codesign: "unsealed contents present in root directory"

Question

Crudebyte OP

Created Dec ’17

Replies 1

Boosts 0

Views 7.0k

Participants 1

I am currently struggling with code signing the Qt 5 frameworks, which gives me a strange error:

[me@box ~/qt-src-5.9.3/qtbase/lib]$ codesign -s '-' --deep --force --verbose=3 QtCore.framework
QtCore.framework: unsealed contents present in the root directory of an embedded framework
[me@box ~/qt-src-5.9.3/qtbase/lib]$

Unfortunately codesign is not very verbose on which file(s) it is bothering with. This is the directory structure:

[me@box ~/qt-src-5.9.3/qtbase/lib]$ ls -la QtCore.framework/
total 32
drwxr-xr-x    7 me  staff   238 Dec 14 23:29 .
drwxr-xr-x@ 102 me  staff  3468 Dec 14 22:42 ..
lrwxr-xr-x    1 me  staff    24 Dec 14 01:47 Headers -> Versions/Current/Headers
lrwxr-xr-x    1 me  staff    23 Dec 14 01:49 QtCore -> Versions/Current/QtCore
lrwxr-xr-x    1 me  staff    29 Dec 14 23:29 QtCore_debug -> Versions/Current/QtCore_debug
lrwxr-xr-x    1 me  staff    26 Dec 14 01:47 Resources -> Versions/Current/Resources
drwxr-xr-x    5 me  staff   170 Dec 14 22:53 Versions
[me@box ~/qt-src-5.9.3/qtbase/lib]$

I don't see any file in the root directory, only symlinks. And I also don't see any "embedded" framework there.

[me@box ~/qt-src-5.9.3/qtbase/lib]$ ls -la QtCore.framework/Versions/Current/Resources/
total 24
drwxr-xr-x  5 me  staff   170 Dec 14 23:08 .
drwxr-xr-x  6 me  staff   204 Dec 14 01:49 ..
-rw-r--r--  1 me  staff   708 Dec 14 01:47 Info.plist
-rw-r--r--  1 me  staff  1490 Dec 14 01:47 QtCore.prl
-rw-r--r--  1 me  staff  1508 Dec 14 01:47 QtCore_debug.prl
[me@box ~/qt-src-5.9.3/qtbase/lib]$ ls -la QtCore.framework/Versions/
total 16
drwxr-xr-x  5 me  staff  170 Dec 14 22:53 .
drwxr-xr-x  7 me  staff  238 Dec 14 23:29 ..
drwxr-xr-x  6 me  staff  204 Dec 14 01:49 5
lrwxr-xr-x  1 me  staff    1 Dec 14 22:53 A -> 5
lrwxr-xr-x  1 me  staff    1 Dec 14 22:53 Current -> 5
[me@box ~/qt-src-5.9.3/qtbase/lib]$ which codesign
/usr/bin/codesign
[me@box ~/qt-src-5.9.3/qtbase/lib]$ what /usr/bin/codesign
/usr/bin/codesign
  PROGRAM:codesign  PROJECT:codesign-12.70.1
[me@box ~/qt-src-5.9.3/qtbase/lib]$

Does anybody have an idea what could be wrong here?

Boost

Answer 1

Crudebyte OP

Dec ’17

Ok, I finally solved it.

First of all, the way the Qt framework bundles are currently rolled out upstream (Qt 5.9.3) is no longer a valid/accepted Mac framework directory structure. Qt itself builds fine, but then when you try to link any app against these Qt frameworks you get all kinds of code signing error messages with Xcode, no matter what you setup in Xcode (i.e. embedding and requesting to auto deep signing the Qt frameworks into the app).

This is how I got it working:

Make sure there are no regular files in the top level directory of the respective framework bundle. With Qt 5.9.3 you'll find .prl files in the root dir, so I moved them into the "Resources" subdir for now:
```
[me@box ~/qt-src-5.9.3/qtbase/lib]$ mv QtCore.framework/*.prl QtCore.framework/Resources/
```

For some reason the codesign binary expects now an "A" version to be always present in any framework, Qt however was always using the current Qt major version number instead. So I created a symlink for that:

[me@box ~/qt-src-5.9.3/qtbase/lib]$ cd QtCore.framework/Versions/
[me@box ~/qt-src-5.9.3/qtbase/lib/Versions]$ ln -s 5 A
[me@box ~/qt-src-5.9.3/qtbase/lib/Versions]$ ls -lha
total 16
drwxr-xr-x  5 me  staff  170B Dec 14 22:53 .
drwxr-xr-x  7 me  staff  238B Dec 14 23:29 ..
drwxr-xr-x  7 me  staff  238B Dec 15 17:48 5
lrwxr-xr-x  1 me  staff    1B Dec 14 22:53 A -> 5
lrwxr-xr-x  1 me  staff    1B Dec 14 22:53 Current -> 5
[me@box ~/qt-src-5.9.3/qtbase/lib/Versions]$

Then code sign the DLL files explicitly:

[me@box ~/qt-src-5.9.3/qtbase/lib]$ codesign -s '-' --force --deep --verbose=3 --file-list '-' QtGui.framework/Versions/Current/QtGui
QtGui.framework/Versions/Current/QtGui: signed bundle with Mach-O thin (x86_64) [org.qt-project.QtGui]
/Users/me/qt-src-5.9.3/qtbase/lib/QtGui.framework/Versions/5/QtGui
/Users/me/qt-src-5.9.3/qtbase/lib/QtGui.framework/Versions/5/_CodeSignature/CodeResources
[me@box ~/qt-src-5.9.3/qtbase/lib]$ codesign -s '-' --force --deep --verbose=3 --file-list '-' QtGui.framework/Versions/Current/QtGui_debug
QtGui.framework/Versions/Current/QtGui_debug: replacing existing signature
QtGui.framework/Versions/Current/QtGui_debug: signed Mach-O thin (x86_64) [QtGui_debug-43271349affd69534688190d68d567891e3f8c534]
/Users/me/qt-src-5.9.3/qtbase/lib/QtGui.framework/Versions/5/QtGui_debug

Then in your Mac application's Xcode project settings (or rather Xcode "target" settings to be more precise), make sure that the "Sign" checkbox is not set for the individual Qt frameworks just to avoid Xcode attempting to resign those frameworks when it is embedding the frameworks into your app bundle.

Of course you have to do that for every Qt framework bundle you are using with your application.

And that's it. Works for me now this way.

I have the impression that the codesign binary is a bit buggy right now. I mean that the Qt framework structure is no longer en par with the Mac's latest framework policies is one thing. But fact is that codesign is currently spitting out error messages which are simply not true, misleading and not helpful to resolve the code signing issues.

2