Missing code-signing certificate when uploading MacOS installer to AppStore

Hi there!

I have an issue with uploading a PKG installer to the MacOS AppStore.

Uploading with:

xcrun altool --upload-app -t macos -f $PKGPATH -u $DEVELOPER_ID -p $APP_SPECIFIC_PWD

results in error:

*** Error: Validation failed Invalid Provisioning Profile. The provisioning profile included in the bundle com.frogblue.frogCom [com.frogblue.frogCom.pkg/Payload/frogSIP.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: fc4e5488-6d09-4ab2-b1f7-017a33c69723) (409)

The application seems to be correctly code signed with the „3rd Party Mac Developer Application“ certificate.

codesign -dv --verbose=4 /Users/dietmar.finkler/Desktop/frogSIP/deploy/frogSIP.app
Identifier=com.frogblue.frogCom
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=266432 flags=0x10000(runtime) hashes=8315+7 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=918784
Hash type=sha256 size=32
CandidateCDHash sha256=923de799a54616706b76050b50b7ee6d59f8355a
CandidateCDHashFull sha256=923de799a54616706b76050b50b7ee6d59f8355a65aa7cce03e34bb2033da1e9
Hash choices=sha256
CMSDigest=923de799a54616706b76050b50b7ee6d59f8355a65aa7cce03e34bb2033da1e9
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=31604736
Executable Segment flags=0x1
Page size=4096
CDHash=923de799a54616706b76050b50b7ee6d59f8355a
Signature size=9109
Authority=3rd Party Mac Developer Application: frogblue TECHNOLOGY GmbH (UG2P6T5LNH)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=26.02.2025 at 10:07:08
Info.plist entries=31
TeamIdentifier=UG2P6T5LNH
Runtime Version=14.5.0
Sealed Resources version=2 rules=13 files=1124
Internal requirements count=1 size=212

The PKG built with productbuild also seems to be correctly code signed with the „3rd Party Mac Developer Installer“ certificate.

pkgutil --check-signature /Users/dietmar.finkler/Desktop/frogSIP/frogSIP-1.2a2.pkg 
Status: signed by a developer certificate issued by Apple (Development)
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: frogblue TECHNOLOGY GmbH (UG2P6T5LNH)
       Expires: 2026-02-25 17:17:54 +0000
       SHA256 Fingerprint:
           D1 9E AC 27 C7 26 F3 2E 1E F5 50 2C 7A 1B 1D FB 54 D6 17 C1 1C 58 
           C1 7E F8 87 B6 44 D1 49 17 DC
       ------------------------------------------------------------------------
    2. Apple Worldwide Developer Relations Certification Authority
       Expires: 2030-02-20 00:00:00 +0000
       SHA256 Fingerprint:
           DC F2 18 78 C7 7F 41 98 E4 B4 61 4F 03 D6 96 D8 9C 66 C6 60 08 D4 
           24 4E 1B 99 16 1A AC 91 60 1F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24

Keychain login items show both the "3rd Party Mac Developer Application" and "3rd Party Mac Developer Installer" certificates.

But checking with security find-identity -v -p codesigning shows only the "3rd Party Mac Developer Application" certificate. "3rd Party Mac Developer Installer" is missing.

I also checked the entitlements in the app package, which look OK to me.

codesign -d --entitlements :- /Users/dietmar.finkler/Desktop/frogSIP/deploy/frogSIP.app 
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.application-identifier</key><string>UG2P6T5LNH.com.frogblue.frogCom</string><key>com.apple.developer.aps-environment</key><string>production</string><key>com.apple.developer.associated-domains</key><array><string>applinks:go.dev.frogblue.cloud</string><string>applinks:go.test.frogblue.cloud</string><string>applinks:go.prod.frogblue.cloud</string></array><key>com.apple.developer.team-identifier</key><string>UG2P6T5LNH</string><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.cs.disable-library-validation</key><true/><key>com.apple.security.device.audio-input</key><true/><key>com.apple.security.device.camera</key><true/><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/></dict></plist>

What am I missing? Thanks for any hint!

Regards Dietmar Finkler

Answered by DTS Engineer in 827108022

This error tells you what’s going on, it’s just a little subtle:

The provisioning profile included in the bundle … is invalid. [Missing code-signing certificate.]

The issue isn’t with your code-signing identity’s certificate per se, but rather a mismatch between it and your provisioning profile. A profile authorises your code to run based on certain criteria. One of those criteria is the allowed list of certificates whose identities can sign that code. This error means that the code is signed with an identity whose certificate isn’t listed in the profile.

To investigate this, extract the profile from your app and dump the certificates in its allowlist. See TN3125 Inside Code Signing: Provisioning Profiles for instructions on how to do this.

I suspect you’re signing code by hand, rather than with Xcode. In that case I recommend that you read through Creating distribution-signed code for macOS. It has a section, Embed distribution provisioning profiles, that explains this issue in more detail.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
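
The check described in the answer above (extract the profile, dump the certificates in its allowlist, compare them with the signing certificate), as an added Python example that is not part of the thread or of Apple's documentation. The profile and certificate bytes are constructed placeholders, and locating the payload by its XML markers is a shortcut that skips CMS signature verification.

```python
import hashlib
import plistlib


def profile_payload(profile: bytes) -> dict:
    """Return the plist payload carried inside a .provisionprofile (CMS) blob.

    Shortcut: the payload is stored unencrypted, so it is located by its XML
    markers. This does NOT verify the CMS signature; on macOS,
    `security cms -D -i <profile>` performs the real decode.
    """
    start = profile.find(b"<?xml")
    end = profile.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(profile[start:end + len(b"</plist>")])


def allowed_fingerprints(profile: bytes) -> list[str]:
    """SHA-256 fingerprints of the DER certificates in the profile's allowlist."""
    certs = profile_payload(profile).get("DeveloperCertificates", [])
    return [hashlib.sha256(der).hexdigest() for der in certs]


def check_signer(profile: bytes, signer_der: bytes) -> str:
    """Compare the signing certificate (DER bytes) with the profile's allowlist."""
    allowed = allowed_fingerprints(profile)
    if not allowed:
        # The case reported later in this thread: a profile with no certificates.
        return "profile lists no certificates"
    if hashlib.sha256(signer_der).hexdigest() in allowed:
        return "ok"
    return "signer not in profile"


# Constructed sample data: placeholder bytes stand in for real DER certificates.
CERT_A = b"constructed DER bytes: distribution certificate A"
CERT_B = b"constructed DER bytes: distribution certificate B"


def constructed_profile(certs: list[bytes]) -> bytes:
    """Build a fake profile: plist payload wrapped in dummy CMS framing bytes."""
    payload = plistlib.dumps({"Name": "constructed profile",
                              "DeveloperCertificates": certs})
    return b"\x30\x82 dummy CMS header " + payload + b" dummy CMS signature"


if __name__ == "__main__":
    print(check_signer(constructed_profile([CERT_A]), CERT_B))
```

On a Mac, the real inputs are the bytes of frogSIP.app/Contents/embedded.provisionprofile and the leaf certificate that `codesign -d --extract-certificates` writes to the file codesign0.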

Hi Quinn!

Thanks a lot, this gives me the correct hint to go a step further! My App Store provisioning profile did not contain any certificate at all.

So now I can archive my app in Xcode and distribute it: Custom > App Store Connect > Export > Manually manage signing, with:

Distribution certificate: Mac App Distribution

Installer certificate: Mac Installer Distribution

frogSIP.app: frogSIP Mac App Store Connect (the fixed provisioning profile)

This gives me a pkg installer. I now extract the app package from the installer, because I have to do further deployment for my Qt app package.

Then the app package is deployed and code signed with the Qt tool macdeployqt6 and the certificate "3rd Party Mac Developer Application". The pkg installer is built with productbuild and signed with the certificate "3rd Party Mac Developer Installer".

Finally, I uploaded the pkg with xcrun altool.

Phew ... the old error [Missing code-signing certificate.] is fixed.

But ...

 *** Error: ERROR: [ContentDelivery.Uploader] Validation failed (409) Invalid bundle. The executable couldn’t be re-signed for upload to App Store Connect. The app may have been built or signed with unsupported or prerelease tools. (ID: e43b0690-efd9-402d-a7c8-9fde27199a7c)

*** Error: ERROR: [ContentDelivery.Uploader] Validation failed (409) Invalid Bundle. The application bundle may not contain tools or frameworks provided by Apple, or using bundle identifiers in the 'com.apple.' namespace. Invalid bundle: [com.frogblue.frogCom.pkg/Payload/frogSIP.app/Contents/Resources/qml/QtCore/libqtqmlcoreplugin.dylib.dSYM], with bundle identifier 'com.apple.xcode.dsym.qtqmlcoreplugin'. (ID: b0c9769c-9813-4674-9db5-226321dfc2c8)

I guess this is related to the Qt resources and plugins structure that is added to the app package. I can’t see the reason for a ‚com.apple.xcode.dsym.qtqmlcoreplugin‘ bundle identifier.

Any idea how to correctly manage a Mac App Store upload for Qt applications? Should I prefer statically linking the Qt libraries, or how do I correctly add Qt frameworks, resources and plugins?

Thank you in advance Dietmar

Dietmar, I had a similar issue some time ago. It sounds like you've navigated a complex signing process, and you're very close! The error message clearly points to an issue with a debug symbol file (.dSYM) within your application bundle having an Apple-reserved bundle identifier (com.apple.xcode.dsym...). This typically happens when these files aren't properly handled during the deployment and signing process for third-party applications.

Understanding the Error:

The App Store Connect validation is rejecting your build because it found a .dSYM file with a bundle identifier that belongs to Apple. This suggests that either:

Debug Symbols for Qt Plugins are Included Incorrectly: The .dSYM file for the libqtqmlcoreplugin.dylib (a Qt plugin) is being bundled in a way that retains Apple's internal identifier.

Incorrect Handling of .dSYM Files during macdeployqt6: The macdeployqt6 tool might be copying these debug symbol files without the necessary modifications for App Store distribution.

Strategies for Correctly Managing Qt for Mac App Store Distribution:

Here's a breakdown of approaches and steps you should consider:

1. Focus on Release Builds and Stripping Symbols:

Build in Release Mode: Ensure your Qt application is built in Release mode. Debug builds often include extensive debugging symbols that are not needed for the App Store.

Strip Symbols: The most crucial step is to strip debugging symbols from your application and all its dependencies (Qt frameworks, plugins, and your own libraries) before creating the final .app bundle. This removes the .dSYM files that are causing the issue.

You can use the strip command-line tool on macOS for this. For example:

Bash
strip -x frogSIP.app/Contents/Frameworks/QtCore.framework/Versions/A/QtCore
strip -x frogSIP.app/Contents/Frameworks/QtQml.framework/Versions/A/QtQml
strip -x frogSIP.app/Contents/PlugIns/QtQuick/libqtquickplugin.dylib
# ... and so on for all Qt frameworks and plugins
strip -x frogSIP.app/Contents/MacOS/frogSIP

The -x option removes the symbol table and the string table for dynamic symbols.

macdeployqt6 with --strip: The macdeployqt6 tool has a --strip option that should handle the removal of symbols. Ensure you are using this option when deploying your application.

Bash
macdeployqt6 frogSIP.app -bundle-id com.frogblue.frogSIP --strip

2. Review Your macdeployqt6 Usage:

Bundle Identifier: Double-check that you are providing the correct bundle identifier for your application (e.g., com.frogblue.frogSIP) to macdeployqt6.

Plugins and Frameworks: Verify that macdeployqt6 is correctly identifying and bundling the necessary Qt frameworks and plugins. It should adjust their internal identifiers as needed for your application bundle.

3. Static vs. Dynamic Linking of Qt:

Dynamic Linking (Recommended for App Store): While static linking might seem simpler for deployment, it can lead to larger application bundles and potential compatibility issues. Dynamic linking is generally preferred for Mac App Store submissions. It allows for smaller app sizes and leverages system-provided libraries where possible (though Qt frameworks are usually bundled).

If Dynamically Linking: Ensure that all the required Qt frameworks and plugins are correctly copied into your application bundle's Contents/Frameworks and Contents/PlugIns directories by macdeployqt6.

4. Inspect the Contents of Your .app Bundle:

Before Signing: After running macdeployqt6, carefully examine the contents of your frogSIP.app bundle. Look for any .dSYM files within the Contents/Frameworks or Contents/PlugIns directories, especially within the Resources/qml/QtCore path mentioned in the error. These should ideally be absent after stripping.

5. Code Signing Order and .dSYM Handling:

Sign After Deployment and Stripping: Ensure you are performing code signing after you have used macdeployqt6 and stripped the symbols.

.dSYM Generation for App Store: While you need to strip the symbols from the app bundle for submission, you will likely want to keep the .dSYM files for your own crash reporting and debugging purposes. Xcode usually generates these during the archive process. You can archive your app in Xcode (as you did initially) to get these .dSYM files, but do not include them directly in the final .app bundle you deploy with macdeployqt6 and submit. You can store them separately.

Revised Workflow:

Based on the above, here's a refined workflow you should consider:

Build your Qt application in Release mode in Xcode. This will create your initial .app bundle.

Use macdeployqt6 to deploy the necessary Qt frameworks and plugins into your .app bundle. Make sure to use the correct bundle identifier and the --strip option:

Bash
/path/to/Qt/YourQtVersion/bin/macdeployqt6 frogSIP.app -bundle-id com.frogblue.frogSIP --strip

(Replace /path/to/Qt/YourQtVersion/bin/ with the actual path to your Qt installation).

Code sign your application bundle using the "3rd Party Mac Developer Application" certificate:

Bash
codesign --deep --force --verify --sign "3rd Party Mac Developer Application" frogSIP.app

Create the .pkg installer using productbuild:

Bash
productbuild --component frogSIP.app /Applications --sign "3rd Party Mac Developer Installer" frogSIP.pkg

Submit the .pkg file using xcrun altool (or Transporter).

Key Takeaway:

The error strongly suggests the presence of unwanted .dSYM files with Apple's bundle identifier within your final application bundle. The --strip option of macdeployqt6 is your primary tool to address this. Ensure you are using it correctly and that no stray .dSYM files are left in your .app before signing and packaging.
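
A pre-upload check for the second validation error quoted in this thread, as an added Python example that is not code from any poster or from Qt or Apple: it walks an .app bundle and reports every .dSYM directory and every nested Info.plist whose CFBundleIdentifier lies in the 'com.apple.' namespace. The sample tree is constructed to mirror the path and identifier in the error message.

```python
import plistlib
import tempfile
from pathlib import Path

RESERVED_PREFIX = "com.apple."  # namespace named in the upload error


def scan_bundle(app: Path) -> list[tuple[str, str, str]]:
    """Return (kind, path relative to the app, detail) for each finding."""
    findings = []
    for path in sorted(app.rglob("*")):
        rel = path.relative_to(app).as_posix()
        if path.is_dir() and path.suffix == ".dSYM":
            findings.append(("dsym", rel, "debug-symbol bundle inside the app"))
        elif path.is_file() and path.name == "Info.plist":
            try:
                with path.open("rb") as fh:
                    ident = plistlib.load(fh).get("CFBundleIdentifier", "")
            except Exception:
                continue  # unreadable or non-dictionary plist: nothing to compare
            if isinstance(ident, str) and ident.startswith(RESERVED_PREFIX):
                findings.append(("reserved-id", rel, ident))
    return findings


def build_sample(root: Path) -> Path:
    """Create a constructed bundle tree using the paths from the error message."""
    app = root / "frogSIP.app"
    plists = {
        "Contents/Info.plist": "com.frogblue.frogCom",
        "Contents/Resources/qml/QtCore/libqtqmlcoreplugin.dylib.dSYM"
        "/Contents/Info.plist": "com.apple.xcode.dsym.qtqmlcoreplugin",
    }
    for rel, ident in plists.items():
        target = app / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(plistlib.dumps({"CFBundleIdentifier": ident}))
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_bundle(build_sample(Path(tmp))):
            print(*finding, sep="\t")
```

Run against the deployed bundle before signing and packaging, an empty result means neither condition from that error message is present.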
