Qt Frameworks issues with MacOS notarization
-
Hi, thank you for your answer. I am using Qt 5.12.2 and yes, I did check for hidden files but even when I removed them the issue persisted.
What I have saw from other tests I made in the meantime is that if I structure a framework in a way more "Apple-like" (meaning that the Versions folder contain an A folder and a Current symlink pointing to A instead of a 5) the bundle is correctly signed and validated.
Unfortunately it does not run because there are some runpaths of some framework which I have not been able to correct with install_name_tool command and are still set to QtFramework/Versions/5/QtFramework instead of QtFramework/Versions/A/QtFramework.
We have always been able to build the app with the qt frameworks but since we upgraded to Mojave 10.14.6 we need to sign (and from next month on) t notarize our app bundle to successfully distribute it outside the App Store
-
Looks like there's something related on the bug report system
-
Hello, thanks for the link you provided, but they did not solve our issue.
We are now trying to go down themacdeployqt
path, but there must be something going on when it copies the Qt Frameworks in the Contents/Frameworks/ folder because somehow it skips (at least) one of the required frameworks.At this point there are a few things I need to figure out: how does macdeployqt know which frameworks need to be copied inside the bundle? I have checked in the output of
otool -L
command and the framework is listed there. Is it anything I must check somewhere else? Is it possible to specify manually which frameworks we want to add? Is it something we need to check in our .cmake files?Thank you again
-
macdeployqt uses macOS tools to gather the required information. What was the missing framework ?
Recent version of the tool got fixed with regard to some missing framework or plugins.
-
@SGaist QtOpenGL. It caused the
macdeployqt
command to fail during the signing process, so I tried to add it manually (usingcp -R
command) and to re-sign the bundle callingcodesign
but it gave the "unsealed contents" error again.
This is why I asked if there is a way to specify manually the frameworks to be added bymacdeployqt
or a way to figure out why it is not adding it -
Can you check with the windeployqt version coming with the latest Qt 5.14 ?
Note that Qt 5.12.7 has been released, you might also want to upgrade. -
@SGaist I just tried with Qt 5.14.1 and this time
macdeployqt
was successful. There are still some notarization issues with the hardened runtime and some default entitlements I granted to the app but at least the frameworks look in place now. Thank you for your help -
@SGaist and @p_Each, i am facing the same problem. I have tried this in 5.12.4 and 5.14.1. The entire application gets code signed but notarization and sptcl fails because of "unsealed contents present in the root directory of an embedded framework". Spctl specifically mentions unsealed contents and when i try "codesign --verify --verbose=4 --deep" on any Qt framework. I have also tried verifying every component of the framework using the codesign command in the framework but it states that they are valid on disk and satisfies its Designated Requirement. The only file which has no code-signature in the framework is the CodeResources file created by the codesign itself and placed in the _CodeSignature folder.
I have created the following symbolic links:
QtGui.framework |_ QtGui -> Versions/Current/QtGui |_ Resources -> Versions/Current/Resources |_ Info.plist |_ Versions |_ 5 |_ QtGui |_ Resources |_ _CodeSignature |_ CodeResources |_ A -> 5 |_ Current -> 5
Codesign command:
"codesign --force --verify --verbose --entitlements 'abc.plist' --sign 'Developer ID Application: ABC (XYZ)' --timestamp --options=runtime --strict QtGui.framework/Versions/5 "
-
@angadhanoa hi and welcome to devnet,
IIRC, there was a thread recently about the same issue which was solved. Keep searching the forum.
-
We had a similar problem. There does not appear to be any purpose for a lot of the stuff that Qt Creator piles into the ".app" file, and it interferes with Apple Notarization.
We solved the problem by simply creating a command file that deletes the conflicting files:
# Clean out detritus that prevents notarization cd foo.app find . -name "*.h" -delete find . -name "*.prl" -delete find . -name "*.cstemp" -delete find . -name "Headers" -delete find ./ -name "*_debug" -delete