Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-101696

Consider dependencies that start with @loader_path for code signing when using -executable option

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • P2: Important
    • None
    • 6.3.0 Beta2
    • Build tools: macdeployqt
    • None

    Description

      Currently when running macdeployqt with one more -executable options and -codesign, it will embed @loader_path prefixed rpaths instead of @executable_path prefixed ones.

      https://github.com/qt/qtbase/blob/dev/src/tools/macdeployqt/shared/shared.cpp#L1058
      https://github.com/qt/qtbase/blob/dev/src/tools/macdeployqt/shared/shared.cpp#L961

      Unfortunately this means that the copied Qt framework libraries will not be code-signed anymore, because the code skips signing libraries that start with @loader_path
      https://github.com/qt/qtbase/blob/dev/src/tools/macdeployqt/shared/shared.cpp#L617

      This can lead to issues on arm mac machines if the copied libraries have previously been signed, because macdeloyqt will call install_name_tool to modify the rpaths of the libs, and thus invalidate the previous signature.

      This happens with the Qt libraries distributed by Homebrew, which are explicitly signed, albeit with an ad-hoc signature '-', which is not a linker ad-hoc signature!
      See QTBUG-101695 and https://github.com/Homebrew/brew/issues/9082

      We should consider signing all libraries that are copied into the bundle, regardless of whether their install name starts with @rpath @executable_path or @loader_path

      Note this is distinct from QTBUG-100686 where macdeployqt does not copy libraries to the bundle. The current issue is about signing only.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-100686 macdeployqt misses some libraries

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Reported

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-36245 macdeployqt works for app bundles, but not for plugin bundles

          • P3: Somewhat important - Should be fixed, but doesn't affect the release in any way.
          • Reported

          Task - A task that needs to be done. QTBUG-101695 Detect overriding of an existing signature and exit early saying to use -codesign

          • P3: Somewhat important - Should be fixed, but doesn't affect the release in any way.
          • Reported
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              sorvig Morten Sørvig
              alexandru.croitor Alexandru Croitor
              Votes:
              4 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:

                Gerrit Reviews

                  There are no open Gerrit changes