representing your team. You can list the available signing entities with the following command:

> security find-identity -v -p codesigning

Then you need to do something like this:

codesign --deep PATH_TO_BUNDLE -s "Developer ID Application: ACME_INC (TEAM_IDENTIFER) )”

Hope it helps!

Best,

Nuno

> On 6 Apr 2020, at 10:32, Alexander Carôt <alexander_carot at gmx.net> wrote:
>
> Hello all,
>
> I want to sign my OSX code in order to have it running on a client's machine without the need to right-click and open it.
>
> I signed at https://developer.apple.com/ and received my valid certificate called "developer.cer".
>
> Then I exectued
>
> macdeployqt myApp.app -dmg -codesign=developer.cer
>
> but I got this error:
>
> ERROR: "developer.cer: no identity found\n"
> ERROR: Codesign signing error:
> ERROR: "developer.cer: no identity found\n"
> ERROR: codesign verification error:
> ERROR: "soundjack.app: code object is not signed at all\nIn architecture: x86_64\n"
>
> Does anyone know what to do ? Is there probably a different/better way to sign it ?
>
> Thanks a lot in advance,
> best
>
> Alex
>
> --
> http://www.carot.de
> Email : Alexander at Carot.de
> Tel.: +49 (0)177 5719797
>
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest

_______________________________________________
Interest mailing list
Interest at qt-project.org
https://lists.qt-project.org/listinfo/interest

_______________________________________________ Interest mailing list Interest at qt-project.org https://lists.qt-project.org/listinfo/interest 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20200409/8bb1555c/attachment-0001.html>


More information about the Interest mailing list