| View Issue Details [ Jump to Notes ] | [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0015507 | CMake | CMake | public | 2015-04-08 18:28 | 2016-06-10 14:21 | ||||
| Reporter | Eric Wing | ||||||||
| Assigned To | Brad King | ||||||||
| Priority | normal | Severity | minor | Reproducibility | have not tried | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | OS X | OS | OS X | OS Version | 10.10 | ||||
| Product Version | CMake 3.0 | ||||||||
| Target Version | CMake 3.6 | Fixed in Version | CMake 3.6 | ||||||
| Summary | 0015507: CMake.App bundle is malformed which prevents code signing it | ||||||||
| Description | CMake should be code signable so somebody can potentially sign it for Mac deployment. When it is not code signed, Apple's GateKeeper will block it by default. (I'm actually distributing it internally, and wanted to code sign it with my own key just to avoid headaches.) CMake.app's internals have a few flaws which prevent code signing. The majority are not in CMake itself, but in the embedded Qt frameworks. | ||||||||
| Steps To Reproduce | This will fail with errors. codesign --force --verbose --sign "Developer ID" --deep CMake.app | ||||||||
| Additional Information | I tested with CMake 3.0, but not the latest, but I suspect the issue still exists in the latest. The flaws are as follows: - QtCore and QtGui must have an Info.plist in Versions/4/Resources directory - There should be a Current symlink to the 4 directory - QtGui puts the Resources directory in the wrong place - In my copy of CMake, there are two executables in Contents/MacOS instead of just one, which confuses the code signing. The second is an executable with a version number in the name. That shouldn't exist. (But you can manually code sign both to make the overall code sign work.) Below is my script that basically works around the problems. Ideally, the underlying flaws would be fixed instead of worked around. #!/bin/zsh # gets the script path # script_path=${0:a} # gets the directory in which the script resides SCRIPT_DIR=${0:a:h} CODE_SIGN_IDENTITY="Developer ID" if [ -z $1 ]; then echo "Usage: codesign_cmake /path/CMake.app" exit 1 fi CMAKE_DIR=$1 # Hack to fix mangled frameworks: mkdir "$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions/4/Resources mkdir "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions/4/Resources cp "$SCRIPT_DIR/QtCore.Info.plist" "$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions/4/Resources/Info.plist cp "$SCRIPT_DIR/QtGui.Info.plist" "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions/4/Resources/Info.plist (cd "$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions ln -s 4 Current ) (cd "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions ln -s 4 Current ) (cd "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework mv Resources/* Versions/4/Resources/ rmdir Resources ln -s Versions/Current/Resources Resources ) codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions/4/QtCore codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions/4/QtGui find "$CMAKE_DIR"/Contents/bin -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \; find "$CMAKE_DIR"/Contents/MacOS -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \; codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR" | ||||||||
| Tags | No tags attached. | ||||||||
| Attached Files | |||||||||
| Relationships | ||||||
|
||||||
| Relationships |
| Notes | |
|
(0038483) Sean McBride (reporter) 2015-04-08 18:34 |
See also 0013532. |
|
(0038484) Brad King (manager) 2015-04-09 10:16 |
Please try with CMake 3.1 or higher, which has this fix: BundleUtilities: Framework codesign Resources/Info.plist & Current http://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=83a06bb4 [^] |
|
(0038555) Eric Wing (reporter) 2015-04-20 12:26 |
Tried 3.2.2 and the malformed Qt frameworks seem fixed and the secondary executable in Contents/MacOS is gone. Tricks still need to be used for code signing due to Apple's broken handling of embedded stuff, but this bug can be closed, and I'll comment directly on the other thread. |
|
(0039782) Robert Maynard (manager) 2015-11-02 09:13 |
Closing resolved issues that have not been updated in more than 4 months. |
|
(0040481) Eric Wing (reporter) 2016-02-12 21:32 |
I'm reopening this because it is still a problem, and the situation has gotten worse. Somewhere in the 10.9 timeframe, Apple tightened up the codesigning process. Among the changes are that improperly formed .framework bundles will cause an app to fail to be codesigned. The Qt frameworks are malformed. The workaround I posted no longer works. Qt 5.4 had the same problem. Various scripts around the net couldn't solve my Qt 5.4 problems and I had to upgrade to 5.5.1. CMake is in a worse position since it is 4 based. I'm not sure yet how to fix this. |
|
(0040530) Brad King (manager) 2016-02-24 09:42 |
Re 0015507:0040481: I've switched the nightly binaries to try building with Qt 5.5.1. Please try a .dmg from here: https://cmake.org/files/dev/?C=M;O=D [^] |
|
(0040567) Eric Wing (reporter) 2016-02-28 00:40 |
I just tried 3.5.20160225. The frameworks are even more malformed. They are just executables with no extensions and no framework structure. Signing failed. find CMake.app/Contents/Frameworks -type f CMake.app/Contents/Frameworks/QtCore CMake.app/Contents/Frameworks/QtGui CMake.app/Contents/Frameworks/QtPrintSupport CMake.app/Contents/Frameworks/QtWidgets CMake.app/Contents/Frameworks/Resources/Info.plist My own Qt app has properly structured frameworks. I'm not sure what you did to get those. |
|
(0040581) Brad King (manager) 2016-02-29 10:48 edited on: 2016-02-29 10:49 |
Re 0015507:0040567: That is what is produced by BundleUtilities for Qt5 on CMake. Try a local build with it if you want to debug that. Using the Qt upstream 5.5.1 binaries: cmake ../CMake -DCMAKE_PREFIX_PATH=/path/to/Qt/5.5.1/5.5/clang_64 -DBUILD_QtDialog=ON -DCMAKE_INSTALL_PREFIX=/ -DCMake_NO_CXX_STANDARD=1 -DCMake_NO_C_STANDARD=1 -DCMake_INSTALL_DEPENDENCIES=1 -DCMake_GUI_DISTRIBUTE_WITH_Qt_LGPL=TRUE -DCMAKE_BUILD_TYPE=Release -DCMAKE_SKIP_RPATH=1 -DCMAKE_CXX_FLAGS=-stdlib=libc++ make bin/cpack -G DragNDrop |
|
(0040585) Clinton Stimpson (developer) 2016-03-01 17:40 edited on: 2016-03-01 17:57 |
Brad, commit e422f738e4eb27dbf24a0b45d56e0f21a1d45cbc introduced a regression as shown above. If I revert the commit, then the results I have are: $ find CMake.app/Contents/Frameworks -type f CMake.app/Contents/Frameworks/QtCore.framework/Versions/5/QtCore CMake.app/Contents/Frameworks/QtCore.framework/Versions/5/Resources/Info.plist CMake.app/Contents/Frameworks/QtDBus.framework/Versions/5/QtDBus CMake.app/Contents/Frameworks/QtDBus.framework/Versions/5/Resources/Info.plist CMake.app/Contents/Frameworks/QtGui.framework/Versions/5/QtGui CMake.app/Contents/Frameworks/QtGui.framework/Versions/5/Resources/Info.plist CMake.app/Contents/Frameworks/QtPrintSupport.framework/Versions/5/QtPrintSupport CMake.app/Contents/Frameworks/QtPrintSupport.framework/Versions/5/Resources/Info.plist CMake.app/Contents/Frameworks/QtWidgets.framework/Versions/5/QtWidgets CMake.app/Contents/Frameworks/QtWidgets.framework/Versions/5/Resources/Info.plist |
|
(0040586) Clinton Stimpson (developer) 2016-03-01 17:56 |
Here is a fix for the framework regression https://cmake.org/gitweb?p=cmake.git;a=commit;h=53dbbaa [^] |
|
(0040634) Brad King (manager) 2016-03-07 09:32 |
Re 0015507:0040586: Thanks. I rebased the fix back on the original change: BundleUtilities: Fix regression handling frameworks https://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=3906ca5a [^] |
|
(0040648) Brad King (manager) 2016-03-08 10:12 |
Re 0015507:0040567: Eric, please try with a new nightly build after the fix in 0015507:0040634. |
|
(0040652) Eric Wing (reporter) 2016-03-09 07:30 |
Thanks, that worked! Here is my new signing script in case anybody needs this in the future. #!/bin/zsh # gets the script path # script_path=${0:a} # gets the directory in which the script resides SCRIPT_DIR=${0:a:h} CODE_SIGN_IDENTITY="Developer ID" if [ -z $1 ]; then echo "Usage: codesign_cmake /path/CMake.app" exit 1 fi CMAKE_DIR=$1 #codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" #"$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions/4/QtCore #codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" #"$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions/4/QtGui find "$CMAKE_DIR"/Contents/Frameworks -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \; find "$CMAKE_DIR"/Contents/bin -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \; find "$CMAKE_DIR"/Contents/MacOS -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \; # for CMake.app//Contents/PlugIns/platforms/libqcocoa.dylib find "$CMAKE_DIR"/Contents/PlugIns -name "*.dylib" -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \; codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR" echo "Verifying..." # To test, download Apple's Signature Check tool #/Volumes/Signature\ Check/check-signature BlurrrGenProj.app/ ##(c) 2014 Apple Inc. All rights reserved. ##YES # Also can try: spctl -a -t exec -vv "$CMAKE_DIR" |
|
(0040653) Brad King (manager) 2016-03-09 08:27 |
Re 0015507:0040652: Great! The build environment currently used for the nightly binaries will be used for the CMake 3.6 release. |
|
(0041231) Kitware Robot (administrator) 2016-06-10 14:21 |
This issue tracker is no longer used. Further discussion of this issue may take place in the current CMake Issues page linked in the banner at the top of this page. |
| Notes |
| Issue History | |||
| Date Modified | Username | Field | Change |
| 2015-04-08 18:28 | Eric Wing | New Issue | |
| 2015-04-08 18:34 | Sean McBride | Note Added: 0038483 | |
| 2015-04-09 10:16 | Brad King | Note Added: 0038484 | |
| 2015-04-09 10:20 | Brad King | Relationship added | related to 0013532 |
| 2015-04-20 12:26 | Eric Wing | Note Added: 0038555 | |
| 2015-04-20 12:35 | Brad King | Status | new => resolved |
| 2015-04-20 12:35 | Brad King | Resolution | open => fixed |
| 2015-04-20 12:35 | Brad King | Fixed in Version | => CMake 3.1 |
| 2015-11-02 09:13 | Robert Maynard | Note Added: 0039782 | |
| 2015-11-02 09:13 | Robert Maynard | Status | resolved => closed |
| 2016-02-12 21:32 | Eric Wing | Note Added: 0040481 | |
| 2016-02-12 21:32 | Eric Wing | Status | closed => feedback |
| 2016-02-12 21:32 | Eric Wing | Resolution | fixed => reopened |
| 2016-02-24 09:42 | Brad King | Note Added: 0040530 | |
| 2016-02-28 00:40 | Eric Wing | Note Added: 0040567 | |
| 2016-02-28 00:40 | Eric Wing | Status | feedback => new |
| 2016-02-29 10:48 | Brad King | Note Added: 0040581 | |
| 2016-02-29 10:49 | Brad King | Note Edited: 0040581 | |
| 2016-03-01 17:40 | Clinton Stimpson | Note Added: 0040585 | |
| 2016-03-01 17:56 | Clinton Stimpson | Note Added: 0040586 | |
| 2016-03-01 17:57 | Clinton Stimpson | Note Edited: 0040585 | |
| 2016-03-07 09:32 | Brad King | Note Added: 0040634 | |
| 2016-03-08 10:12 | Brad King | Note Added: 0040648 | |
| 2016-03-09 07:30 | Eric Wing | Note Added: 0040652 | |
| 2016-03-09 08:27 | Brad King | Note Added: 0040653 | |
| 2016-03-09 08:27 | Brad King | Assigned To | => Brad King |
| 2016-03-09 08:27 | Brad King | Status | new => resolved |
| 2016-03-09 08:27 | Brad King | Resolution | reopened => fixed |
| 2016-03-09 08:27 | Brad King | Fixed in Version | CMake 3.1 => CMake 3.6 |
| 2016-03-09 08:27 | Brad King | Target Version | => CMake 3.6 |
| 2016-06-10 14:21 | Kitware Robot | Note Added: 0041231 | |
| 2016-06-10 14:21 | Kitware Robot | Status | resolved => closed |
| Issue History |
| Copyright © 2000 - 2018 MantisBT Team |