MantisBT - CMake |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0015507 | CMake | CMake | public | 2015-04-08 18:28 | 2016-06-10 14:21 |
|
| Reporter | Eric Wing | |
| Assigned To | Brad King | |
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | |
| Platform | OS X | OS | OS X | OS Version | 10.10 |
| Product Version | CMake 3.0 | |
| Target Version | CMake 3.6 | Fixed in Version | CMake 3.6 | |
|
| Summary | 0015507: CMake.App bundle is malformed which prevents code signing it |
| Description | CMake should be code signable so somebody can potentially sign it for Mac deployment. When it is not code signed, Apple's GateKeeper will block it by default. (I'm actually distributing it internally, and wanted to code sign it with my own key just to avoid headaches.)
CMake.app's internals have a few flaws which prevent code signing. The majority are not in CMake itself, but in the embedded Qt frameworks. |
| Steps To Reproduce | This will fail with errors.
codesign --force --verbose --sign "Developer ID" --deep CMake.app
|
| Additional Information | I tested with CMake 3.0, but not the latest, but I suspect the issue still exists in the latest.
The flaws are as follows:
- QtCore and QtGui must have an Info.plist in Versions/4/Resources directory
- There should be a Current symlink to the 4 directory
- QtGui puts the Resources directory in the wrong place
- In my copy of CMake, there are two executables in Contents/MacOS instead of just one, which confuses the code signing. The second is an executable with a version number in the name. That shouldn't exist. (But you can manually code sign both to make the overall code sign work.)
Below is my script that basically works around the problems. Ideally, the underlying flaws would be fixed instead of worked around.
#!/bin/zsh
# gets the script path
# script_path=${0:a}
# gets the directory in which the script resides
SCRIPT_DIR=${0:a:h}
CODE_SIGN_IDENTITY="Developer ID"
if [ -z "$1" ]; then
    echo "Usage: codesign_cmake /path/CMake.app"
    exit 1
fi
CMAKE_DIR=$1
# Hack to fix mangled frameworks:
mkdir "$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions/4/Resources
mkdir "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions/4/Resources
cp "$SCRIPT_DIR/QtCore.Info.plist" "$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions/4/Resources/Info.plist
cp "$SCRIPT_DIR/QtGui.Info.plist" "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions/4/Resources/Info.plist
(cd "$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions
    ln -s 4 Current
)
(cd "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions
    ln -s 4 Current
)
(cd "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework
    mv Resources/* Versions/4/Resources/
    rmdir Resources
    ln -s Versions/Current/Resources Resources
)
codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions/4/QtCore
codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions/4/QtGui
find "$CMAKE_DIR"/Contents/bin -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \;
find "$CMAKE_DIR"/Contents/MacOS -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \;
codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"
|
| Tags | No tags attached. |
| Relationships | | related to | 0013532 | closed | Kitware Robot | kitware-provided CMake installer/executables should be codesigned with 'Developer ID' for GateKeeper on OS X |
|
| Attached Files | |
|
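The framework layout flaws listed in the report above, and the flat layout reported later in note 0040567, can be checked before running codesign. The script below is an added example, not part of the original report or of CMake itself; the function names `check_framework` and `check_app_frameworks` are made up for illustration, and it checks only the layout points named in this issue.

```sh
#!/bin/sh
# Added example (not from the CMake project): lint the framework layout of an
# app bundle before signing. Covers only the flaws described in this issue.

problems=0
note() { echo "$1"; problems=$((problems + 1)); }

# Check one Foo.framework directory.
check_framework() {
    fw=$1
    name=$(basename "$fw" .framework)
    # Versions/Current must be a symlink to an existing version directory.
    if [ -L "$fw/Versions/Current" ]; then
        [ -d "$fw/Versions/Current/" ] || note "$fw: Versions/Current is dangling"
    else
        note "$fw: Versions/Current symlink missing"
    fi
    # Every real version directory needs the binary and Resources/Info.plist.
    for v in "$fw"/Versions/*; do
        [ -d "$v" ] && [ ! -L "$v" ] || continue
        [ -f "$v/$name" ] || note "$v: binary '$name' missing"
        [ -f "$v/Resources/Info.plist" ] || note "$v: Resources/Info.plist missing"
    done
    # A top-level Resources must be a symlink, not a real directory.
    if [ -d "$fw/Resources" ] && [ ! -L "$fw/Resources" ]; then
        note "$fw: top-level Resources is a real directory"
    fi
}

# Check every entry under <app>/Contents/Frameworks. Prints one line per
# finding and returns 0 only when there are none.
check_app_frameworks() {
    problems=0
    for entry in "$1"/Contents/Frameworks/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty directory
        case $entry in
            *.framework) check_framework "$entry" ;;
            *.dylib) ;;                                  # plain libraries are left alone
            *) note "$entry: not inside a .framework bundle" ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Run against a bundle when one is given on the command line.
if [ $# -gt 0 ]; then check_app_frameworks "$1"; fi
```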
| Issue History |
| Date Modified | Username | Field | Change |
| 2015-04-08 18:28 | Eric Wing | New Issue | |
| 2015-04-08 18:34 | Sean McBride | Note Added: 0038483 | |
| 2015-04-09 10:16 | Brad King | Note Added: 0038484 | |
| 2015-04-09 10:20 | Brad King | Relationship added | related to 0013532 |
| 2015-04-20 12:26 | Eric Wing | Note Added: 0038555 | |
| 2015-04-20 12:35 | Brad King | Status | new => resolved |
| 2015-04-20 12:35 | Brad King | Resolution | open => fixed |
| 2015-04-20 12:35 | Brad King | Fixed in Version | => CMake 3.1 |
| 2015-11-02 09:13 | Robert Maynard | Note Added: 0039782 | |
| 2015-11-02 09:13 | Robert Maynard | Status | resolved => closed |
| 2016-02-12 21:32 | Eric Wing | Note Added: 0040481 | |
| 2016-02-12 21:32 | Eric Wing | Status | closed => feedback |
| 2016-02-12 21:32 | Eric Wing | Resolution | fixed => reopened |
| 2016-02-24 09:42 | Brad King | Note Added: 0040530 | |
| 2016-02-28 00:40 | Eric Wing | Note Added: 0040567 | |
| 2016-02-28 00:40 | Eric Wing | Status | feedback => new |
| 2016-02-29 10:48 | Brad King | Note Added: 0040581 | |
| 2016-02-29 10:49 | Brad King | Note Edited: 0040581 | bug_revision_view_page.php?bugnote_id=40581#r2047 |
| 2016-03-01 17:40 | Clinton Stimpson | Note Added: 0040585 | |
| 2016-03-01 17:56 | Clinton Stimpson | Note Added: 0040586 | |
| 2016-03-01 17:57 | Clinton Stimpson | Note Edited: 0040585 | bug_revision_view_page.php?bugnote_id=40585#r2049 |
| 2016-03-07 09:32 | Brad King | Note Added: 0040634 | |
| 2016-03-08 10:12 | Brad King | Note Added: 0040648 | |
| 2016-03-09 07:30 | Eric Wing | Note Added: 0040652 | |
| 2016-03-09 08:27 | Brad King | Note Added: 0040653 | |
| 2016-03-09 08:27 | Brad King | Assigned To | => Brad King |
| 2016-03-09 08:27 | Brad King | Status | new => resolved |
| 2016-03-09 08:27 | Brad King | Resolution | reopened => fixed |
| 2016-03-09 08:27 | Brad King | Fixed in Version | CMake 3.1 => CMake 3.6 |
| 2016-03-09 08:27 | Brad King | Target Version | => CMake 3.6 |
| 2016-06-10 14:21 | Kitware Robot | Note Added: 0041231 | |
| 2016-06-10 14:21 | Kitware Robot | Status | resolved => closed |
|
Notes |
|
|
(0038483)
|
|
Sean McBride
|
|
2015-04-08 18:34
|
|
|
|
|
(0038484)
|
|
Brad King
|
|
2015-04-09 10:16
|
|
|
|
|
(0038555)
|
|
Eric Wing
|
|
2015-04-20 12:26
|
|
Tried 3.2.2 and the malformed Qt frameworks seem fixed and the secondary executable in Contents/MacOS is gone.
Tricks still need to be used for code signing due to Apple's broken handling of embedded stuff, but this bug can be closed, and I'll comment directly on the other thread. |
|
|
|
(0039782)
|
|
Robert Maynard
|
|
2015-11-02 09:13
|
|
|
Closing resolved issues that have not been updated in more than 4 months. |
|
|
|
(0040481)
|
|
Eric Wing
|
|
2016-02-12 21:32
|
|
I'm reopening this because it is still a problem, and the situation has gotten worse.
Somewhere in the 10.9 timeframe, Apple tightened up the codesigning process. Among the changes are that improperly formed .framework bundles will cause an app to fail to be codesigned.
The Qt frameworks are malformed. The workaround I posted no longer works.
Qt 5.4 had the same problem. Various scripts around the net couldn't solve my Qt 5.4 problems and I had to upgrade to 5.5.1.
CMake is in a worse position since it is 4 based.
I'm not sure yet how to fix this. |
|
|
|
(0040530)
|
|
Brad King
|
|
2016-02-24 09:42
|
|
|
|
|
(0040567)
|
|
Eric Wing
|
|
2016-02-28 00:40
|
|
I just tried 3.5.20160225.
The frameworks are even more malformed. They are just executables with no extensions and no framework structure. Signing failed.
find CMake.app/Contents/Frameworks -type f
CMake.app/Contents/Frameworks/QtCore
CMake.app/Contents/Frameworks/QtGui
CMake.app/Contents/Frameworks/QtPrintSupport
CMake.app/Contents/Frameworks/QtWidgets
CMake.app/Contents/Frameworks/Resources/Info.plist
My own Qt app has properly structured frameworks. I'm not sure what you did to get those. |
|
|
|
(0040581)
|
|
Brad King
|
2016-02-29 10:48
(edited on: 2016-02-29 10:49) |
|
Re 0015507:0040567: That is what is produced by BundleUtilities for Qt5 on CMake. Try a local build with it if you want to debug that. Using the Qt upstream 5.5.1 binaries:
cmake ../CMake -DCMAKE_PREFIX_PATH=/path/to/Qt/5.5.1/5.5/clang_64 -DBUILD_QtDialog=ON -DCMAKE_INSTALL_PREFIX=/ -DCMake_NO_CXX_STANDARD=1 -DCMake_NO_C_STANDARD=1 -DCMake_INSTALL_DEPENDENCIES=1 -DCMake_GUI_DISTRIBUTE_WITH_Qt_LGPL=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_SKIP_RPATH=1 -DCMAKE_CXX_FLAGS=-stdlib=libc++
make
bin/cpack -G DragNDrop
|
|
|
|
(0040585)
|
|
Clinton Stimpson
|
2016-03-01 17:40
(edited on: 2016-03-01 17:57) |
|
Brad, commit e422f738e4eb27dbf24a0b45d56e0f21a1d45cbc introduced a regression as shown above.
If I revert the commit, then the results I have are:
$ find CMake.app/Contents/Frameworks -type f
CMake.app/Contents/Frameworks/QtCore.framework/Versions/5/QtCore
CMake.app/Contents/Frameworks/QtCore.framework/Versions/5/Resources/Info.plist
CMake.app/Contents/Frameworks/QtDBus.framework/Versions/5/QtDBus
CMake.app/Contents/Frameworks/QtDBus.framework/Versions/5/Resources/Info.plist
CMake.app/Contents/Frameworks/QtGui.framework/Versions/5/QtGui
CMake.app/Contents/Frameworks/QtGui.framework/Versions/5/Resources/Info.plist
CMake.app/Contents/Frameworks/QtPrintSupport.framework/Versions/5/QtPrintSupport
CMake.app/Contents/Frameworks/QtPrintSupport.framework/Versions/5/Resources/Info.plist
CMake.app/Contents/Frameworks/QtWidgets.framework/Versions/5/QtWidgets
CMake.app/Contents/Frameworks/QtWidgets.framework/Versions/5/Resources/Info.plist
|
|
|
|
(0040586)
|
|
Clinton Stimpson
|
|
2016-03-01 17:56
|
|
|
|
|
(0040634)
|
|
Brad King
|
|
2016-03-07 09:32
|
|
|
|
|
(0040648)
|
|
Brad King
|
|
2016-03-08 10:12
|
|
|
|
|
(0040652)
|
|
Eric Wing
|
|
2016-03-09 07:30
|
|
Thanks, that worked!
Here is my new signing script in case anybody needs this in the future.
#!/bin/zsh
# gets the script path
# script_path=${0:a}
# gets the directory in which the script resides
SCRIPT_DIR=${0:a:h}
CODE_SIGN_IDENTITY="Developer ID"
if [ -z "$1" ]; then
    echo "Usage: codesign_cmake /path/CMake.app"
    exit 1
fi
CMAKE_DIR=$1
#codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions/4/QtCore
#codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions/4/QtGui
find "$CMAKE_DIR"/Contents/Frameworks -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \;
find "$CMAKE_DIR"/Contents/bin -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \;
find "$CMAKE_DIR"/Contents/MacOS -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \;
# for CMake.app/Contents/PlugIns/platforms/libqcocoa.dylib
find "$CMAKE_DIR"/Contents/PlugIns -name "*.dylib" -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \;
codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"
echo "Verifying..."
# To test, download Apple's Signature Check tool
#/Volumes/Signature\ Check/check-signature BlurrrGenProj.app/
##(c) 2014 Apple Inc. All rights reserved.
##YES
# Also can try:
spctl -a -t exec -vv "$CMAKE_DIR" |
|
|
|
(0040653)
|
|
Brad King
|
|
2016-03-09 08:27
|
|
Re 0015507:0040652: Great! The build environment currently used for the nightly binaries will be used for the CMake 3.6 release.
|
|
|
|
(0041231)
|
|
Kitware Robot
|
|
2016-06-10 14:21
|
|
|
This issue tracker is no longer used. Further discussion of this issue may take place in the current CMake Issues page linked in the banner at the top of this page. |
|