Hej Michael and all, thanks for the feedback in this context !
>> I just ran into similar using 6.9.3. I too moved signing out of separate >> step with “--deep” enabled and into >>macdeployqt6 without the deep option. This enabled me to successfully notarize After updating to Qt6.10.0 I just tried the same with *only* running macdeployqt6 my.app and then checked it via: codesign --verify --deep --strict --verbose=2 ./my.app leading to: ./my.app: valid on disk ./my.app: satisfies its Designated Requirement but then notirising it via: xcrun notarytool submit app.zip --keychain-profile myProfile --wait leads to: status: Invalid In fact I received a couple of private mails with suggestions for further action and workarounds but is this really the way the process should be ? Best Alex Von: Nelson, Michael <[email protected]> Datum: Donnerstag, 2. Oktober 2025 um 23:28 An: [email protected] <[email protected]>, [email protected] <[email protected]> Betreff: RE: [Interest] Fw: Aw: Re: codesign issue with Qt6.9.1 Hello, I just ran into similar using 6.9.3. I too moved signing out of separate step with “--deep” enabled and into macdeployqt6 without the deep option. This enabled me to successfully notarize. My understanding is that “--deep" is to be avoided generally, as it can lead to unexpected/unneeded outcomes. Google/Copilot suggests it is known to break Apple notarization because “Apple's notarization process expects a specific structure and signing order. --deep can violate these expectations”. Perhaps you need --deep nevertheless but thought I’d point out my experience here. Best regards, [cid:[email protected]] MICHAEL NELSON | Sr. Software Engineer T +1 (703) 406-2800, 341 [email protected]<mailto:[email protected]> | www.otthydromet.com<http://www.otthydromet.com/> Confidential - Company Proprietary From: Interest <[email protected]> On Behalf Of alexander_carot--- via Interest Sent: Thursday, October 2, 2025 4:24 PM To: [email protected] Subject: [Interest] Fw: Aw: Re: codesign issue with Qt6.9.1 Hi all, see subject – with Qt6. 9. 1 now I sign this way: macdeployqt my. app -codesign="myAccount" and then codesign --options=runtime --entitlements ./deployment/entitlements. xml —force ./my. app -s "myAccount" checking this via codesign --verify Hi all, see subject – with Qt6.9.1 now I sign this way: macdeployqt my.app -codesign="myAccount" and then codesign --options=runtime --entitlements ./deployment/entitlements.xml —force ./my.app -s "myAccount" checking this via codesign --verify --deep --strict --verbose=2 ./myApp.app it says "valid on disc" - so all is fine. However, now a new issue comes up: When I zip it and load it up to notarise it via: xcrun notarytool submit myApp.zip --keychain-profile MYKEYCHAIN --wait then it eventually fails with: status: invalid Thus, I went back to Qt6.5.3 and signed in the same way and also received the INVALID status at the very end. Deploying and Signing via: macdeployqt my.app codesign --options=runtime --entitlements ./deployment/entitlements.xml —deep ./my.app -s "myAccount" does work out and leads to valid status but unfortunately this does not work out wiqht Qt6.9.1 because it refuses to take the --deep statement. Can anyone advise how to achieve VALID status with the above structure using Qt6.9 ? Thanks and best Alex -- http://www.carot.de<https://urldefense.com/v3/__http:/www.carot.de__;!!AC-Zr9Eh!IQrdmsFVAjbe1lxw20zIHc67BeI8b3kxTuRe4zlnWI6fFzc8UjIcp6c9z88_Rk8Yv5haM7aIBhwAp-32Lv4DfeTmHGck8Q$> Email : [email protected]<mailto:[email protected]> Tel.: +49 (0)177 5719797 Gesendet: Donnerstag, 18. September 2025 um 20:49 Von: "Alexander Carôt" <[email protected]<mailto:[email protected]>> An: [email protected]<mailto:[email protected]>, [email protected]<mailto:[email protected]>, [email protected]<mailto:[email protected]> Betreff: Aw: Re: [Interest] codesign issue with Qt6.9.1 Hello Kai, >>Any reason you don’t use macdeployqt -codesign=“My dev account” ? This should >>do deep signing... when I do this and I check the result via codesign --verify --deep --strict --verbose=2 ./myApp.app it looks fine: ./myApp.app: valid on disk ./myApp.app: satisfies its Designated Requirement but indeed I need to include the entitlements: --entitlements ./deployment/entitlements.xml which seems to not work when combining it via macdeployqt or am I mistaken on this ? Any further help appeciated, thanks beforehand and best Alex -- http://www.carot.de<https://urldefense.com/v3/__http:/www.carot.de__;!!AC-Zr9Eh!IQrdmsFVAjbe1lxw20zIHc67BeI8b3kxTuRe4zlnWI6fFzc8UjIcp6c9z88_Rk8Yv5haM7aIBhwAp-32Lv4DfeTmHGck8Q$> Email : [email protected]<mailto:[email protected]> Tel.: +49 (0)177 5719797 Gesendet: Donnerstag, 18. September 2025 um 17:44 Von: "Kai Köhne via Interest" <[email protected]<mailto:[email protected]>> An: "Hamish Moffatt" <[email protected]<mailto:[email protected]>>, "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Betreff: Re: [Interest] codesign issue with Qt6.9.1 Confidential >On 17/09/2025 8:31 pm, Alexander Carôt via Interest wrote: >> Hello all, >> >> I just upgraded from Qt6.5.3 to Qt 6.9.1 – it's all fine except that now the >> codesigning fails. I typically do: >> >> macdeployqt My.app >> >> codesign --options=runtime --entitlements ./deployment/entitlements.xml >> --deep ./My.app -s "My dev account" > > According to the manual, --deep is deprecated - probably because it’s > unreliable. You're expected to recurse all of the frameworks yourself, I > think. Any reason you don’t use macdeployqt -codesign=“My dev account” ? This should do deep signing... >I don't know why codesign is so bad. But also I'm surprised that Qt is > still shipping the official binaries unsigned. Huh, they are signed? Regards Kai _______________________________________________ Interest mailing list [email protected]<mailto:[email protected]> https://lists.qt-project.org/listinfo/interest<https://urldefense.com/v3/__https:/lists.qt-project.org/listinfo/interest__;!!AC-Zr9Eh!IQrdmsFVAjbe1lxw20zIHc67BeI8b3kxTuRe4zlnWI6fFzc8UjIcp6c9z88_Rk8Yv5haM7aIBhwAp-32Lv4DfeRQOMjutA$> Please be advised that this email may contain confidential information. If you are not the intended recipient, please notify us by email by replying to the sender and delete this message. The sender disclaims that the content of this email constitutes an offer to enter into, or the acceptance of, any agreement; provided that the foregoing does not invalidate the binding effect of any digital or other electronic reproduction of a manual signature that is included in any attachment. [0xC3D2]
_______________________________________________ Interest mailing list [email protected] https://lists.qt-project.org/listinfo/interest
