norulez | 13 Feb 23:14 2012

Re: [Qt-interest] Latest on Mac App Store + sandboxing?

Hi,

I also had trouble with this after Lion came out last year.
In short: you must use codesign for each file in your bundle, except for frameworks (see point 1).

1.) use codesign for all your frameworks (e.g. Bundle/Contents/Frameworks/QtGui.framework)
2.) use codesign for all your plugins (e.g. Bundle/Contents/PlugIns/imageformats/libqgif.dylib)
3.) use codesign with the entitlements file on your bundle
4.) run productbuild
5.) test the created package with the installer

I hope this helps

Best Regards
NoRulez

On 13.02.2012 at 20:16, Paul Miller <paul <at> fxtech.com> wrote:

> As the Sandbox deadline is now March 1, today I tried to submit an 
> update to one of my Mac App Store apps and received an email with this 
> information:
> 
> "Invalid Signature - the executable 
> <application>.app/Contents/Frameworks/QtCore.framework/Versions/4/QtCore 
> is not signed, the signature is invalid, or it is not signed with an 
> Apple submission certificate. Refer to the Code Signing and Application 
> Sandboxing Guide for more information.
> 
> Invalid Signature - the executable 

Paul Miller | 13 Feb 23:22 2012

Re: [Qt-interest] Latest on Mac App Store + sandboxing?

On 2/13/2012 4:14 PM, norulez <at> me.com wrote:
> Hi,
>
> I also had trouble with this after Lion came out last year.
> In short: you must use codesign for each file in your bundle, except for frameworks (see point 1).
>
> 1.) use codesign for all your frameworks (e.g. Bundle/Contents/Frameworks/QtGui.framework)
> 2.) use codesign for all your plugins (e.g. Bundle/Contents/PlugIns/imageformats/libqgif.dylib)
> 3.) use codesign with the entitlements file on your bundle
> 4.) run productbuild
> 5.) test the created package with the installer
>
> I hope this helps

Yes - that stuff makes sense (and I'm glad there is a manual way to sign 
the Qt frameworks). However, I've always just used Build+Archive and the 
Organizer to do this stuff. Can you outline how I would replace those 
steps with manual codesign and productbuild commands?

Cheers!

NoRulez | 13 Feb 23:48 2012

Re: [Qt-interest] Latest on Mac App Store + sandboxing?

I also tried it this way, but I want to be able to generate packages on a build server, so in my case the command line tools are simpler ;-)

I had made a mistake in the example (point 2) in the last mail, here are "all" steps copied from my project

So, let's say the bundle identifier in this example is called BUNDLE (bundle.app) and the project PROJECT

The APPLICATION_CERTIFICATE and INSTALLER_CERTIFICATE are the certificates which you have installed from http://developer.apple.com.
APPLICATION_CERTIFICATE is something like "3rd Party Mac Developer Application: YOUR NAME"
INSTALLER_CERTIFICATE is something like "3rd Party Mac Developer Installer: YOUR NAME"

I use the following steps (Maybe you can handle this in a qmake's project file (*.pro) as a post build process, I use CMake as the build system so that way it is easier for me):

1.) macdeployqt BUNDLE
2.) remove unnecessary directories and files (plugins, frameworks and so on)
3.) unlock the keychain (/usr/bin/security unlock-keychain $HOME/Library/Keychains/login.keychain)
4.) Sign all frameworks (/usr/bin/codesign --force --verbose --verify --sign "APPLICATION_CERTIFICATE" BUNDLE/Contents/Frameworks/QtGui.framework/Versions/4/QtGui)
5.) Sign all plugins (/usr/bin/codesign --force --verbose --verify --sign "APPLICATION_CERTIFICATE" BUNDLE/Contents/PlugIns/imageformats/libqgif.dylib)
6.) Sign the application bundle (/usr/bin/codesign --force --verbose --verify --sign "APPLICATION_CERTIFICATE" BUNDLE)
7.) Run productbuild (/usr/bin/productbuild --component "BUNDLE" /Applications --sign "INSTALLER_CERTIFICATE" --product "BUNDLE/Contents/Info.plist" PROJECT.pkg)
8.) Try it with the installer (/usr/sbin/installer -store -pkg PROJECT.pkg -target /)

That's it

Best Regards
NoRulez
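
The signing and packaging steps (4 to 7) from the message above as one script, added here as an example and not NoRulez's own build code: it signs nested frameworks and plug-ins before the bundle that contains them, passes the entitlements file only when signing the bundle, and prints the commands instead of running them unless `DRY_RUN=0`. The function names, `DRY_RUN` and the entitlements argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Function names, DRY_RUN and the
# entitlements argument are assumptions; certificate names are placeholders.

# Print every code object to sign: nested code first, the bundle itself last.
signing_order() {
    bundle=${1%/}
    for fw in "$bundle"/Contents/Frameworks/*.framework; do
        [ -d "$fw" ] || continue
        name=$(basename "$fw" .framework)
        for bin in "$fw"/Versions/*/"$name"; do
            # Skip the Versions/Current symlink so each binary appears once.
            if [ -f "$bin" ] && [ ! -L "${bin%/*}" ]; then
                printf '%s\n' "$bin"
            fi
        done
    done
    if [ -d "$bundle/Contents/PlugIns" ]; then
        find "$bundle/Contents/PlugIns" -type f -name '*.dylib' | LC_ALL=C sort
    fi
    printf '%s\n' "$bundle"
}

# Print the command when DRY_RUN is 1 (the default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@" </dev/null; fi
}

# Sign in that order; only the bundle itself gets the entitlements file.
sign_bundle() {
    bundle=${1%/} cert=$2 entitlements=$3
    signing_order "$bundle" | while IFS= read -r item; do
        if [ "$item" = "$bundle" ]; then
            run /usr/bin/codesign --force --verbose --sign "$cert" \
                --entitlements "$entitlements" "$item"
        else
            run /usr/bin/codesign --force --verbose --sign "$cert" "$item"
        fi || exit 1   # stop at the first failed signature
    done
}

# Check the finished signature, then build the installer package.
package_bundle() {
    run /usr/bin/codesign --verify --verbose "$1" &&
    run /usr/bin/productbuild --component "$1" /Applications \
        --sign "$2" --product "$1/Contents/Info.plist" "$3"
}
```

Run it after `macdeployqt` and the cleanup step, with the keychain unlocked, so the list of nested code it signs matches what ships in the package.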

Paul Miller | 14 Feb 15:09 2012

Re: [Qt-interest] Latest on Mac App Store + sandboxing?

On 2/13/2012 4:48 PM, NoRulez wrote:
> I also tried it this way, but I want to be able to generate packages on
> a build server, so in my case the command line tools are simpler ;-)
>
> I had made a mistake in the example (point 2) in the last mail, here are
> "all" steps copied from my project
>
> So, let's say the bundle identifier in this example is called BUNDLE
> (bundle.app) and the project PROJECT
>
> The APPLICATION_CERTIFICATE and INSTALLER_CERTIFICATE are the
> certificates which you have installed from http://developer.apple.com.
> APPLICATION_CERTIFICATE is something like "3rd Party Mac Developer
> Application: YOUR NAME"
> INSTALLER_CERTIFICATE is something like "3rd Party Mac Developer
> Installer: YOUR NAME"
>
> I use the following steps (Maybe you can handle this in a qmake's
> project file (*.pro) as a post build process, I use CMake as the build
> system so that way it is easier for me):
>
> 1.) macdeployqt BUNDLE
> 2.) remove unnecessary directories and files (plugins, frameworks and so on)
> 3.) unlock the keychain (/usr/bin/security unlock-keychain
> $HOME/Library/Keychains/login.keychain)
> 4.) Sign all frameworks (/usr/bin/codesign --force --verbose --verify
> --sign "APPLICATION_CERTIFICATE"
> BUNDLE/Contents/Frameworks/QtGui.framework/Versions/4/QtGui)
> 5.) Sign all plugins (/usr/bin/codesign --force --verbose --verify
> --sign "APPLICATION_CERTIFICATE"
> BUNDLE/Contents/PlugIns/imageformats/libqgif.dylib)
> 6.) Sign the application bundle (/usr/bin/codesign --force --verbose
> --verify --sign "APPLICATION_CERTIFICATE" BUNDLE)
> 7.) Run productbuild (/usr/bin/productbuild --component "BUNDLE"
> /Applications --sign "INSTALLER_CERTIFICATE" --product
> "BUNDLE/Contents/Info.plist" PROJECT.pkg)
> 8.) Try it with the installer (/usr/sbin/installer -store -pkg
> PROJECT.pkg -target /)
>
> That's it

Thanks for that - that was VERY helpful!

In fact, all I did was manually sign the two Qt Frameworks in my bundle 
and then used Build+Archive (since I'm using Xcode) to rebuild the 
installer. We'll see what they say!
