Qt Frameworks issues with MacOS notarization
-
Hello, thanks for the link you provided, but they did not solve our issue.
We are now trying to go down themacdeployqtpath, but there must be something going on when it copies the Qt Frameworks in the Contents/Frameworks/ folder because somehow it skips (at least) one of the required frameworks.At this point there are a few things I need to figure out: how does macdeployqt know which frameworks need to be copied inside the bundle? I have checked in the output of
otool -Lcommand and the framework is listed there. Is it anything I must check somewhere else? Is it possible to specify manually which frameworks we want to add? Is it something we need to check in our .cmake files?Thank you again
-
macdeployqt uses macOS tools to gather the required information. What was the missing framework ?
Recent version of the tool got fixed with regard to some missing framework or plugins.
-
macdeployqt uses macOS tools to gather the required information. What was the missing framework ?
Recent version of the tool got fixed with regard to some missing framework or plugins.
@SGaist QtOpenGL. It caused the
macdeployqtcommand to fail during the signing process, so I tried to add it manually (usingcp -Rcommand) and to re-sign the bundle callingcodesignbut it gave the "unsealed contents" error again.
This is why I asked if there is a way to specify manually the frameworks to be added bymacdeployqtor a way to figure out why it is not adding it -
Can you check with the windeployqt version coming with the latest Qt 5.14 ?
Note that Qt 5.12.7 has been released, you might also want to upgrade. -
Can you check with the windeployqt version coming with the latest Qt 5.14 ?
Note that Qt 5.12.7 has been released, you might also want to upgrade.@SGaist I just tried with Qt 5.14.1 and this time
macdeployqtwas successful. There are still some notarization issues with the hardened runtime and some default entitlements I granted to the app but at least the frameworks look in place now. Thank you for your help -
Not sure if it will help in anything, but I used this script on a .dmg and it works well (although not reliably - Apple randomly rejects notarization calls, but it's usually to wait a bit and run it again).
-
Can you check with the windeployqt version coming with the latest Qt 5.14 ?
Note that Qt 5.12.7 has been released, you might also want to upgrade.@SGaist and @p_Each, i am facing the same problem. I have tried this in 5.12.4 and 5.14.1. The entire application gets code signed but notarization and sptcl fails because of "unsealed contents present in the root directory of an embedded framework". Spctl specifically mentions unsealed contents and when i try "codesign --verify --verbose=4 --deep" on any Qt framework. I have also tried verifying every component of the framework using the codesign command in the framework but it states that they are valid on disk and satisfies its Designated Requirement. The only file which has no code-signature in the framework is the CodeResources file created by the codesign itself and placed in the _CodeSignature folder.
I have created the following symbolic links:
QtGui.framework |_ QtGui -> Versions/Current/QtGui |_ Resources -> Versions/Current/Resources |_ Info.plist |_ Versions |_ 5 |_ QtGui |_ Resources |_ _CodeSignature |_ CodeResources |_ A -> 5 |_ Current -> 5Codesign command:
"codesign --force --verify --verbose --entitlements 'abc.plist' --sign 'Developer ID Application: ABC (XYZ)' --timestamp --options=runtime --strict QtGui.framework/Versions/5 " -
@SGaist and @p_Each, i am facing the same problem. I have tried this in 5.12.4 and 5.14.1. The entire application gets code signed but notarization and sptcl fails because of "unsealed contents present in the root directory of an embedded framework". Spctl specifically mentions unsealed contents and when i try "codesign --verify --verbose=4 --deep" on any Qt framework. I have also tried verifying every component of the framework using the codesign command in the framework but it states that they are valid on disk and satisfies its Designated Requirement. The only file which has no code-signature in the framework is the CodeResources file created by the codesign itself and placed in the _CodeSignature folder.
I have created the following symbolic links:
QtGui.framework |_ QtGui -> Versions/Current/QtGui |_ Resources -> Versions/Current/Resources |_ Info.plist |_ Versions |_ 5 |_ QtGui |_ Resources |_ _CodeSignature |_ CodeResources |_ A -> 5 |_ Current -> 5Codesign command:
"codesign --force --verify --verbose --entitlements 'abc.plist' --sign 'Developer ID Application: ABC (XYZ)' --timestamp --options=runtime --strict QtGui.framework/Versions/5 "@angadhanoa hi and welcome to devnet,
IIRC, there was a thread recently about the same issue which was solved. Keep searching the forum.
-
@angadhanoa hi and welcome to devnet,
IIRC, there was a thread recently about the same issue which was solved. Keep searching the forum.
@SGaist Thanks, I will. This is giving me a lot of headache. At first i was thinking that i have the same issue but that was not it. Once again, thank you. i will try to find that thread.
-
We had a similar problem. There does not appear to be any purpose for a lot of the stuff that Qt Creator piles into the ".app" file, and it interferes with Apple Notarization.
We solved the problem by simply creating a command file that deletes the conflicting files:
# Clean out detritus that prevents notarization cd foo.app find . -name "*.h" -delete find . -name "*.prl" -delete find . -name "*.cstemp" -delete find . -name "Headers" -delete find ./ -name "*_debug" -delete
