Developer Blog - Inventic.eu

Tag: #certificate

OS X codesign failed: bundle format is ambiguous (could be app or framework)

This error can be caused by many things but I know about one more which I didn't find anywhere else ;-).

If you compile and deploy your app using qtmacdeploy and sign your application immediately, everything will probably work fine. The problem occurs when you need to copy your application to a different location (for example, while building a dmg). In such cases, this error can occur:

```
bundle format is ambiguous (could be app or framework)
```

Although codesign is executed as always, signing isn't successful:

```
codesign --deep --force --verbose --sign "$SIGNNAME" ./Skipper.app
/path/Skipper.app/Contents/Frameworks/QtCore.framework: bundle format is ambiguous (could be app or framework)
```

The problem is that the copy has to keep all symbolic links inside the frameworks. Without this, signing will fail.

So instead of

```
cp -r ./Source ./Destination
```

it's necessary to use

```
cp -R ./Source ./Destination
```
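A check for the failure described above, as an added example that is not part of the original post: it compares the symlinks of the source and the copied bundle and lists frameworks whose `Versions/Current` link became a real directory. The function names are hypothetical, and the check assumes the versioned framework layout (`Versions/Current` as a symlink) that Qt frameworks use.

```shell
#!/bin/sh
# Added example (not from the original post): detect a bundle copy that
# replaced framework symlinks with real files before codesign is run.

# Print every *.framework under $1 whose Versions/Current is not a symlink.
# Assumption: versioned frameworks keep Versions/Current as a symlink.
flattened_frameworks() {
    bundle=$1
    find "$bundle" -type d -name '*.framework' | while IFS= read -r fw; do
        if [ -d "$fw/Versions" ] && [ ! -L "$fw/Versions/Current" ]; then
            printf '%s\n' "$fw"
        fi
    done
}

# Count the symlinks in a directory tree.
count_symlinks() {
    find "$1" -type l | wc -l | tr -d ' '
}

# Return 0 only when the copy in $2 has as many symlinks as the source in $1
# and none of its frameworks was flattened.
copy_preserved_links() {
    src=$1
    dst=$2
    [ "$(count_symlinks "$src")" = "$(count_symlinks "$dst")" ] || return 1
    [ -z "$(flattened_frameworks "$dst")" ]
}

# Usage in a dmg build script, before signing:
#   copy_preserved_links ./Source/Skipper.app ./Destination/Skipper.app || exit 1
```

Run it between the copy and the codesign step, so that a broken copy stops the build before the signing error appears.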
05 Mar 2015

Posted by: ludek.vodicka

Mac OS #MacOs #certificate #codesign #singing

Codesign asking for credentials on every usage

Apple OS X codesign

To fix that, it's sufficient to configure the certificate to allow any application to use it without asking:

KeyChain - allow access (step 1)

KeyChain - step 2

08 Feb 2015

Posted by: ludek.vodicka

Programming Mac OS #certificate #codesign

Code signing certificate for windows

We encountered several problems when we tried to deploy our new version of ORM Designer - Skipper to our new web site skipper18.com. Although the new Skipper installer is very similar to the ORM Designer installer, when downloading this exe file from the new site we are getting this error:

```
installer.exe is not commonly downloaded and could harm your computer
```

IE_No_Digital_Signature

The problem is somewhere in Chrome/IE when evaluating the downloaded file. Probably the combination of a new site, a new executable and a new product name is the problem.

To fix this issue, we decided to sign the installer and application executable with a **code-signing certificate**. There are a lot of certificate providers and the costs are very different. A lot of providers sell these certificates for around $500/year. Fortunately, it's also possible to find certificates for $75 - $95/year. The cheapest one is from tucows.com, but based on the site and additional tools I decided on ksoftware.net. The price of $95/year isn't so different, and they also offer a command-line and a GUI signing tool for their certificates, called kSign.

Order process

Fill in your company details, pay with PayPal and wait until someone from Comodo contacts you with additional details. It's necessary to have the same contact information on the domain registration as on the certificate registration. It is also necessary to have the company registered in one of the publicly available lists with the same company information as on the certificate registration.

The next step is validation through a phone call. It is a quick call in which you confirm the registration info in order to verify your phone number. The phone call is the last necessary step; after it you receive an email with the certificate:

Windows developer certificate

Usage

Signing the application and installer is pretty easy. K-Software offers two applications for this purpose. The first one has a GUI, the second one is command-line based. Both applications need only a few parameters, such as where the certificate is stored, the certificate password, the application description, a link and the executable location:

kSign

The command-line application is executed with the following command:

```
kSignCMD.exe /d "Skipper application" /du "http://www.skipper18.com" /f PATH\certificate.pfx /p PASSWORD PATH\Skipper.exe
```

And that's all. Now if you check your executable through Properties in Windows Explorer, you will see that your application is correctly signed:

Signed application


27 Jun 2014

How to sign your Qt Mac OS X App for Gatekeeper

Starting from Mac OS X 10.8, Apple requires applications to have a certificate. Without that certificate (or without the additional system tweaks described on our product support page: http://support.orm-designer.com/5/macos-mountain-lion-10-8-unidentified-developer ) the user will see the following message:

```
"OrmDesigner2" can't be opened because it is from an unidentified developer.
```

MacOS unidentified developer in ORM Designer

Solution

To solve this error message it's necessary to do following steps:

  1. Register in Apple developer program and pay $99 per year
  2. Download and install developer certificate
  3. Sign whole application
  4. Test it!

1) Register on Developer.apple.com

You need to create a registration here: https://developer.apple.com/. It's necessary to fill in info about the contact person and company. After that, your registration will be reviewed by the Apple team and, if everything is OK, approved.

**2) Use Apple site to generate certificates**

Open https://developer.apple.com/account/overview.action, choose **Certificates** and click Add. Then select the certificate parameters suitable for your needs. In my case it was **Mac Development** and **Developer ID**.

Now you need to install this certificate on your developer machine. Simply double-click the certificate and let the system import it. You can check that the certificate is imported in **Go->Utilities->Keychain Access->login**. Now search for "Developer ID Application: XXXX".

MacOS certificate

**Note:** In my case, when I transferred the certificate to several developer machines, I also needed to migrate other Apple certificates. Without that, my certificate wasn't valid.

**3) Sign your application**

Now you need to sign your application, including all plugins and frameworks inside the app bundle. **After you sign your app, you can't make any changes in the bundle.** So first run your deploy as usual and do the app signing as the **last step**.

For ORM Designer the sign script looks like this:

```
# go to deploy directory
cd $StarkDeploy.directory$/deploy

# sign all *.dylib files (pattern quoted so the shell does not expand it)
find OrmDesigner2.app -name '*.dylib' -print0 | xargs -0 -I {} codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." {}

# sign all Qt* frameworks
find OrmDesigner2.app -name 'Qt*' -type f -print0 | xargs -0 -I {} codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." {}

# sign the app last, so that nothing inside the bundle changes after it is signed
codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." ./OrmDesigner2.app
```

4) Test it!

As the last step, it's necessary to test that the signing process was successful. First, you can try the following command line to validate it:

```
codesign -vvv -d OrmDesigner2.app

#RESULT:
Executable=/OrmDesigner2/DeployFiles/macos64/deploy/OrmDesigner2.app/Contents/MacOS/OrmDesigner2
Identifier=com.orm-designer.OrmDesigner2
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=174478 flags=0x0(none) hashes=8717+3 location=embedded
Hash type=sha1 size=20
CDHash=5a491e16f7dcca15b44af4XXXX1a2d2dcc786518
Signature size=4237
Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=6 Jun 2013 23:16:08
Info.plist entries=10
Sealed Resources rules=4 files=27
Internal requirements count=1 size=212
```
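A release script can check the `Authority=` lines of this output automatically. The following is an added example, not part of the original post; the function names are hypothetical and the sample lines are taken from the output shown above. It only reads what `codesign -d` displays, so it complements `codesign --verify` rather than replacing it.

```shell
#!/bin/sh
# Added example (not from the original post): check the Authority chain that
# `codesign -dvvv` prints. Input is read from stdin; $1 is the expected
# beginning of the first (leaf) Authority line.
check_authority_chain() {
    expected=$1
    chain=$(sed -n 's/^Authority=//p')
    # An unsigned or ad-hoc signed bundle prints no Authority lines at all.
    [ -n "$chain" ] || { echo "no Authority lines found" >&2; return 1; }
    leaf=$(printf '%s\n' "$chain" | sed -n '1p')
    root=$(printf '%s\n' "$chain" | sed -n '$p')
    case $leaf in
        "$expected"*) ;;
        *) echo "unexpected signer: $leaf" >&2; return 1 ;;
    esac
    [ "$root" = "Apple Root CA" ] || { echo "chain ends at: $root" >&2; return 1; }
}

# Sample input: lines copied from the output shown in the post.
sample_output() {
    cat <<'EOF'
Identifier=com.orm-designer.OrmDesigner2
Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=6 Jun 2013 23:16:08
EOF
}

# Real use (codesign -d writes its report to stderr):
#   codesign -dvvv OrmDesigner2.app 2>&1 |
#       check_authority_chain "Developer ID Application: Inventic s.r.o."
```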

Now that you have checked that the app is correctly signed, it's time to try it on a clean computer where no security policy changes were made. Upload your app and execute it.

If you don't see the annoying screen "Can't execute application from unidentified developer", **you win** ;-).


07 Jun 2013

Posted by: ludek.vodicka

Qt Mac OS #MacOs #certificate #developer