How to sign macOS app with bundled frameworks for TestFlight

Hi,

I have a Qt app (https://www.qt.io/) which contains the main app executable file, Qt frameworks, and Qt plugins bundled.

Signing the app this way works fine and the app is successfully published on the Mac App Store (the "deep" flag is only used for testing):

codesign --deep -f -s "Apple Distribution" -v --entitlements "MyApp.entitlements" "MyApp.app"

Entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.files.downloads.read-write</key>
	<true/>
	<key>com.apple.security.device.audio-input</key>
	<true/>
	<key>com.apple.security.device.serial</key>
	<true/>
	<key>com.apple.security.files.bookmarks.app-scope</key>
	<true/>
	<key>com.apple.security.personal-information.location</key>
	<true/>
	<key>com.apple.security.app-sandbox</key>
	<true/>
</dict>
</plist>

But as soon as I change the entitlements file as follows, the app crashes with a "Code signature invalid" error:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.files.downloads.read-write</key>
	<true/>
	<key>com.apple.security.device.audio-input</key>
	<true/>
	<key>com.apple.security.device.serial</key>
	<true/>
	<key>com.apple.security.files.bookmarks.app-scope</key>
	<true/>
	<key>com.apple.security.personal-information.location</key>
	<true/>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.application-identifier</key>
	<string>TEAM_ID.com.myapp</string>
	<key>com.apple.developer.team-identifier</key>
	<string>TEAM_ID</string>
</dict>
</plist>

Running codesign -dvvv --entitlement :- ./MyApp.app on the signed app packages shows the correct entitlement. I can upload both app versions to the Mac App Store without problems.

The modified entitlements file is required for enabling TestFlight testing in iTunes Connect. What could be the reason for the crash when using the modified entitlements file?

Regards,

Answered by HMoc in 698417022

After spending more than a day with this I finally found the reason: https://github.com/microsoft/vscode/issues/113720

In short: the crash is expected but the app will work when installed via TestFlight.

Accepted Answer

After spending more than a day with this I finally found the reason: https://github.com/microsoft/vscode/issues/113720

In short: the crash is expected but the app will work when installed via TestFlight.

How to sign macOS app with bundled frameworks for TestFlight
 
 
Q