How to sign macOS app with bundled frameworks for TestFlight

Hi,

I have a Qt app (https://www.qt.io/) which contains the main app executable file, Qt frameworks, and Qt plugins bundled.

Signing the app this way works fine and the app is successfully published on the Mac App Store (the "deep" flag is only used for testing):

codesign --deep -f -s "Apple Distribution" -v --entitlements "MyApp.entitlements" "MyApp.app"

Entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
	<key>com.apple.security.files.downloads.read-write</key>
	<true/>
	<key>com.apple.security.device.audio-input</key>
	<true/>
	<key>com.apple.security.device.serial</key>
	<true/>
	<key>com.apple.security.files.bookmarks.app-scope</key>
	<true/>
	<key>com.apple.security.personal-information.location</key>
	<true/>
	<key>com.apple.security.app-sandbox</key>
	<true/>
</dict>
</plist>

But as soon as I change the entitlements file as follows, the app crashes with a "Code signature invalid" error:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
	<key>com.apple.security.files.downloads.read-write</key>
	<true/>
	<key>com.apple.security.device.audio-input</key>
	<true/>
	<key>com.apple.security.device.serial</key>
	<true/>
	<key>com.apple.security.files.bookmarks.app-scope</key>
	<true/>
	<key>com.apple.security.personal-information.location</key>
	<true/>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.application-identifier</key>
	<string>TEAM_ID.com.myapp</string>
	<key>com.apple.developer.team-identifier</key>
	<string>TEAM_ID</string>
</dict>
</plist>

Running codesign -dvvv --entitlement :- ./MyApp.app on the signed app packages shows the correct entitlement. I can upload both app versions to the Mac App Store without problems.

The modified entitlements file is required for enabling TestFlight testing in iTunes Connect. What could be the reason for the crash when using the modified entitlements file?

Regards,

Accepted Reply

After spending more than a day with this I finally found the reason: https://github.com/microsoft/vscode/issues/113720

In short: the crash is expected but the app will work when installed via TestFlight.
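
An added example, not part of the original thread: a pre-upload check that diffs two entitlements files and flags the identifier keys that, per the reply above, make a locally launched build crash. The names `review` and `make_plist` and the sample plists are constructed for illustration, and the prefix check assumes the App ID prefix equals the team ID, as in the post.

```python
import plistlib

# The two keys the post added for TestFlight.
APP_ID = "com.apple.application-identifier"
TEAM_ID = "com.apple.developer.team-identifier"

def make_plist(body: str) -> bytes:
    """Wrap key/value XML in a plist envelope (helper for the constructed samples)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<plist version="1.0"><dict>' + body + "</dict></plist>").encode()

# Constructed sample inputs: a shortened sandbox set, then the same set plus
# the identifier keys with the placeholder values used in the post.
BASE = make_plist("<key>com.apple.security.app-sandbox</key><true/>"
                  "<key>com.apple.security.network.client</key><true/>")
TESTFLIGHT = make_plist("<key>com.apple.security.app-sandbox</key><true/>"
                        "<key>com.apple.security.network.client</key><true/>"
                        f"<key>{APP_ID}</key><string>TEAM_ID.com.myapp</string>"
                        f"<key>{TEAM_ID}</key><string>TEAM_ID</string>")

def review(before: bytes, after: bytes) -> dict:
    """Diff two entitlements plists and sanity-check the identifier keys."""
    old, new = plistlib.loads(before), plistlib.loads(after)
    app_id, team = new.get(APP_ID), new.get(TEAM_ID)
    problems = []
    if (app_id is None) != (team is None):
        problems.append("only one of the two identifier keys is present")
    elif app_id is not None:
        # Assumption: the App ID prefix equals the team ID, as in the post.
        ok = isinstance(app_id, str) and isinstance(team, str) and team != ""
        if not (ok and app_id.startswith(team + ".")):
            problems.append("application-identifier lacks the team-identifier prefix")
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
        # Per the accepted reply: such a build crashes when launched locally
        # but works once installed via TestFlight.
        "local_launch_expected_to_fail": APP_ID in new or TEAM_ID in new,
        "problems": problems,
    }

if __name__ == "__main__":
    print(review(BASE, TESTFLIGHT))
```

For real use, pass the bytes of the two entitlements files given to codesign in place of the constructed samples.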
