Qt / QTBUG-101696

Consider dependencies that start with @loader_path for code signing when using -executable option

    Details

    • Type: Bug
    • Status: Reported
    • Priority: P2: Important
    • Resolution: Unresolved
    • Affects Version/s: 6.3.0 Beta2
    • Fix Version/s: None
    • Labels:
      None

      Description

      Currently, when running macdeployqt with one or more -executable options and -codesign, it will embed @loader_path prefixed rpaths instead of @executable_path prefixed ones.

      https://github.com/qt/qtbase/blob/dev/src/tools/macdeployqt/shared/shared.cpp#L1058
      https://github.com/qt/qtbase/blob/dev/src/tools/macdeployqt/shared/shared.cpp#L961

      Unfortunately, this means that the copied Qt framework libraries will not be code-signed anymore, because the code skips signing libraries that start with @loader_path:
      https://github.com/qt/qtbase/blob/dev/src/tools/macdeployqt/shared/shared.cpp#L617

      This can lead to issues on ARM Mac machines if the copied libraries have previously been signed, because macdeployqt will call install_name_tool to modify the rpaths of the libs, and thus invalidate the previous signature.

      This happens with the Qt libraries distributed by Homebrew, which are explicitly signed, albeit with an ad-hoc signature '-', which is not a linker ad-hoc signature!
      See QTBUG-101695 and https://github.com/Homebrew/brew/issues/9082

      We should consider signing all libraries that are copied into the bundle, regardless of whether their install name starts with @rpath, @executable_path or @loader_path.

      Note this is distinct from QTBUG-100686 where macdeployqt does not copy libraries to the bundle. The current issue is about signing only.
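
      A way to check a deployed bundle for the condition described above, as an added example that is not part of the report or of macdeployqt: it lists every dylib, plugin and framework binary whose signature is missing or no longer verifies. The function names are hypothetical and the standard .app bundle layout is assumed.

```shell
#!/bin/sh
# Added example: audit a deployed .app bundle for code whose signature is
# missing or was invalidated (for instance by install_name_tool edits).
# Function names are hypothetical; the standard bundle layout is assumed.

# List dylibs/plugins plus each framework's main binary
# (Foo.framework/Versions/<v>/Foo). Symlinks are skipped by -type f.
list_bundle_code() {
    find "$1/Contents" -type f \( -name '*.dylib' -o -name '*.so' \) -print
    find "$1/Contents" -type d -name '*.framework' -print |
    while IFS= read -r lb_fw; do
        lb_name=$(basename "$lb_fw" .framework)
        if [ -d "$lb_fw/Versions" ]; then
            find "$lb_fw/Versions" -type f -name "$lb_name" -print
        fi
    done
}

# Print every listed file that fails signature verification
# (unsigned files fail as well).
find_badly_signed() {
    list_bundle_code "$1" | while IFS= read -r fb_file; do
        codesign --verify --strict "$fb_file" >/dev/null 2>&1 ||
            printf '%s\n' "$fb_file"
    done
}

# Re-sign only the failing files. Identity defaults to "-" (ad-hoc);
# pass a real signing identity as $2 for distribution builds.
resign_invalid() {
    rs_identity=${2:--}
    find_badly_signed "$1" | while IFS= read -r rs_file; do
        codesign --force --sign "$rs_identity" "$rs_file"
    done
}

# Stand-alone use: ./audit.sh MyApp.app  (exit status 1 if anything fails)
if [ "$#" -gt 0 ]; then
    bad=$(find_badly_signed "$1")
    [ -z "$bad" ] || { printf '%s\n' "$bad"; exit 1; }
fi
```

      After `resign_invalid` changes nested code, the enclosing bundle has to be signed again, because its signature covers the nested files.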

              People

              Assignee:
              sorvig Morten Sørvig
              Reporter:
              alexandru.croitor Alexandru Croitor