Qt application, correctly signed and notarized, does not launch the first time

Hello,
I am at a loss.

My software (ossia.io) is correctly signed and notarized, as indicated by the result of the following commands if I'm not mistaken.

Yet, every time I publish a new build, the first time it is launched on a separate Mac (not my developer machine, which makes me think it's a Gatekeeper issue), the program closes immediately (I do not get any popup or whatever, I just see the icon for a few seconds in the dock). Then the next time it launches normally. I'm confident that it's not a crash; I'm not getting crash logs anywhere.

Code Block bash
$ codesign --verify --deep --strict --verbose=2 score.app
--prepared:/Users/jcelerier/score-ossia-sdk/inst/score.app/Contents/MacOS/ossia-score-vstpuppet.app
--prepared:/Users/jcelerier/score-ossia-sdk/inst/score.app/Contents/MacOS/ossia-score-vst3puppet.app
--validated:/Users/jcelerier/score-ossia-sdk/inst/score.app/Contents/MacOS/ossia-score-vstpuppet.app
--validated:/Users/jcelerier/score-ossia-sdk/inst/score.app/Contents/MacOS/ossia-score-vst3puppet.app
score.app: valid on disk
score.app: satisfies its Designated Requirement
$ spctl -a -t exec -vv score.app
score.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: ossia.io (GRW9MHZ724)


What can I do? I saw https://developer.apple.com/forums/thread/115418 and https://developer.apple.com/forums/thread/128497 but this has not been very helpful.

Also, my binary is statically linked against Qt (and all its other dependencies): the binary only relies on macOS-provided libs and does not ship any executable code except for its main binaries and two helper tools (similarly statically linked against their dependencies):

Code Block bash
$ otool -L score.app/Contents/MacOS/score
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1677.104.0)
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1677.104.0)
/usr/lib/libedit.3.dylib (compatibility version 2.0.0, current version 3.0.0)
/usr/lib/libxml2.2.dylib (compatibility version 10.0.0, current version 10.9.0)
/usr/lib/libbz2.1.0.dylib (compatibility version 1.0.0, current version 1.0.5)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 902.1.0)
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (compatibility version 1.0.0, current version 52.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)
/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CoreMIDI.framework/Versions/A/CoreMIDI (compatibility version 1.0.0, current version 69.0.0)
/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 1061.141.1)
/System/Library/Frameworks/GSS.framework/Versions/A/GSS (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
/System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo (compatibility version 1.2.0, current version 1.5.0)
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 23.0.0)
/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
/System/Library/Frameworks/ForceFeedback.framework/Versions/A/ForceFeedback (compatibility version 1.0.0, current version 1.0.2)
/System/Library/Frameworks/IOBluetooth.framework/Versions/A/IOBluetooth (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox (compatibility version 1.0.0, current version 1000.0.0)
/System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (compatibility version 2.0.0, current version 162.0.0)
/System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
/System/Library/Frameworks/CoreMedia.framework/Versions/A/CoreMedia (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/VideoDecodeAcceleration.framework/Versions/A/VideoDecodeAcceleration (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/VideoToolbox (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate (compatibility version 1.0.0, current version 4.0.0)
/usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)
/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
/System/Library/Frameworks/IOSurface.framework/Versions/A/IOSurface (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libcups.2.dylib (compatibility version 2.0.0, current version 2.14.0)
/System/Library/Frameworks/CoreText.framework/Versions/A/CoreText (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/ImageIO.framework/Versions/A/ImageIO (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Metal.framework/Versions/A/Metal (compatibility version 1.0.0, current version 212.8.0)
/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current version 1355.22.0)
/System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1894.60.100)
/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 59306.140.5)
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 1069.24.0)
/System/Library/Frameworks/AGL.framework/Versions/A/AGL (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork (compatibility version 1.0.0, current version 0.0.0)
/System/Library/Frameworks/ColorSync.framework/Versions/A/ColorSync (compatibility version 1.0.0, current version 4.7.0)
/System/Library/Frameworks/CoreImage.framework/Versions/A/CoreImage (compatibility version 1.0.1, current version 5.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

Also, my binary is statically linked against Qt

Well, that’s a good start.

What do your entitlements look like? You can dump these using:

Code Block
% codesign -d --entitlements :- score.app


Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, thanks for your quick answer.
Here are the entitlements:

Code Block xml
Executable=/Applications/score.app/Contents/MacOS/score
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.app-sandbox</key>
<false/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.assets.music.read-write</key>
<true/>
<key>com.apple.security.files.downloads.read-write</key>
<true/>
<key>com.apple.security.device.firewire</key>
<true/>
<key>com.apple.security.device.microphone</key>
<true/>
<key>com.apple.security.device.usb</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.device.bluetooth</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.files.bookmarks.app-scope</key>
<true/>
</dict>
</plist>


Here is also a cleaner log of a single "first run" of the app: paste.ofcode.org/387PDMEeidkygVE8EBMSfzU

More information:
  • I have tried disabling Gatekeeper with sudo spctl --master-disable but I am seeing the same behaviour... so maybe it isn't a Gatekeeper issue after all.

  • If I launch the software from the terminal, through its executable directly:

/Applications/score.app/Contents/MacOS/score

then it works without issue?

So I thought, maybe it is more of a LaunchServices issue?
But I tried doing

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -R -f score.app

and that does not help.
With lsregister I noticed something:

before the first launch, there is the line

bundle flags: launch-disabled (0000000000000080)

for my app. It disappears after the first launch.
Also, if I remove manually the com.apple.quarantine attribute, it launches correctly:

Code Block
$ xattr -d com.apple.quarantine score.app

Also, if I remove manually the com.apple.quarantine attribute, it
launches correctly

Right, because this is a Gatekeeper problem and, for most software, Gatekeeper only kicks in if the software is quarantined.

Here are the entitlements:

Thanks. I’ll note that you have library validation disabled (com.apple.security.cs.disable-library-validation). Why? Does your app need to load plug-ins from other third parties (which is the most common reason that you’d need to disable it)?

For context, disabling library validation makes it harder to pass Gatekeeper. Library validation is a critical security feature, so if you disable it then Gatekeeper runs extra checks to try to rule out the sorts of security vulnerabilities that library validation prevents.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Why? Does your app need to load plug-ins from other third parties
(which is the most common reason that you’d need to disable it)?

Yes, exactly. This is an audio sequencer which must be able to load VST, VST3, etc... audio plug-ins from third-parties. (Other examples are Cubase, Ableton Live, Bitwig Studio, Ardour, Reaper...)
What I don't really understand then is that the second time my app launches without any issues and the "quarantine" attribute seems to be removed automatically? So ultimately, the checks do pass, no?

What I don't really understand then is that the second time my app
launches without any issues

See Testing a Notarised Product for my recommendation on how best to get reliable results from Gatekeeper.

This is an audio sequencer which must be able to load VST, VST3,
etc... audio plug-ins from third-parties.

OK, then disabling library validation is absolutely the right thing to do (you’d be surprised how many folks mistakenly disable it).

As to what’s causing your Gatekeeper issue, my experience is that Qt apps commonly have a wide variety of structural problems that make Gatekeeper grumpy. To help us narrow down the search space I’d like you to temporarily re-enable library validation — that is, remove the com.apple.security.cs.disable-library-validation — and then retest. Does your app pass Gatekeeper in that case?



If so, it’s likely that one of the code items in your app has a rogue load command. To track these down, first find all the Mach-O images in your app:

Code Block
% find MyApp.app -type f -print0 | xargs -0 file | grep Mach-O


Then use otool to dump the load commands in each one:

Code Block
% otool -l /path/to/your/mach-o


Look for commands that reference a library, like LC_LOAD_DYLIB, or that set up a library search path, like LC_RPATH. The paths involved should all either be absolute paths that reference system libraries (in /usr/lib or /System/Library/Frameworks) or relative paths that resolve to inside your app’s bundle. I suspect you’ll find that there’s a path to some other absolute location, like a Qt build directory.

Let us know what you uncover.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
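
The check described in the reply above, as an added example that is not part of the original thread and not Apple's or the project's code: it classifies every dylib reference and rpath in `otool -l` output as a system path, a bundle-relative path, or a rogue absolute path. The function names and the sample input (including the build-directory path) are constructed for illustration.

```shell
#!/bin/sh
# classify_load_commands: reads `otool -l` text on stdin and prints
# "<verdict> <load command> <path>" for every dylib reference and rpath.
classify_load_commands() {
    awk '
        $1 == "cmd" { cmd = $2; next }
        # Dylib-loading commands carry a "name" field, LC_RPATH a "path" field.
        ($1 == "name" && cmd ~ /^LC_(LOAD|LOAD_WEAK|REEXPORT|LAZY_LOAD|LOAD_UPWARD)_DYLIB$/) ||
        ($1 == "path" && cmd == "LC_RPATH") {
            p = $0
            sub(/^[ \t]*(name|path)[ \t]+/, "", p)  # drop the field label
            sub(/ \(offset [0-9]+\)$/, "", p)       # drop the "(offset N)" trailer
            if (p ~ /^\/usr\/lib\// || p ~ /^\/System\/Library\/Frameworks\//)
                verdict = "system"      # absolute path to a system library
            else if (p ~ /^@(executable_path|loader_path|rpath)(\/|$)/)
                verdict = "relative"    # still has to resolve inside the bundle
            else
                verdict = "ROGUE"       # e.g. a leftover build directory
            print verdict, cmd, p
        }'
}

# rogue_paths: only the entries that need attention.
rogue_paths() { classify_load_commands | awk '$1 == "ROGUE"'; }

# Constructed sample resembling `otool -l` output (not from the thread).
sample_otool_output() {
    cat <<'EOF'
Load command 11
          cmd LC_LOAD_DYLIB
      cmdsize 96
         name /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
      current version 1677.104.0
compatibility version 150.0.0
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 48
         name /usr/lib/libz.1.dylib (offset 24)
Load command 13
          cmd LC_LOAD_DYLIB
      cmdsize 64
         name @rpath/QtCore.framework/Versions/5/QtCore (offset 24)
Load command 14
          cmd LC_RPATH
      cmdsize 40
         path @executable_path/../Frameworks (offset 12)
Load command 15
          cmd LC_RPATH
      cmdsize 48
         path /Users/builder/Qt/5.15.0/clang_64/lib (offset 12)
EOF
}

sample_otool_output | classify_load_commands
```

On a Mac, pipe the `otool -l` output of each Mach-O image found by the `find` command into `rogue_paths`; an empty result matches the "system or bundle-relative only" condition described above.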
Hello,
I ran the following command to check the linked libs:
Code Block bash
$ find score.app -type f -print0 | xargs -0 file | grep Mach-O | cut -d ':' -f 1 | while IFS= read -r exe; do
    # Quote the path so that names containing spaces are passed to otool intact
    otool -l "$exe" | grep DYLIB -A2 | grep name
done | sort | uniq
name /System/Library/Frameworks/AGL.framework/Versions/A/AGL (offset 24)
name /System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation (offset 24)
name /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate (offset 24)
name /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (offset 24)
name /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (offset 24)
name /System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox (offset 24)
name /System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit (offset 24)
name /System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork (offset 24)
name /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (offset 24)
name /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (offset 24)
name /System/Library/Frameworks/ColorSync.framework/Versions/A/ColorSync (offset 24)
name /System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio (offset 24)
name /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (offset 24)
name /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (offset 24)
name /System/Library/Frameworks/CoreImage.framework/Versions/A/CoreImage (offset 24)
name /System/Library/Frameworks/CoreMIDI.framework/Versions/A/CoreMIDI (offset 24)
name /System/Library/Frameworks/CoreMedia.framework/Versions/A/CoreMedia (offset 24)
name /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (offset 24)
name /System/Library/Frameworks/CoreText.framework/Versions/A/CoreText (offset 24)
name /System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo (offset 24)
name /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration (offset 24)
name /System/Library/Frameworks/ForceFeedback.framework/Versions/A/ForceFeedback (offset 24)
name /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (offset 24)
name /System/Library/Frameworks/GSS.framework/Versions/A/GSS (offset 24)
name /System/Library/Frameworks/IOBluetooth.framework/Versions/A/IOBluetooth (offset 24)
name /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (offset 24)
name /System/Library/Frameworks/IOSurface.framework/Versions/A/IOSurface (offset 24)
name /System/Library/Frameworks/ImageIO.framework/Versions/A/ImageIO (offset 24)
name /System/Library/Frameworks/Metal.framework/Versions/A/Metal (offset 24)
name /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL (offset 24)
name /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore (offset 24)
name /System/Library/Frameworks/Security.framework/Versions/A/Security (offset 24)
name /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (offset 24)
name /System/Library/Frameworks/VideoDecodeAcceleration.framework/Versions/A/VideoDecodeAcceleration (offset 24)
name /System/Library/Frameworks/VideoToolbox.framework/Versions/A/VideoToolbox (offset 24)
name /usr/lib/libSystem.B.dylib (offset 24)
name /usr/lib/libbz2.1.0.dylib (offset 24)
name /usr/lib/libc++.1.dylib (offset 24)
name /usr/lib/libcups.2.dylib (offset 24)
name /usr/lib/libedit.3.dylib (offset 24)
name /usr/lib/libiconv.2.dylib (offset 24)
name /usr/lib/libncurses.5.4.dylib (offset 24)
name /usr/lib/libobjc.A.dylib (offset 24)
name /usr/lib/libxml2.2.dylib (offset 24)
name /usr/lib/libz.1.dylib (offset 24)


and everything seems to be in /System/Library/Frameworks or /usr/lib.
I also grepped for RPATH (and "@" and "executable_path") but there is no match for any of those.

I also grepped for RPATH

To clarify, does this mean you replaced grep DYLIB with grep RPATH? If so, that should have uncovered any rogue rpath entries, which is the most common source of such problems.

Beyond that, I don’t have any clear next steps. I recommend that you open a DTS tech support incident so that I can look at your specific case in more detail.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

To clarify, does this mean you replaced grep DYLIB with grep RPATH? If so, that should have uncovered any rogue rpath entries, which is the most common source of such problems.

Yes, there's not a single mention of rpath in otool output (complete log just in case: paste.ofcode.org/gffeJWNJVSDm8rTTqRpLrs).


My TSI followup number is 765008778, thanks a lot if you have time to check it!

Just to (kinda) close the loop here…

Some debugging reveals that the app launched just fine but code within the app didn’t like the environment in which it was being launched (specifically, the command-line arguments) and responded by calling exit. Calling exit doesn’t generate a crash report, which makes it hard to debug from the ‘outside’.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"