Qt / QTBUG-101696

Consider dependencies that start with @loader_path for code signing when using -executable option


    • Bug
    • Resolution: Unresolved
    • P2: Important
    • None
    • 6.3.0 Beta2
    • None

      Currently, when running macdeployqt with one or more -executable options and -codesign, it will embed @loader_path prefixed rpaths instead of @executable_path prefixed ones.

      https://github.com/qt/qtbase/blob/dev/src/tools/macdeployqt/shared/shared.cpp#L1058
      https://github.com/qt/qtbase/blob/dev/src/tools/macdeployqt/shared/shared.cpp#L961

      Unfortunately this means that the copied Qt framework libraries will not be code-signed anymore, because the code skips signing libraries that start with @loader_path
      https://github.com/qt/qtbase/blob/dev/src/tools/macdeployqt/shared/shared.cpp#L617

      This can lead to issues on ARM Mac machines if the copied libraries have previously been signed, because macdeployqt will call install_name_tool to modify the rpaths of the libs, and thus invalidate the previous signature.

      This happens with the Qt libraries distributed by Homebrew, which are explicitly signed, albeit with an ad-hoc signature '-', which is not a linker ad-hoc signature!
      See QTBUG-101695 and https://github.com/Homebrew/brew/issues/9082

      We should consider signing all libraries that are copied into the bundle, regardless of whether their install name starts with @rpath, @executable_path or @loader_path.

      Note this is distinct from QTBUG-100686 where macdeployqt does not copy libraries to the bundle. The current issue is about signing only.


            vestbo Tor Arne Vestbø
            alexandru.croitor Alexandru Croitor
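An added example (not macdeployqt code and not part of the original report): a post-deployment check that walks a bundle and lists every Mach-O file whose signature `codesign --verify` rejects, which catches libraries left unsigned or whose signature was invalidated by install_name_tool. The function names are hypothetical, and it assumes macOS with `codesign` on PATH.

```python
import os
import subprocess

# Mach-O magic numbers: thin 32/64-bit in either byte order, plus fat/universal.
# Note: cafebabe is also the Java class-file magic, so such a file would be checked too.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),
    bytes.fromhex("cafebabe"), bytes.fromhex("bebafeca"),
}

def is_macho(path):
    """True if the file starts with a Mach-O or universal-binary magic."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False

def codesign_ok(path):
    """Ask codesign whether the signature on `path` is present and valid."""
    result = subprocess.run(["codesign", "--verify", "--strict", path],
                            capture_output=True)
    return result.returncode == 0

def find_unsigned(bundle, verify=codesign_ok):
    """Return sorted bundle-relative paths of Mach-O files that fail `verify`."""
    bad = []
    for root, _dirs, files in os.walk(bundle):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):  # framework symlinks point at files visited anyway
                continue
            if is_macho(path) and not verify(path):
                bad.append(os.path.relpath(path, bundle))
    return sorted(bad)

if __name__ == "__main__":
    import sys
    failures = find_unsigned(sys.argv[1])
    for rel in failures:
        print("invalid or missing signature:", rel)
    sys.exit(1 if failures else 0)
```

Run against the deployed `.app` directory after macdeployqt finishes; a non-zero exit status means at least one binary in the bundle needs to be re-signed.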