OS X codesign failed: bundle format is ambiguous (could be app or framework)

This error can be caused by many things but I know about one more which I didn’t find anywhere else ;-).

In case you compile and deploy your app by using qtmacdeploy and sign your application immediately, everything will probably works fine. The problem occurs, when you need to copy your application to different location (for example during dmg building). In such cases, this error can occur:

bundle format is ambiguous (could be app or framework)

Althought codesign is executed as always, singing isn’t successful:

codesign --deep --force --verbose --sign "$SIGNNAME" ./Skipper.app
/path/Skipper.app/Contents/Frameworks/QtCore.framework: bundle format is ambiguous (could be app or framework)

The problem is, that during the copy it’s necessary to keep all symbolic links inside frameworks. Without this, singing will fail.

So instead of

cp -r ./Source ./Destination

it’s necessary to use

cp -R ./Source ./Destination

Code signing certificate for windows

We encounter several problems when we tried to deploy our new version of ORM Designer – Skipper to our new web site skipper18.com. Although new Skipper installer is very simmilar to ORM Designer installer, when downloading this exe-file from the new site  we are getting this error:

installer.exe is not commonly downloaded and could harm your computer

IE_No_Digital_Signature

 

The problem is somewhere in chrome/IE when evaluating downloaded file. Probably combination of new site, new executable and new name of product is the problem.

To fix this issue, we decided to sign-in installer and application executable by Code-signing certificate. There are a lot of certificate providers and the costs are very different. A lot of providers are selling these certificate for around $500/year. Fortunately it’s possible to found certificates also for $75 – $95/year. The cheapest one is from tucows.com but based on the site and additional tools I decided for ksoftware.net, The price $95/year isn’t so different but they offer also command line and GUI signing tool for their certificates called kSign.

Order process

Fill your company details, pay with paypal and wait until someone from Comodo will contact you with additional details. It’s necessary to have the same contact information on the domain registration as on certificate registration. It is also necessary to have company registered in one of publicly available lists with the same company information as on certificate registration.

Next step is a validation through phone call. It is a quick call when you confirm registration info through the call in order to verify your phone number. Phone call is the last necessary step and then you receive email with certificate:

Windows developer certificate

Usage

Signing of the application and installer is pretty easy. K-Software offers two applications for this purposes. The first one is with GUI, second one is command line based. Both applications need only few parameters like where the certificate is stored, certificate password, application description, link and executable location:

kSign

Command line application is executed through following command:

kSignCMD.exe /d "Skipper application" /du "http://www.skipper18.com" /f PATH\certificate.pfx /p PASSWORD PATH\Skipper.exe

And that’s all. Now if you checked your executable through properties in Windows explorer, you see that your application is correctly signed:

Signed application

External links

How to sign your Qt Mac OS X App for Gatekeeper

Starting from Mac os 10.8 apple applications requires certificate. Without that certificate (or without additional system tweaks described here on our product support page: http://support.orm-designer.com/5/macos-mountain-lion-10-8-unidentified-developer ) user will se following message:

"OrmDesigner2" can't be opened because it is from an unidentified developer.
MacOS unidentified developer in ORM Designer

Solution

To solve this error message it’s necessary to do following steps:

  1. Register in Apple developer program and pay $99 per year
  2. Download and install developer certificate
  3. Sign whole application
  4. Test it!

1) Register on Developer.apple.com

You need to create registration here: https://developer.apple.com/. It’s necessary to fill info about contact person and company. After that, your registration will be reviewed by apple team and if everything will be OK, your registration will be approved.

2) Use Apple site to generate certificates

Open https://developer.apple.com/account/overview.action ,choose Certificates,  Click Add. Than select certificate parameters suitable for your need. In my case it was Mac Development and  Developer ID.

Now you need to install this certificate to your developer machine. Simply double-click on certificate and let system to import it. You can check that certificate is imported in Go->Utilities->Keychain Access->login. Now search for “Developer ID Application: XXXX”

MacOS certificate

Note: In my case when I transfer certificate to several developer machines I need to migrate also other Apple certificates. Without that my certificate wasn’t a valid.

3) Sign your application

Now you need to sign your application including all plugins and frameworks inside app bundle. After you sing your app, you can’t do any changes in the bundle. So as first run your deploy as usual and as last step do app singing.

For ORM Designer sign script looks like this:

#go to deploy directory
cd $StarkDeploy.directory$/deploy

#sign app
codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." ./OrmDesigner2.app

#sign all *.dylib files
find OrmDesigner2.app -name *.dylib | xargs -I $ codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." $

#sign all Qt* frameworks
find OrmDesigner2.app -name Qt* -type f | xargs -I $ codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." $

4) Test it!

As last step it’s necessary to test that sign process was successful. As first you can try following command line to validate  it:

codesign -vvv -d OrmDesigner2.app

#RESULT:
Executable=/OrmDesigner2/DeployFiles/macos64/deploy/OrmDesigner2.app/Contents/MacOS/OrmDesigner2
Identifier=com.orm-designer.OrmDesigner2
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=174478 flags=0x0(none) hashes=8717+3 location=embedded
Hash type=sha1 size=20
CDHash=5a491e16f7dcca15b44af4XXXX1a2d2dcc786518
Signature size=4237
Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=6 Jun 2013 23:16:08
Info.plist entries=10
Sealed Resources rules=4 files=27
Internal requirements count=1 size=212

Now when you checked that App is correctly signed, it’s time to try it on clean computer where no security policy changes was made. Upload your app and execute it.

If you don’t see annoying screen “Can’t execute application from unidentified developer”, you win ;-).

External links

How to transfer certificate: 

How to import:

Apple links