[Interest] Fw: Aw: Re: codesign issue with Qt6.9.1
alexander_carot at gmx.net
Fri Oct 3 14:30:26 CEST 2025
Hej Michael and all,
thanks for the feedback in this context!
>> I just ran into similar using 6.9.3. I too moved signing out of separate step with “--deep” enabled and into
>>macdeployqt6 without the deep option. This enabled me to successfully notarize
After updating to Qt6.10.0 I just tried the same with *only* running
macdeployqt6 my.app
and then checked it via:
codesign --verify --deep --strict --verbose=2 ./my.app
leading to:
./my.app: valid on disk
./my.app: satisfies its Designated Requirement
but then notarising it via:
xcrun notarytool submit app.zip --keychain-profile myProfile --wait
leads to:
status: Invalid
In fact, I received a couple of private mails with suggestions for further action and workarounds, but is this really the way the process should be?
Best
Alex
From: Nelson, Michael <michael.nelson at otthydromet.com>
Date: Thursday, 2 October 2025 at 23:28
To: alexander_carot at gmx.net <alexander_carot at gmx.net>, interest at qt-project.org <interest at qt-project.org>
Subject: RE: [Interest] Fw: Aw: Re: codesign issue with Qt6.9.1
Hello,
I just ran into similar using 6.9.3. I too moved signing out of separate step with “--deep” enabled and into macdeployqt6 without the deep option. This enabled me to successfully notarize. My understanding is that “--deep” is to be avoided generally, as it can lead to unexpected/unneeded outcomes. Google/Copilot suggests it is known to break Apple notarization because “Apple's notarization process expects a specific structure and signing order. --deep can violate these expectations”.
Perhaps you need --deep nevertheless but thought I’d point out my experience here.
Best regards,
MICHAEL NELSON | Sr. Software Engineer
T +1 (703) 406-2800, 341
michael.nelson at otthydromet.com | www.otthydromet.com
Confidential - Company Proprietary
From: Interest <interest-bounces at qt-project.org> On Behalf Of alexander_carot--- via Interest
Sent: Thursday, October 2, 2025 4:24 PM
To: interest at qt-project.org
Subject: [Interest] Fw: Aw: Re: codesign issue with Qt6.9.1
Hi all,
see subject – with Qt6.9.1 now I sign this way:
macdeployqt my.app -codesign="myAccount"
and then
codesign --options=runtime --entitlements ./deployment/entitlements.xml --force ./my.app -s "myAccount"
checking this via
codesign --verify --deep --strict --verbose=2 ./myApp.app
it says "valid on disc" - so all is fine.
However, now a new issue comes up: When I zip it and load it up to notarise it via:
xcrun notarytool submit myApp.zip --keychain-profile MYKEYCHAIN --wait
then it eventually fails with:
status: invalid
Thus, I went back to Qt6.5.3 and signed in the same way and also received the INVALID status at the very end.
Deploying and Signing via:
macdeployqt my.app
codesign --options=runtime --entitlements ./deployment/entitlements.xml --deep ./my.app -s "myAccount"
does work out and leads to valid status but unfortunately this does not work out with Qt6.9.1 because it refuses to take the --deep statement.
Can anyone advise how to achieve VALID status with the above structure using Qt6.9 ?
Thanks and
best
Alex
--
http://www.carot.de
Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797
Sent: Thursday, 18 September 2025 at 20:49
From: "Alexander Carôt" <alexander_carot at gmx.net>
To: Kai.Koehne at qt.io, hamish at risingsoftware.com, interest at qt-project.org
Subject: Aw: Re: [Interest] codesign issue with Qt6.9.1
Hello Kai,
>>Any reason you don’t use macdeployqt -codesign=“My dev account” ? This should do deep signing...
when I do this and I check the result via
codesign --verify --deep --strict --verbose=2 ./myApp.app
it looks fine:
./myApp.app: valid on disk
./myApp.app: satisfies its Designated Requirement
but indeed I need to include the entitlements:
--entitlements ./deployment/entitlements.xml
which seems to not work when combining it via macdeployqt or am I mistaken on this ?
Any further help appreciated,
thanks beforehand and
best
Alex
--
http://www.carot.de
Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797
Sent: Thursday, 18 September 2025 at 17:44
From: "Kai Köhne via Interest" <interest at qt-project.org>
To: "Hamish Moffatt" <hamish at risingsoftware.com>, "interest at qt-project.org" <interest at qt-project.org>
Subject: Re: [Interest] codesign issue with Qt6.9.1
Confidential
>On 17/09/2025 8:31 pm, Alexander Carôt via Interest wrote:
>> Hello all,
>>
>> I just upgraded from Qt6.5.3 to Qt 6.9.1 – it's all fine except that now the codesigning fails. I typically do:
>>
>> macdeployqt My.app
>>
>> codesign --options=runtime --entitlements ./deployment/entitlements.xml --deep ./My.app -s "My dev account"
>
> According to the manual, --deep is deprecated - probably because it’s
> unreliable. You're expected to recurse all of the frameworks yourself, I
> think.
Any reason you don’t use macdeployqt -codesign=“My dev account” ? This should do deep signing...
>I don't know why codesign is so bad. But also I'm surprised that Qt is
> still shipping the official binaries unsigned.
Huh, they are signed?
Regards
Kai
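
Added example, not code from any poster in this thread or from Qt or Apple: the suggestion above to recurse the frameworks yourself instead of passing --deep, written as a shell script that signs nested code deepest-first and applies the entitlements only to the outer app. The function names, the CODESIGN dry-run override and the suffix list are assumptions of this example.

```shell
#!/bin/sh
# Added example: inside-out signing without --deep.
# Assumptions: the suffix list is a common convention, not a complete
# definition of nested code; extra executables in Contents/MacOS are not
# covered. Set CODESIGN=echo to print the calls instead of signing.

# List nested code of a bundle, deepest first, relative to the bundle.
# find -depth emits a directory's contents before the directory itself,
# so a helper .app inside a framework is listed before that framework.
# Symlinks are skipped so each item is signed once, via its real path.
nested_code_inside_out() {
    (cd "$1" && find . -depth \( -name '*.dylib' -o -name '*.framework' \
        -o -name '*.xpc' -o -name '*.appex' -o -name '*.app' \) \
        ! -type l -print) | sed 's|^\./||'
}

# Sign every nested item, then the outer bundle last.
# Hardened runtime and a secure timestamp go on every signature because
# notarization requires both; entitlements go on the outer app only.
sign_inside_out() {
    app=$1 identity=$2 entitlements=$3
    nested_code_inside_out "$app" | while IFS= read -r item; do
        ${CODESIGN:-codesign} --force --timestamp --options runtime \
            --sign "$identity" "$app/$item" || exit 1
    done || return 1
    ${CODESIGN:-codesign} --force --timestamp --options runtime \
        --entitlements "$entitlements" --sign "$identity" "$app"
}

# Usage: ./sign.sh my.app "myAccount" ./deployment/entitlements.xml
if [ "$#" -eq 3 ]; then
    sign_inside_out "$1" "$2" "$3"
fi
```

Running it with CODESIGN=echo first shows the exact order and arguments before any signature is touched.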