We are currently trying to have our app verified in order to distribute it outside of the app store. We are including OpenSceneGraph libraries as well as Qt frameworks in the app bundle.
This is how we did it so far:
- Signed executable in Contents/MacOS folder
- Signed libraries and Qt frameworks
- Signed App.app folder
- zipped .app and submitted for Notarization
The executable, libraries and frameworks signing is done manually with the codesign command, and to sign the whole .app we do the following:
codesign --force --verify --verbose=3 --options runtime --timestamp --entitlements App.entitlements -s "Developer ID Application: Our Dev Id" App.app
When we send the zipped .app to be notarized we usually get a quick reply informing us that the notarization was successful, but if we try to run "spctl --verbose --assess --type execute -v App.app" we get the following error:
App.app: rejected (unsealed contents present in the root directory of an embedded framework)
Also inspecting the json file with the notarization output we notice the same error, but it is marked as a warning and checking it with codesign no error is returned.
After a bit of digging we realized that the issue is related to the Qt frameworks: as a counterproof, we tried to submit the same app without the Qt frameworks and this time when the bundle was successfully notarized spctl accepted it too, so we eliminated the all symlinks in the root directory, moved the .prl files into the Resources/ folder, and created an alias to A/ in the Versions/ subfolder as suggested in several forum posts, but we have not been able to have spctl accept our bundle with the Qt frameworks. Now at the root of each framework there is just the Versions folder and nothing else (we checked with ls-lha to be sure)
What are we missing in this? Is there a way to at least get some hint on where is the unsealed content which is upsetting the verification tool?
Thank you in advance