Unable to sign app bundle using Qt frameworks on OS X 10.10


Problem description

I am having trouble signing a Qt-based application on OS X. I am using Qt 5.3.2.

I have read various information sources that contain contradictory information.

Here is the content of my application bundle after I run the bin/macdeployqt Qt utility:

SimpleHello.app/
    Contents/
        Info.plist
        PkgInfo
        Frameworks/
            QtCore.framework/
                Resources/
                Versions/
                    5/
                        QtCore
            QtGui.framework/  ... same as Qt core
            QtPrintSupport.framework/  ... same as Qt core
            QtWidgets.framework/  ... same as Qt core
        MacOS/
            SimpleHello
        PlugIns/ ... some plugins
        Resources/
            empty.lproj
            qt.conf

First:

I tried: http://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/

However, it seems that it is not valid anymore in OS X 10.10 Yosemite.

Second:

I tried: Sign a Framework for OSX 10.9

I was able to sign the whole application without any error. However, when running spctl to verify the validity of the application, I get

spctl -a -vvvv SimpleHello.app
SimpleHello.app/: rejected
source=obsolete resource envelope
origin=Developer ID Application: MY CERTIFICATE

Additionally when verifying signature with codesign, I get this:

codesign --verify --deep --verbose=4 SimpleHello.app
--prepared:/My/Path/SimpleHello.app/Contents/Frameworks/QtCore.framework
--validated:/My/Path/SimpleHello.app/Contents/Frameworks/QtCore.framework
SimpleHello.app/: embedded framework contains modified or invalid version
In subcomponent: /My/Path/SimpleHello.app/Contents/Frameworks/QtCore.framework

Third:

Added the --no-strict option in codesign verification according to: Error when export archive

It fixes the issue with codesign verification but does not fix the spctl issue.

Fourth:

I tried adding the --no-legacy-signing option when signing frameworks. However, I get this error when verifying the bundle signature (both with codesign and spctl):

codesign --verify --deep --verbose=4 SimpleHello.app
SimpleHello.app/: code has no resources but signature indicates they must be present

Fifth:

Modified the framework structure according to: http://qt-project.org/forums/viewthread/47768 and https://gist.github.com/kingcheez/6154462d7734e0c0f3a4

In this case I get this error when trying to sign frameworks

SimpleHello.app/Contents/Frameworks/QtCore.framework: unsealed contents present in the root directory of an embedded framework
SimpleHello.app/Contents/Frameworks/QtGui.framework: unsealed contents present in the root directory of an embedded framework
SimpleHello.app/Contents/Frameworks/QtPrintSupport.framework: unsealed contents present in the root directory of an embedded framework
SimpleHello.app/Contents/Frameworks/QtWidgets.framework: unsealed contents present in the root directory of an embedded framework

EDIT: It seems that the issue with the unsealed contents present in the root directory of an embedded framework was because one of the symlinks was malformed. It was:

QtCore.framework.framework/Versions/Current -> 5/

Instead of

QtCore.framework.framework/Versions/Current -> 5

After this fix, I still get the same result as in Sixth though.

Sixth:

Added the --no-strict option when calling codesign for Frameworks. I was able to sign all frameworks except for one

SimpleHello.app//Contents/Frameworks/QtCore.framework: signed bundle with Mach-O thin (x86_64) [.]
SimpleHello.app//Contents/Frameworks/QtGui.framework: signed bundle with Mach-O thin (x86_64) [.]
SimpleHello.app//Contents/Frameworks/QtPrintSupport.framework: code object is not signed at all
In subcomponent: /My/Path/SimpleHello.app/Contents/Frameworks/QtPrintSupport.framework/Versions/Current/QtPrintSupport
SimpleHello.app//Contents/Frameworks/QtWidgets.framework: signed bundle with Mach-O thin (x86_64) [.]

Seventh:

I posted this question since I don't know what to look for anymore

Solution

After digging a bit more, I figured out what the issue in section seventh was: some of the Qt frameworks contain bad information in their Info.plist files (the framework name ends with _debug).

I came up with this script that fixes all issues (there are still a few hardcoded values that could probably get processed with some improvement to the script):

#!/bin/bash
# Script name: deploy.sh

# Following environment variables must be defined:
# - QT_FRAMEWORK_PATH
# - QT_BIN_PATH
# - CERTIFICATE
# - FRAMEWORKS
# - BAD_FRAMEWORKS


# retrieve bundle name from first parameter (quoted so names with spaces work)
BUNDLE_NAME="$1"

# Run QT tool to deploy
"${QT_BIN_PATH}/macdeployqt" "$BUNDLE_NAME"

# FIX ISSUE 6
# Please note that Qt5 frameworks have incorrect layout after SDK build, so this isn't just a problem with `macdeployqt` but whole framework assembly part.
# Present
#   QtCore.framework/
#       Contents/
#           Info.plist
#       QtCore    -> Versions/Current/QtCore
#       Versions/
#           Current -> 5
#           5/
#               QtCore
# After macdeployqt
#   QtCore.framework/
#       Resources/
#       Versions/
#           5/
#               QtCore
#
# Expected
#   QtCore.framework/
#       QtCore    -> Versions/Current/QtCore
#       Resources -> Versions/Current/Resources
#       Versions/
#           Current -> 5
#           5/
#               QtCore
#               Resources/
#                   Info.plist
# So in order to comply with expected layout: https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPFrameworks/Concepts/FrameworkAnatomy.html

# FRAMEWORKS is a space-separated list, so it is intentionally left unquoted here
for CURRENT_FRAMEWORK in ${FRAMEWORKS}; do
    echo "Processing framework: ${CURRENT_FRAMEWORK}"

    echo "Deleting existing resource folder"
    rmdir "${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Resources"

    echo "create resource folder"
    mkdir -p "${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Versions/5/Resources"

    echo "create copy resource file"
    cp "${QT_FRAMEWORK_PATH}/${CURRENT_FRAMEWORK}.framework/Contents/Info.plist" "${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Versions/5/Resources/"

    echo "create symbolic links"
    ln -nfs 5                                       "${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Versions/Current"
    ln -nfs "Versions/Current/${CURRENT_FRAMEWORK}" "${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/${CURRENT_FRAMEWORK}"
    ln -nfs Versions/Current/Resources              "${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Resources"
done

# FIX ISSUE 7
echo "***** Correct Frameworks Info.plist file*****"

for CURRENT_FRAMEWORK in ${BAD_FRAMEWORKS}; do
    echo "Correcting bad framework Info.plist: ${CURRENT_FRAMEWORK}"
    # Read the whole file first, then write it back without the _debug suffix
    TMP=$(sed 's/_debug//g' "${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Resources/Info.plist")
    echo "$TMP" > "${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Resources/Info.plist"
done

# SIGNING FIXED FRAMEWORK
# Order matters: nested code (helper apps, frameworks, plugins) is signed
# before the bundle that contains it.
CODESIGN_OPTIONS="--verbose=4"

#echo "******* Sign QtWebEngineProcess ***********"
#codesign --force --verify ${CODESIGN_OPTIONS} --sign "$CERTIFICATE" $BUNDLE_NAME/Contents/Frameworks/QtWebEngineCore.framework/Versions/Current/Helpers/QtWebEngineProcess.app
echo "******* Sign Frameworks-subApps ***********"
codesign --force --verify ${CODESIGN_OPTIONS} --sign "$CERTIFICATE" "$BUNDLE_NAME"/Contents/Frameworks/*.framework/Versions/*/*/*.app

echo "******* Signing Frameworks ***********"
for CURRENT_FRAMEWORK in ${FRAMEWORKS}; do
    echo "Signing framework: ${CURRENT_FRAMEWORK}"
    codesign --force --verify ${CODESIGN_OPTIONS} --sign "$CERTIFICATE" "$BUNDLE_NAME/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework"
done

# Sign plugins
# The directory is named PlugIns in the bundle listing; the exact case matters on case-sensitive volumes
echo "******* Signing Plugins ***********"
codesign --force --verify ${CODESIGN_OPTIONS} --sign "${CERTIFICATE}" "${BUNDLE_NAME}"/Contents/PlugIns/*/*.dylib


# Sign bundle itself
echo "******* Signing Bundle ***********"
codesign --force --verify ${CODESIGN_OPTIONS} --sign "$CERTIFICATE" "$BUNDLE_NAME"

# Verify

echo "******* Verify Bundle ***********"
codesign --verify --deep ${CODESIGN_OPTIONS} "$BUNDLE_NAME"


echo "******* Verify Bundle using spctl ***********"
spctl -a -vvvv "$BUNDLE_NAME"

As for calling the script:

# Define environment variables
export QT_FRAMEWORK_PATH=/Path/To/Qt_5.3.2/5.3/clang_64/lib
export QT_BIN_PATH=/Path/To/Qt_5.3.2/5.3/clang_64/bin
export CERTIFICATE="Developer ID Application: My Certificate"
export FRAMEWORKS="QtCore QtGui QtPrintSupport QtWidgets"
export BAD_FRAMEWORKS="QtPrintSupport"

# Call itself
deploy.sh SimpleHello.app

With this script, the final output is:

SimpleHello.app/: accepted
source=Developer ID
origin=Developer ID Application: My Certificate (HASH)
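
An added example, not part of the original answer: a check that can run before any `codesign` call to catch the two defects this page describes, a `Versions/Current` link stored as `5/` instead of `5` and an Info.plist that still carries a `_debug` name, plus a framework root that does not match the expected layout. The function names `expect_link`, `check_framework` and `make_sample` and the sample trees are assumptions made for this illustration.

```shell
#!/bin/bash
# expect_link LINK TARGET: symlink LINK must store exactly TARGET ("5/" != "5").
expect_link() {
    [ -L "$1" ] || { echo "$1: not a symbolic link"; return 1; }
    [ "$(readlink "$1")" = "$2" ] && return 0
    echo "$1: points to '$(readlink "$1")', expected '$2'"; return 1
}

# check_framework FRAMEWORK_DIR VERSION: print each problem; return 0 if clean.
check_framework() {
    local fw="${1%/}" ver="$2" name plist entry bad=0
    name="$(basename "$fw" .framework)"
    expect_link "$fw/Versions/Current" "$ver" || bad=1
    expect_link "$fw/$name" "Versions/Current/$name" || bad=1
    expect_link "$fw/Resources" "Versions/Current/Resources" || bad=1
    plist="$fw/Versions/$ver/Resources/Info.plist"
    if [ ! -f "$plist" ]; then
        echo "$plist: missing"; bad=1
    elif grep -q '_debug' "$plist"; then
        echo "$plist: contains a _debug name"; bad=1
    fi
    # The framework root should hold only Versions/ and symlinks into it.
    for entry in "$fw"/*; do
        if [ ! -L "$entry" ] && [ -e "$entry" ] &&
           [ "$(basename "$entry")" != Versions ]; then
            echo "$entry: real file or directory in framework root"; bad=1
        fi
    done
    return "$bad"
}

# make_sample DIR NAME LINK PLIST_NAME: build a constructed sample tree.
make_sample() {
    local fw="$1/$2.framework"
    mkdir -p "$fw/Versions/5/Resources"
    : > "$fw/Versions/5/$2"
    echo "<string>$4</string>" > "$fw/Versions/5/Resources/Info.plist"
    ln -s "$3" "$fw/Versions/Current"
    ln -s "Versions/Current/$2" "$fw/$2"
    ln -s Versions/Current/Resources "$fw/Resources"
}

# Demo on constructed samples: the two defects described on this page.
tmp="$(mktemp -d)"
make_sample "$tmp" QtCore 5/ QtCore
make_sample "$tmp" QtPrintSupport 5 QtPrintSupport_debug
check_framework "$tmp/QtCore.framework" 5
check_framework "$tmp/QtPrintSupport.framework" 5
rm -rf "$tmp"
```

To check a deployed bundle, call `check_framework` on each directory under `SimpleHello.app/Contents/Frameworks` after the layout fix and before the signing steps.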
