Sign a Framework for OSX 10.9

Question

After using macdeployqt I sign my application to avoid Gatekeeper problems.

I can use codesign on all the frameworks and everything inside the bundle but when I come to sign the bundle I get an error:

$ codesign --force --verify --verbose --sign "Developer ID Application: My ID" MyApplication.app
MyApplication.app: bundle format unrecognized, invalid, or unsuitable
In subcomponent: /Users/username/Dev/Apps/MyApplication/MyApplication.app/Contents/Frameworks/QtConcurrent.framework

If I check the signature:

$codesign -vvv MyApplication.app/Contents/Frameworks/QtConcurrent.framework/Versions/5/QtConcurrent 
MyApplication.app/Contents/Frameworks/QtConcurrent.framework/Versions/5/QtConcurrent: valid on disk
MyApplication.app/Contents/Frameworks/QtConcurrent.framework/Versions/5/QtConcurrent: satisfies its Designated Requirement

According to http://furbo.org/2013/10/17/code-signing-and-mavericks/ it seems that I should sign the framework bundle something like this

$ codesign --force --verify --verbose --sign "Developer ID Application: My ID" MyApplication.app/Contents/Frameworks/QtConcurrent.framework/Versions/5

but this results in

MyApplication.app/Contents/Frameworks/QtConcurrent.framework/Versions/5: bundle format unrecognized, invalid, or unsuitable

Answer 1

Got the same error this morning. The codesign application seems to be stricter on OSX 10.9

The problem is caused by macdeployqt not copying the Qt framework bundles' info.plist file into the app bundle.

You can work around this problem by telling your script to copy the files manually into the embedded framework's bundle file.

e.g.

$ cp ~/Qt5.2.0/5.2.0-beta1/clang_64/lib/QtCore.framework/Contents/Info.plist MyApplication.app/Contents/Frameworks/QtCore.framework/Resources/

Do this for each of the qt modules your app uses, AFTER calling macdeployqt*, but BEFORE calling codesign. (* or mkdir the destination directories)

Also, call codesign on the framework's folders, not on the version subfolder.

i.e.

$ codesign --force --verify --verbose --sign "Developer ID Application: My ID" MyApplication.app/Contents/Frameworks/QtConcurrent.framework

Hope this helps.

Answer 2

Summary

1. Fix the malformed Qt frameworks by moving the Info.plist to the Resources folder at the current version level in the framework.
2. Use the codesign --deep option to sign all the binaries in the package at once, including frameworks and plugins.

Details

The simplest way to solve this problem is to use the --deep codesign option. This option (which I believe was introduced with Mavericks) will sign all of the binaries in a target package, including the main application binary, and its frameworks and plugins.

However before using this option (or any of the other suggested signing techniques), you must fix the Qt frameworks as per other posts on this thread. For some odd reason, the Qt frameworks as built do not conform to Apple's framework norms and will confuse the codesign tool. This in turn can result in bad behaviors like replacing the top level symlink of a framework with an additional copy of the signed framework binary.

To fix the Qt frameworks, you should copy the Info.plist to a Resources folder in the specific version of the framework, not to the top level of the framework (as has been previously suggested). Also, you might want to throw away the original copy of the Info.plist in the application package framework, since it's basically in the wrong place.

Specifically you should do something like this to fix each framework as needed:

mkdir -p MyKillerApp.app/Contents/Frameworks/QtCore.framework/Versions/Current/Resources
cp lib/QtCore.framework/Contents/Info.plist MyKillerApp.app/Contents/Frameworks/QtCore.framework/Versions/Current/Resources
rm -rf MyKillerApp.app/Contents/Frameworks/QtCore.framework/Contents

The above assumes that there is a "Versions/Current" symlink in the framework. I think that this is the case for all built Qt libraries. But if that's not the case for your build, then you can use the specific version folder name (like "4") rather than the "Current" symlink.

After normalizing the frameworks, you can then use the --deep option to sign all of the binaries in the application package:

codesign --deep --force --verify --sign "Developer ID Application: My ID" MyKillerApp.app

Alternatively if you've enabled codesign at the project level for deployment post processing, you can just pass the --deep option in the "Other Code Signing Flags":

OTHER_CODE_SIGN_FLAGS = --deep

If you have different codesign requirements for your main application than for your frameworks or plugins, you can use a little trick. First you sign with the --deep option using the frameworks/plugins requirements. Then you can sign again with the --force option but without the --deep option, specifying the application level requirements. The result will be that the main application will be signed with the application requirements, and all the sub-binaries will be signed with the frameworks/plugin requirements.

This approach might be considered a bit lazy and wasteful, since you're signing the main application twice. But it's simpler than the alternative of finding and signing all the sub binaries separately from the main application binary.

Answer 3

Thank you very much!

You also have to sign all plugins used by your application

i.e.

$ codesign --force --verify --verbose --sign "Developer ID Application: My ID" MyApplication.app/Contents/PlugIns/imageformats/libqgif.dylib

Best regards,

Rainer