Verification error after signing code in Qt bundle (CSSMERR_TP_NOT_TRUSTED, OSX)

I am trying to code-sign a desktop application binary for OSX Sierra with a bought COMODO certificate. I get a code-signing verification error, `CSSMERR_TP_NOT_TRUSTED`, at the end of the command run.


This happens when I try to use the `codesign` utility directly on the final bundle (I am giving the same certificate ID as Xcode does):

```
+ security unlock-keychain -p "$PASSWORD" /Users/user/Library/Keychains/login.keychain
+ export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
+ CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
+ /usr/bin/codesign --force --sign 118E862D88E30998B6C4BACB8ABCB1FBDEADBEEF --deep --timestamp=none '<build-path>/app_name'
+ /usr/bin/codesign --verify '<build-path>/app_name' -dv
Executable=<build-path>/app_name/Contents/MacOS/app_name
Identifier=$(PRODUCT_BUNDLE_IDENTIFIER)
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=19725 flags=0x0(none) hashes=611+3 location=embedded
Signature size=2359
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=2
Internal requirements count=1 size=104
+ /usr/bin/codesign --verify '<build-path>/app_name'
<build-path>/app_name: CSSMERR_TP_NOT_TRUSTED
In architecture: x86_64
+ spctl -a -v <build-path>/app_name
<build-path>/app_name/: CSSMERR_TP_NOT_TRUSTED
```


The binary compiled and signed by Xcode is accepted by Gatekeeper, though (I generate the Xcode project with CMake and then modify the project properties to sign the binary; this, however, does not make a full bundle for me and, more importantly, it is not a CLI-only solution). I have used the same `codesign` command (copied from Xcode's log) for signing.

I have already:

  • removed and imported the certificate,
  • allowed it to be used on all applications,
  • checked that the permissions are the system default,
  • checked for doubled certificates in the system.

I use qmake (Qt 5.8) to create makefiles. My bundle contents (after `make`, before `macdeploy`):

```
./Contents
./Contents/_CodeSignature
./Contents/_CodeSignature/CodeResources
./Contents/Info.plist
./Contents/MacOS
./Contents/MacOS/app_name
./Contents/PkgInfo
./Contents/Resources
./Contents/Resources/CS_icon.icns
./Contents/Resources/empty.lproj
```


What should I do to make a correctly signed binary under OSX Sierra?


Edit:

Maybe it has something to do with this: `Info.plist=not bound`? How can I bind this file? It is already in the bundle's directory. When inspecting Xcode's signed binary, its `info` file is 'bound'.

> I am trying to code-sign a desktop application binary for OSX Sierra with bought COMODO certificate.

Why? Signing your app with a certificate issued by a third-party CA won’t help you on the Gatekeeper front. You should sign your app with a certificate issued by Apple via the Developer ID programme.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 5 Jun through to Fri, 9 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

Hi Eskimo!


Sorry for the delayed answer. I might not have clearly expressed it: the COMODO certificate is valid; they claim it is possible to codesign OSX applications. Furthermore, I have compiled and signed the application using this certificate (with Xcode) and Gatekeeper says it looks correct (via the `spctl` command).

I would like to do the same using command line tools, but something goes wrong during the process.

I see that in the signing summary Info.plist is not 'bound' (contrary to the Xcode build status). Could this be the cause? If yes, how do I fix that?

> I might not have clearly expressed it - the COMODO certificate is valid - they claim it is possible to codesign OSX Applications. Furthermore I have compiled and signed the application using this certificate (with XCode) and the Gatekeeper says it looks correct (via spctl command).

It’s possible to sign code with any digital identity. The issue is whether Gatekeeper will accept it, which I don’t believe it will. I recommend that you do a full end-to-end test with this:

  1. Build the app

  2. Put it on a server

  3. On a fresh machine (I typically use a VM for this), download the app

  4. Run the downloaded app

Will Gatekeeper allow it to run?

I just ran this past DTS’s code signing expert and we’re both convinced that Gatekeeper will only allow code to run if it’s signed by an Apple-issued certificate, either from the Mac App Store or via the Developer ID programme.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 5 Jun through to Fri, 9 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/
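The following script is an added example and is not code from either participant in this thread. It turns two points raised above into an automated check: first, it parses the `codesign -dvv` display output (of the kind pasted in the question) and flags the fields that indicate an identity Gatekeeper will not accept (`TeamIdentifier=not set`, since the team identifier is derived from an Apple-issued certificate), an unsealed `Info.plist`, and a `CFBundleIdentifier` that still contains an unexpanded Xcode build variable; second, on macOS only, it runs the strict signature verification plus the `spctl` policy assessment that the end-to-end test in the reply above relies on. The sample output, the identifier `com.example.app_name` and the team ID `ABCDE12345` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits `codesign -dvv` output for the
# indicators discussed above, then (macOS only) runs the Gatekeeper checks.

# Constructed sample, modelled on the `codesign -dv` output in the question.
SAMPLE_CODESIGN_OUTPUT='Executable=/path/to/app_name.app/Contents/MacOS/app_name
Identifier=$(PRODUCT_BUNDLE_IDENTIFIER)
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=19725 flags=0x0(none) hashes=611+3 location=embedded
Signature size=2359
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=2
Internal requirements count=1 size=104'

# check_sign_info: reads `codesign -dvv` output on stdin, prints one
# "FINDING:" line per problem, and returns 0 only when nothing was flagged.
check_sign_info() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "TeamIdentifier=not set")
                # Team IDs come from the OU of Apple-issued certificates; a
                # third-party CA identity leaves this unset.
                echo "FINDING: no TeamIdentifier: identity is not an Apple-issued (Developer ID / App Store) certificate"
                findings=$((findings + 1)) ;;
            "Info.plist=not bound")
                # The bundle's Info.plist was not sealed into the signature.
                echo "FINDING: Info.plist not bound: bundle Info.plist was not sealed by the signature"
                findings=$((findings + 1)) ;;
            'Identifier=$('*)
                # CFBundleIdentifier still contains an Xcode build variable,
                # so the generated Info.plist was never expanded.
                echo "FINDING: unexpanded build variable in identifier: $line"
                findings=$((findings + 1)) ;;
            "Authority=Developer ID Application:"*)
                echo "OK: $line" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# gatekeeper_assess: the macOS end-to-end check. Strict verification also
# rejects unsealed resources; the spctl assessment applies Gatekeeper's
# policy for executing downloaded code. Non-zero if either step rejects.
gatekeeper_assess() {
    app="$1"
    codesign --display --verbose=2 "$app" 2>&1 | check_sign_info
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    spctl --assess --type execute --verbose=4 "$app"
}

# Usage (macOS only): sh check_sign.sh /path/to/app_name.app
if [ "$#" -gt 0 ] && [ "$(uname -s)" = "Darwin" ]; then
    gatekeeper_assess "$1"
fi
```

Run against the constructed sample, `check_sign_info` reports three findings and returns non-zero; a bundle signed with a Developer ID Application identity and an expanded `Info.plist` yields a `TeamIdentifier=` line and an `Authority=Developer ID Application:` line and passes.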
