Signing and sandbox errors when submitting a Qt mac app. Please help!!

Hi everyone, I've been trying for a few days and still getting the same errors... so any help would be appreciated!!

I've got the app to pass the Validation in Xcode Organizer, but after I uploaded to App Store Connect through the Organizer, I'd get an email with errors, ITMS-90238: Invalid Signature, mentioning a long list of plugins, and then ITMS-90296: App sandbox not enabled.

I'm not sure how to investigate these problems, so I've been just blindly trying everything.

I've added the Sandbox capability in Xcode and have the entry in the entitlement file. The app even shows Sandbox Yes in Activity Monitor.

This is a Qt app. I generated an Xcode project using qmake, then use Xcode to sign and upload.

I tried both manually selecting the profile and letting Xcode manage signing automatically. I've tried both Distribution profiles and Development profiles. It was giving build errors in signing unless I used the --deep flag in Other Code Signing Flags. Then I read online that it's not recommended. So I've tried using the -codesign option in Qt's mac deployment tool, macdeployqt. It passed the validations but still gives the same error. I suspect it's doing a codesign --deep internally. This is how I'm using macdeployqt:

macdeployqt myapp.app -qmldir="$SOURCE_DIR"/qml -always-overwrite -appstore-compliant -codesign="$SIGNING_CERT"

Any advice would be much appreciated!!

I'm on macOS Sonoma 14.0, Apple M2, Qt 6.5.3

I'm not sure if it's actually possible to publish a Qt app in the Mac App Store... please advise if anyone has done it!

I'm not sure if it's actually possible to publish a Qt app in the Mac App Store.

It definitely is; I’ve worked with a bunch of developers in similar situations to you.

There are limits to how much I can help you with this. All I can do is explain the requirements imposed by Apple’s distribution channels. When working with third-party tooling, it’s up to the tool’s vendor to explain how best to meet those requirements with their tools.

You can find my general advice on this topic in:

after I uploaded to App Store Connect through the Organizer, I'd get an email with errors, ITMS-90238: Invalid Signature, mentioning a long list of plugins, and then ITMS-90296: App sandbox not enabled.

App Store Connect requires that:

  • All your code be signed with your Apple Distribution signing identity [1]

  • Every executable have the App Sandbox enabled

I suspect that your deployment processing has failed to re-sign some of the code in your app, which is why you’re getting ITMS-90238. With regards to ITMS-90296, remember that every executable has to have the App Sandbox enabled. That includes the main executable and any ‘helper tools’ you have embedded within the app bundle.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Or one of the legacy alternatives.
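
The two requirements in the reply above can be checked file by file before uploading. The script below is an added example, not part of the original replies and not Apple or Qt tooling; its function names and the `IDENTITY_PREFIX` variable are this example's own, and it assumes macOS 12 or later for `codesign --xml`.

```shell
#!/bin/sh
# Added example, not from the thread. Audits every Mach-O file in an .app for:
#   1. leaf signing certificate is the distribution identity
#   2. executables (not libraries/plug-ins) carry the App Sandbox entitlement
# Assumes macOS 12+ (codesign --xml). IDENTITY_PREFIX is this example's own knob.
IDENTITY_PREFIX="${IDENTITY_PREFIX:-Apple Distribution: }"

# classify_item KIND SIGINFO ENTITLEMENTS_XML  -> prints one verdict line
classify_item() {
    kind=$1 siginfo=$2 ents=$3
    # First Authority= line of `codesign -d -vv` is the leaf certificate.
    leaf=$(printf '%s\n' "$siginfo" | sed -n 's/^Authority=//p' | head -n 1)
    case $leaf in
        "$IDENTITY_PREFIX"*) ;;
        *) echo "FAIL signature (ITMS-90238): leaf is '${leaf:-none}'"; return 0 ;;
    esac
    if [ "$kind" = executable ]; then
        # Strip whitespace so <key> and <true/> are adjacent in any layout.
        flat=$(printf '%s' "$ents" | tr -d ' \t\n')
        case $flat in
            *'<key>com.apple.security.app-sandbox</key><true/>'*) ;;
            *) echo "FAIL sandbox (ITMS-90296): entitlement missing"; return 0 ;;
        esac
    fi
    echo ok
}

# audit_bundle APP -> verdict<TAB>kind<TAB>path per Mach-O; status 1 on any FAIL
audit_bundle() {
    find "$1" -type f | (
        rc=0
        while IFS= read -r f; do
            case $(file -b "$f") in
                *Mach-O*executable*) kind=executable ;;  # main binary, helper tools
                *Mach-O*)            kind=library ;;     # dylibs, plug-ins, frameworks
                *) continue ;;
            esac
            siginfo=$(codesign -d -vv "$f" 2>&1)
            ents=$(codesign -d --entitlements - --xml "$f" 2>/dev/null)
            verdict=$(classify_item "$kind" "$siginfo" "$ents")
            [ "$verdict" = ok ] || rc=1
            printf '%s\t%s\t%s\n' "$verdict" "$kind" "$f"
        done
        exit "$rc"
    )
}

if [ -d "${1:-}" ]; then audit_bundle "$1"; fi
```

Run it against the exported app rather than the archive, since Xcode re-signs during export; set `IDENTITY_PREFIX` if you sign with one of the legacy identities.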

Thanks for your reply The Eskimo! It helps a lot to know that it's done before by others! :)

Thanks for the pointers! I will look into these directions!

Another question, when I use the Automatically manage signing feature in Xcode (15.0.1), it only gives me the option to select a Development Signing Certificate. I saw some people online saying we were meant to just use the Development certificate with Automatically manage signing, even for distribution. Should I uncheck Automatic signing and select the Distribution certificate? Or is there a way I can make the Distribution certificate show up?

The standard workflow for Xcode is:

  • Enable automatic signing. When you choose Product > Run, Xcode will build and sign your app with Apple Development.

  • To distribute, first choose Product > Archive. The app inside the archive will also use Apple Development signing.

  • Then, in the Xcode organiser, click Distribute App and follow one of the workflows there. Xcode will re-sign the app appropriately as part of the export or upload process.

  • You can do the previous two steps using xcodebuild.

See the Export an App from Xcode section of Creating Distribution-Signed Code for Mac for more background.

The Xcode organiser workflows work reliably [1] if your app is structured according to the rules in Placing Content in a Bundle. My experience is that third-party tooling tends to not follow those rules, and thus, in the words of that article, “you may encounter hard-to-debug code signing and distribution problems” )-:

If that’s the case, you have two options. The first is to change your product to follow the rules. This is my preferred option because not all of these “hard-to-debug code signing and distribution problems” show up when you build your product. Sometimes they show up on users’ machines.

I most commonly see such problems with directly distributed apps, where they bump into Gatekeeper issues. This is less common for App Store apps, where the App Store is more likely to detect such problems during app ingestion.

The second option is to manually export your app from the archive. I talk about this in the Export a Non-App Product Built with Xcode section of Creating Distribution-Signed Code for Mac. That section is focused on non-app products, because of my preference for the first option in app products. However, the same basic strategy works for weirdly constructed app products as well.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well “should work reliably” )-: Every now and again you bump into a case where Xcode has missed a memo when it comes to correctly re-signing an app. For example, there’s the issue discussed in Exporting a Developer ID Network Extension. Fortunately, these are relatively rare.

Thanks for explaining the Xcode signing workflow! That makes sense.

Yeah true, I agree about these “hard-to-debug code signing and distribution problems”... and that they may show up only on the user's machines. I'll have a deeper look into the bundle structure and figure it out! Thanks so much for your help!! 🙏

Yes!! Finally! I managed to get it through to App Store Connect! :D

So I removed the call to Qt's deployment tool, macdeployqt. Instead, I tried to do what it does without it, namely copying the Frameworks, Plugins and Resources. I used Xcode's embed and sign Frameworks feature and Copy Bundle Resources to cover the Frameworks and Resources. I tried to use a Copy Files step in Build Phases to copy the Plugins, but it'd give me build errors saying failing to sign no matter if I tick the Code Sign box. For now I got around it by manually copying the plugins from another bundle that I deployed with Qt's deployment tool... Then Xcode's organiser manages to re-sign and upload!

Still a bit hacky but at least I got there! Any advice on what I'm doing wrong with the Plugins?

I managed to get it through to App Store Connect! :D

Yay!

Any advice on what I'm doing wrong with the Plugins?

Not off the top of my head. I know that Qt uses a lot of different plug-ins. Are you able to narrow down that scope? If, for example, you could post details about the structure of one specific plug-in that triggered this problem, I could take a look at that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Actually don't worry! I think it's some fancy things Qt's deployment tool's doing... I could go look at the source code for a better solution, but I'll just work around it for now. I was trying to copy the Plugins from my local Qt install, which didn't work, but copying from the build that's been through Qt's deployment tool worked. For now I'll just manually copy things over... Thanks so much for your support @eskimo! Couldn't have gotten here without you!

@AmyXS

Hello!

Finally, someone who reports having succeeded in publishing their Qt-written application for macOS in the Apple Store. I've been trying for several days and I've never been able to figure anything out. I usually use macdeploy, but from what I've read, you didn't use it. I've never used Xcode for anything in my attempts except for code-signing.

May I kindly ask you to detail how you managed to sign and post your Qt-written app? It would greatly help the developer community as there isn't a truly up-to-date tutorial. Personally, I would be infinitely grateful to you!
