Regarding Qt application Code signing on MACOS

Hi support,

Currently we are in the process of migrating our Qt application to macOS Ventura v13.4.

There is a specific feature in our application in which the client tries to communicate with the server (socket communication) using Qt's QSslSocket APIs. To achieve this we are using a self-signed CA certificate (.pem) generated using OpenSSL commands, which uses the IP address of the server.

We are manually installing the certificate in the macOS keychain and trusting it manually as well after installing.

This is working fine in the Xcode environment in debug mode on macOS, and the client-server handshake is happening successfully. However, after creating the .dmg file (installer) the same handshake is not happening and we are getting the error "Connection time out".

Upon investigating this online, we got to know that there has to be code signing (both the app bundle and the dmg file) along with notarization of the .dmg file in order to access the macOS keychain at runtime and read the self-signed certificate installed there.

Now we have 2 queries here.

1. Is code signing mandatory if we want to verify our app through the keychain with a .dmg file?

2. If yes, what's the best way to achieve this?
We have tried 2 options without any luck.
Option 1: Trying to build our specific target among 'ALL_BUILD' with signing key settings inside Xcode, where we are providing the developer provisional certificate with the Apple team ID. After that we are trying to archive to generate a dmg file which is code signed.
We are failing here as the signed dmg is not getting installed because other app-related dependencies are missing.
Option 2: Code signing the dmg and the app bundle manually outside the Xcode environment with the developer certificate and team ID.
We are failing here as it seems notarization needs to be done to access the keychain for certificate verification.

If code signing is not mandatory, then what's the best possible way to achieve this, considering that manual installation of the certificate in the keychain with the trust option added is not working at the moment.

Please specify the best solution if possible.

Gosh, there are two separate issues tangled up here:

  • Code signing

  • Override TLS server trust evaluation

IMO they are completely separable. Let me start with code signing.


If you distribute your product widely, it must be signed:

  • If you’re targeting the Mac App Store, you can only submit a signed app.

  • If you’re distributing directly, your product must be signed and notarised to pass Gatekeeper.

If you’re not using Xcode then see the following docs for specific advice on how to sign your product:


Regarding TLS server trust evaluation, that’s not really related to your code signing. You wrote:

Written by Atanu in 777675021
Upon investigating this online, we got to know there has to be codesigning (both app bundle and the dmg file ) along with notarization of the .dmg file in order to access keychain of [macOS]

That’s not entirely correct. It’s true that signing your app and your disk image and then notarising your disk image is a good idea, but not all of those steps are required to access the keychain. Specifically:

  • The keychain doesn’t care about your disk image.

  • Signing your app is required to access the data protection keychain.

  • Signing your app is important, but not absolutely required, to access the file-based keychain.

Note: If you’re not familiar with those terms, see TN3137 On Mac keychain APIs and implementations.

However, none of this is relevant to TLS server trust evaluation. You should be able to customise TLS server trust evaluation without using the keychain at all.

To advise you further on this topic I need to know more about what you’re doing with TLS. You wrote:

Written by Atanu in 777675021
There is a specific feature in our application in which client tries to communicate with server (Socket communication) using Qt's QsslSocket Apis.

I’d like to confirm the following:

  • You’re building a macOS app.

  • It’s talking to a TLS server that’s not running on macOS.

  • That server’s certificate is not trusted by macOS by default.

  • You want to override TLS server trust evaluation so that your app can talk to that server.

Is that all correct?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
