Executables QtWebSockets and QtQmlModels prevent notarization

I've created a package from an app using productbuild and signed it using

productsign --sign 'Developer ID Installer: MyName (XXXXXX7RBW)' /Users/Desktop/my_app.pkg /Users/Desktop/my_app_signed.pkg

I then checked the signature via

pkgutil --check-signature /Users/Desktop/my_appsigned.pkg

I uploaded the package for notarization, which subsequently failed. The error log indicated two binaries were not signed with a valid developer ID certificate. The names were QtWebSockets and QtQmlModels.

While I've encountered similar obstacles in the past, they usually arose when folder names contained periods. I simply deleted the folders from the package, which seemed to have no effect on its functionality.

This error is altogether new for me though.

I was able to get things to work, but only by signing the app first with --deep, which I understand to be ill-advised. Then I built my installer, which was notarized successfully. (I tried to staple, which yielded an error message as described at https://developer.apple.com/forums/thread/120351. The proposed work-around didn't work for me.) I have yet to see if this prevents things from opening on a new machine.

I'd be very appreciative if anyone can guide me through the process of successfully notarizing a package like mine without using --deep.

In particular, am I correct that if the two problematic executables above were code-signed individually before the package as a whole was product signed, then things should work out?What exactly is the syntax for signing the executables, and should I use my developer ID application for signing them?

Thanks.

but only by signing the app first with --deep, which I understand to be ill-advised.

Indeed. See --deep Considered Harmful for an explanation as to why.

I have yet to see if this prevents things from opening on a new machine.

See Testing a Notarised Product for advice on how to test your notarised package.

I'd be very appreciative if anyone can guide me through the process of successfully notarizing a package like mine

See this pair of posts:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Executables QtWebSockets and QtQmlModels prevent notarization
 
 
Q