Sign a Framework for OSX 10.9

Question

After using macdeployqt I sign my application to avoid Gatekeeper problems.

I can use codesign on all the frameworks and everything inside

Answer 1

I use this script to correct the QT 4.8 frameworks before codesigning. Hope this helps. It took me and a coworker about 3-4 days to figure this out (this was before the blog post by QT).

# we need to massage qt frameworks so they get codesigned by the new codesign
# more information about this $#@$!@# piece of $@#$@$!
# http://blog.qt.digia.com/blog/2014/10/29/an-update-on-os-x-code-signing/

QT_LIB_DIR=$(qmake -query QT_INSTALL_LIBS)
for i in $(find "$APP/Contents/Frameworks/" -name Qt\*.framework); do
   FW_NAME=$(basename "$i")
   FW_SHORTNAME=$(basename -s ".framework" "$i")
   mv "$i/Resources" "$i/Versions/4"
   ln -s Versions/Current/Resources "$i/"
   ln -s Versions/Current/${FW_SHORTNAME} "$i/${FW_SHORTNAME}"
   ln -s 4 "$i/Versions/Current"
   cp "${QT_LIB_DIR}/${FW_NAME}/Contents/Info.plist" "$i/Resources"
   chmod u+w "$i/Resources/Info.plist"
   # now comes the real magic, we have to add CFBundleIdentifier and CFBundleVersion to the Info.plist
   awk "/<\/dict>/{print \"<key>CFBundleIdentifier</key>\n<string>org.qt-project.${FW_SHORTNAME}</string>\"}1" "$i/Resources/Info.plist" > "$i/Resources/Info.plist.tmp"
   mv "$i/Resources/Info.plist.tmp" "$i/Resources/Info.plist"
   awk '/<\/dict>/{print "<key>CFBundleVersion</key>\n<string>4.8</string>"}1' "$i/Resources/Info.plist" > "$i/Resources/Info.plist.tmp"
   mv "$i/Resources/Info.plist.tmp" "$i/Resources/Info.plist"
done

Answer 2

I wrote up a script based on Benoît's answer that does the work of patching the .app: https://gist.github.com/kainjow/8059407

The code:

#!/usr/bin/env ruby

# Copies missing Info.plist files for a .app's Qt frameworks installed
# from macdeployqt. Without the plists, 'codesign' fails on 10.9 with
# "bundle format unrecognized, invalid, or unsuitable".
#
# Example usage:
# ruby macdeployqt_fix_frameworks.rb /Users/me/Qt5.2.0/5.2.0/clang_64/ MyProgram.app
#
# Links:
# https://bugreports.qt-project.org/browse/QTBUG-23268
# http://stackoverflow.com/questions/19637131/sign-a-framework-for-osx-10-9
# http://qt-project.org/forums/viewthread/35312

require 'fileutils'

qtdir = ARGV.shift
dotapp = ARGV.shift

abort "Missing args." if !qtdir || !dotapp
abort "\"#{qtdir}\" invalid" if !File.exists?(qtdir) || !File.directory?(qtdir)
abort "\"#{dotapp}\" invalid" if !File.exists?(dotapp) || !File.directory?(dotapp)

frameworksDir = File.join(dotapp, 'Contents', 'Frameworks')
Dir.foreach(frameworksDir) do |framework|
next if !framework.match(/^Qt.*.framework$/)
fullPath = File.join(frameworksDir, framework)
destPlist = File.join(fullPath, 'Resources', 'Info.plist')
next if File.exists?(destPlist)
srcPlist = File.join(qtdir, 'lib', framework, 'Contents', 'Info.plist')
abort "Source plist not found: \"#{srcPlist}\"" if !File.exists?(srcPlist)
FileUtils.cp(srcPlist, destPlist)
end 

Answer 3

Got the same error this morning. The codesign application seems to be stricter on OSX 10.9

The problem is caused by macdeployqt not copying the Qt framework bundles' info.plist file into the app bundle.

You can work around this problem by telling your script to copy the files manually into the embedded framework's bundle file.

e.g.

$ cp ~/Qt5.2.0/5.2.0-beta1/clang_64/lib/QtCore.framework/Contents/Info.plist MyApplication.app/Contents/Frameworks/QtCore.framework/Resources/

Do this for each of the qt modules your app uses, AFTER calling macdeployqt*, but BEFORE calling codesign. (* or mkdir the destination directories)

Also, call codesign on the framework's folders, not on the version subfolder.

i.e.

$ codesign --force --verify --verbose --sign "Developer ID Application: My ID" MyApplication.app/Contents/Frameworks/QtConcurrent.framework

Hope this helps.

Answer 4

According to Apple docs you need to sign version folders, not the framework itself. I've tried that and run into two issues. First of all, some of the Info.plist files of Qt frameworks have incorrect executable names (a _debug suffix). After fixing that I've managed to sign all the frameworks the "Apple way". However, after doing that I was unable to sign the main app and got errors about the Qt frameworks I've just signed.

So the weird but working solution is to sign framework folders instead. This works even with incorrect executable names in Info.plist files.

Answer 5

Thank you very much!

You also have to sign all plugins used by your application

i.e.

$ codesign --force --verify --verbose --sign "Developer ID Application: My ID" MyApplication.app/Contents/PlugIns/imageformats/libqgif.dylib

Best regards,

Rainer

Answer 6

Summary

1. Fix the malformed Qt frameworks by moving the Info.plist to the Resources folder at the current version level in the framework.
2. Use the codesign --deep option to sign all the binaries in the package at once, including frameworks and plugins.

Details

The simplest way to solve this problem is to use the --deep codesign option. This option (which I believe was introduced with Mavericks) will sign all of the binaries in a target package, including the main application binary, and its frameworks and plugins.

However before using this option (or any of the other suggested signing techniques), you must fix the Qt frameworks as per other posts on this thread. For some odd reason, the Qt frameworks as built do not conform to Apple's framework norms and will confuse the codesign tool. This in turn can result in bad behaviors like replacing the top level symlink of a framework with an additional copy of the signed framework binary.

To fix the Qt frameworks, you should copy the Info.plist to a Resources folder in the specific version of the framework, not to the top level of the framework (as has been previously suggested). Also, you might want to throw away the original copy of the Info.plist in the application package framework, since it's basically in the wrong place.

Specifically you should do something like this to fix each framework as needed:

mkdir -p MyKillerApp.app/Contents/Frameworks/QtCore.framework/Versions/Current/Resources
cp lib/QtCore.framework/Contents/Info.plist MyKillerApp.app/Contents/Frameworks/QtCore.framework/Versions/Current/Resources
rm -rf MyKillerApp.app/Contents/Frameworks/QtCore.framework/Contents

The above assumes that there is a "Versions/Current" symlink in the framework. I think that this is the case for all built Qt libraries. But if that's not the case for your build, then you can use the specific version folder name (like "4") rather than the "Current" symlink.

After normalizing the frameworks, you can then use the --deep option to sign all of the binaries in the application package:

codesign --deep --force --verify --sign "Developer ID Application: My ID" MyKillerApp.app

Alternatively if you've enabled codesign at the project level for deployment post processing, you can just pass the --deep option in the "Other Code Signing Flags":

OTHER_CODE_SIGN_FLAGS = --deep

If you have different codesign requirements for your main application than for your frameworks or plugins, you can use a little trick. First you sign with the --deep option using the frameworks/plugins requirements. Then you can sign again with the --force option but without the --deep option, specifying the application level requirements. The result will be that the main application will be signed with the application requirements, and all the sub-binaries will be signed with the frameworks/plugin requirements.

This approach might be considered a bit lazy and wasteful, since you're signing the main application twice. But it's simpler than the alternative of finding and signing all the sub binaries separately from the main application binary.