What is the fastest/easiest way - step by step, from the beginning - to "code sign" my Qt app on OS X so that it can be distributed?

Question

I am writing a cross-platform app in Qt (using Qt Creator). One of the target platforms is OS X.

The application is being packaged for installation on OS X by using the BitRock Installer system to create an .app file.

The application is intended for download and use by students and researchers in political science at various different colleges and universities. (A download either from the App Store, or from a product website, is fine.)

I do not need iCloud or any other features associated with the App Store. I just need to be able to distribute this application so that the warning (below) does not appear.

Currently the application is in an alpha-testing state - it is being tested by the product managers only. I would nonetheless prefer to offer the product managers an installation package for OS X that does not present them with the following warning:

The [installer application] can't be opened because it is from an unidentified developer

(And, more importantly, when the application is released, I also don't want this warning to appear for end users.)

I understand that I need to prepare my application for distribution by using an Apple Developer account and properly signing the application.

I have created a developer account, and I am attempting to follow the steps in the link to sign my application and prepare it for distribution.

However, because the application is built in Qt, not Xcode, I do not know how to follow the steps through to completion, because some of the key steps assume that Xcode is being used.

I have searched for any questions that might describe how to prepare Qt applications on OS X for distribution, but come up empty.

(Further, I would also prefer to have a set of steps provided that is as simple as possible - preferably simpler than the steps provided in the above link - in any case.)

What is the simplest possible set of steps that will allow me to code sign my application, developed with Qt, on OS X, so that it can be distributed?

Answer 1

Prepare .app file

This is a step by step guide to create a signed package which can be uploaded to the Mac App Store, or distributed independently as a standalone application + installer:

• Check app icon - it should have all sizes (16x16, 32x32, 64x64, 128x128, 256x256, 512x512, 1024x1024). (See https://stackoverflow.com/a/21028483/368896)

• Add compile options for proper generation of debugging symbols:

  QMAKE_CFLAGS += -gdwarf-2 QMAKE_CXXFLAGS += -gdwarf-2

  (noting that QMAKE_CFLAGS may not be highlighted by Qt Creator as valid, but still may need to be included - see here)

• Settings should be saved in a directory with same name as bundle identifier.

• Check the application's Info.plist file. It should contain the correct bundle identifier and minimum MacOS X version of 10.6.6.

  (Note: though Qt Creator automatically generates a default info.plist file that is placed inside the .app bundle, it is also possible to create your own file and have this automatically used instead. See this link for a sample info.plist file that works with Qt and the App Store, and note that QMAKE_INFO_PLIST does work to use a custom file (see comments in that link).)

  (Also, see notes below about how to obtain a bundle identifier.)

  (The minimum OS X version - which should be set to 10.6.6 or later - can be set with the following line in the .pro file: QMAKE_MACOSX_DEPLOYMENT_TARGET = 10.6 - but if you use a custom info.plist file, this setting won't take effect, so you must include the proper setting in your custom info.plist anyways; see previous link for the entry that should be used in the file.)

• You also need certificates to sign your application and installer: open “Keychain Access” (use Mac OS X search) -> double click on each certificate (look in the kind column for these) and enter password -> check added certificates in Keychain Access.

Register application in iTunesConnect

• Log in to your developer account at http://itunesconnect.apple.com (which will reroute you to https://, but you may need to first enter http://)

  (Note: If you do not already have one, you must first create a Mac Developer Account, $99/year, in order to proceed.)

• Click on “Manage your apps” -> “Add new app”

• If application has no Bundle ID - create it.

Creating a new Bundle ID is not intuitive.

To create a new Bundle ID:

-> Log in to the Developer Center website: This is a different site (perhaps open it in a new tab): http://developer.apple.com.

-> Click Member Center near the very top right (next to the search bar)

-> Click on Manage your certificates, App IDs, devices, and provisioning profiles (underneath Certificates, Identifiers & Profiles)

-> Click on App IDs in the left navigation bar (in the Identifiers section) (This might already be selected.)

-> Click on + button

-> The screen you now see (Register Mac App ID / Registering an App ID) is the screen you use to create a new bundle identifier

-> Enter the necessary information. Write anything for the App ID Description (it can contain only a short line of text)

The Explicit App ID field is actually the new Bundle ID. Type a reverse URL here, such as com.mydomain.myapp. A website or server does not actually need to exist at this URL. You just make one up here, but of course you can use one that already exists if you wish.

-> Click Continue, then Submit if you're satisfied, then Done

Now be sure to go back to the previous section, and add the Bundle ID you have just created to the custom info.plist file.

Also save the Team ID in case you need it later - this is the string that precedes the Bundle > > ID (called the prefix) that you see when you look at the details of the Bundle ID you've just > > > created in the Developer Center.

• Now, go back to the iTunesConnect website. (Perhaps in another tab - this is not the Developer Center website.)

• In the App Information section, select language. Then, enter app name. Make up a random string of characters for the SKU field (I use something of the format 2436-7623-7782-8327). Finally, select the Bundle ID. Click Continue.

• Select availability date (simply as far as possible, for now - currently, it's only possible to make it available for at most 2 years). Select price tier (can be any - customer can change later). Click Continue.

• Enter detailed application information on the following screen, and click Save.

• Click “View Details” in app page -> Click “Ready to upload binary” -> On summary page click on link “latest version of Application Loader” and download it -> Click “Continue”.

Creating and Uploading installer

• Check application Info.plist - enter right bundle id, app name, category.

• Build application in release mode.

• Extract debug symbols. At the command line:

  dsymutil MyApp.app/Contents/MacOS/MyApp -o MyApp.app.dSYM

• Execute the helper program macdeployqt (included with Qt). At the command line:

  /path/to/macdeployqt /path/to/myapp.app

  (macdeployqt can be found in QTDIR/bin. See this link for a handful of official details.)

  Running macdeployqt modifies your existing application by incorporating the necessary Qt frameworks internal to the .app bundle and changing various other internal settings in the application.

• Codesign application:

Codesigning is a tricky step.

(1) Obtaining a DISTRIBUTION CERTIFICATE

You must first create a Distribution certificate, if you don't already have one. (Not a Developer certificate.)

(The following steps are taken from this link, with a correction regarding the certificate type)

-> Open Xcode (version 5 as of this writing) -> Navigate to Xcode > Preferences -> Click the Accounts tab -> If you have not already done so, add the Apple ID that is registered in the Mac Developer Program -> Select the Apple ID that you want to use, and click View Details -> In the window that opens, click Add (+) and then select Mac App Distribution.

(2) Code signing the application with the Distribution Certificate

To properly codesign, every .framework and .dylib inside the .app bundle must FIRST be signed; and then the .app itself must be signed. See critical steps in bottom paragraph of this grey block before you codesign the internal Qt frameworks - and be sure to do this first.

The command to sign the internal libraries/frameworks, and the command to sign the main .app, is the same:

codesign -s "3rd Party Mac Developer Application: Daniel Nissenbaum (S6V5TT9QRL)" –-entitlements MyEntitlements.plist MyApp.app

The --entitlements MyEntitlements.plist option is only necessary if you actually have entitlements beyond the basic defaults. I (Dan Nissenbaum) did not select additional privileges for my app when I created the Bundle ID in Developer Center (such as ability to access iCloud, push notifications, etc.). So, I left off the --entitlements option, and I have not looked into how to obtain a MyEntitlements.plist file.

Note regarding the -s argument: See paragraph below for information about finding the correct name to use (this is the Distribution Certificate "Common Name").

This codesign command is for the main .app. To codesign the internal (Qt) libraries/frameworks, which must be done first, use the proper path; i.e., in the command above, use MyApp.app/Contents/Frameworks/QtCore.framework rather than MyApp.app - and note that the path to the libraries/frameworks must be just to the root of the internal library/framework bundle, not to inside the internal library/framework bundle.

Various other internal .dylibs or .frameworks may also need to be signed, in addition to the Qt .frameworks - if you try to sign your main application but have not signed all of the internal .dylibs/.frameworks, you will receive an error indicating another internal .dylib/.framework that needs signing. Just proceed through them all. In my case, there were about 10 additional .dylibs that needed to be signed after I completed signing the Qt .frameworks.

Once you have the developer certificate, you need to find the name of the certificate for use with the codesign process. Open "Keychain Access" (to find this, simply type "Keychain Access" into the Search bar in the Finder, and locate the application from among the results returned). In the main list that you see when Keychain Access runs, you will see your Developer certificate among various other things. There will also be some other certificates - ignore those. It should be obvious which certificate is the correct one. In my case (which is standard, I assume), the certificate name is "3rd Party Mac Developer Application: Daniel Nissenbaum (S6V5TT9QRL)". This is the official name of the certificate, to be used as the -s argument to codesign, but to really confirm this, double-click on the certificate and in the info window that appears, have a look at the "Common Name". The value of Common Name is the official text to use as the -s argument of codesign.

Note regarding a complication with codesign'ing the internal Qt frameworks. As of today, when macdeployqt is run, the Qt frameworks are not fully copied correctly into the .app bundle. They are missing their Info.plist file. But these necessary Info.plist files DO exist inside the Qt installation. You can simply use the Finder to copy them. (For example on my system, the required Info.plist file for the QtWidgets.framework framework has this path (where "Qt" corresponds to the root path of your Qt installation): Qt/5.1.1/clang_64/lib/QtWidgets.framework/Contents/Info.plist. This is to be copied into MyApp.app/Contents/Frameworks/QtWidgets.framework/Resources. Ditto for all of the other Qt frameworks that were copied into the MyApp.app bundle by macdeployqt. See https://stackoverflow.com/a/19639825/368896 for more details.exists and is enabled for code

• Create installer (a different certificate is required; see comment):

  productbuild –-component ./MyApp.app /Applications –-sign "3rd Party Mac Developer Installer: Daniel Nissenbaum (S6V5TT9QRL)" MyApp.pkg

  Note that a different certificate is required to be used as the argument to the --sign parameter. The certificate has type "Mac Installer Certificate", rather than "Mac App Distribution" (the type of the certificate used with codesign, above). To create this certificate, follow the same steps above, but select Mac Installer Certificate as the type. Use its Common Name as the argument to the --sign parameter here.

  The ./ preceeding the application name might be important. Also, use the same argument to the --sign parameter that you did when you ran codesign - the Common Name of your Developer certificate. See above.

• Check the installer:

  sudo installer -store -pkg MyApp.pkg -target /

• If there are no errors, you now have a legitimate Mac application, packaged into a legitimate Mac installer, both of which can be distributed to anyone. You can distribute them by simply sending them the .pkg file (via website, Dropbox, etc.), or you can upload to the Mac App Store.

• I have not confirmed these steps, which are for actually uploading the application to the Mac App Store: Open Application Loader and sign in with Apple Developer Account -> Select “Deliver Your App” -> Choose right AppID -> Click on “Choose…” button on “Application Information” page and select created pkg file -> Click “Send”.

Additional information

• Information about entitlements
• Information about Info.plist
• Additional information about deploying app to Mac AppStore

Answer 2

First, see Sign Qt applications on Mac with Developer ID and Sign a Framework for OSX 10.9

Basically,

1. compile your application
2. run macdeployqt
3. check using otool -L ... the dependencies of all your frameworks, libraries and plugins
4. use install_name_tool -change ... to change any dependencies not properly deployed to inside the bundle
5. sign your frameworks and bundle (see the 2 links given above)

You will need to pay Apple for a developer ID to be able to sign your application otherwise your users will have to deal with Gatekeeper.