QGIS 3.34 macOS Code Signature Issue #55930

Open
2 tasks done
uurazzle opened this issue Jan 22, 2024 · 8 comments
Labels
Bug Either a bug report, or a bug fix. Let's hope for the latter! macOS


uurazzle commented Jan 22, 2024

What is the bug or the crash?

Code Signature Issue

Steps to reproduce the issue

Run the following command to verify the QGIS 3.34 application code signature:

```
spctl -a -vv /Volumes/QGIS.app/QGIS.app
/Volumes/QGIS.app/QGIS.app: rejected (invalid destination for symbolic link in bundle)
origin=Developer ID Application: Open Source Geospatial Foundation (4F7N4UDA22)
```

Versions

3.34

Supported QGIS version

  • I'm running a supported QGIS version according to the roadmap.

New profile

Additional context

Here is some interesting general information to check out and share with your macOS developer on resolving Gatekeeper problems on macOS.

Resolving Gatekeeper Problems | Apple Developer Forums:

The post titled "Resolving Gatekeeper Problems" on the Apple Developer Forums, written by Quinn "The Eskimo!" from Developer Technical Support at Apple, is a comprehensive guide addressing common issues related to Gatekeeper on macOS. Gatekeeper is a security feature designed to ensure that only trusted software runs on a user's Mac, and the post focuses on helping developers troubleshoot and resolve issues that may arise in this context.
The post identifies four common Gatekeeper problems that developers may encounter:

  1. App blocked by a dangling load command path.
  2. Broken code signature.
  3. Lack of notarization.
  4. Command-line tool blocked by Gatekeeper.

For each of these issues, the post provides detailed steps and guidance on how developers can resolve them. The emphasis is on the importance of passing Gatekeeper checks to maintain customer trust and avoid potential loss of customers.
Key points covered in the post include:

• Verification of Code Signature: Developers are advised to use the codesign tool to verify that their code is signed correctly. The post provides examples of command-line usage to check for issues such as missing or invalid sealed resources.
• Notarization Issues: Gatekeeper requires that apps be notarized, and the post guides developers on how to identify and resolve notarization problems. It includes information on checking system logs for specific entries related to notarization issues.
• Hash Mismatch: In cases where there's a hash mismatch, the post provides guidance based on the file type (e.g., zip archive, signed disk image, installer package) and recommends specific actions to address the problem.
• Command-line Tool Blocking Bug: A known bug in macOS is acknowledged, where double-clicking a command-line tool in Finder may lead to it being blocked by Gatekeeper. Workarounds, such as embedding the tool in an application or using an installer package, are suggested.

Throughout the post, there are references to Apple's documentation and resources related to code signing and notarization, providing developers with additional information for a deeper understanding.

https://forums.developer.apple.com/forums/thread/706379

@uurazzle uurazzle added the Bug Either a bug report, or a bug fix. Let's hope for the latter! label Jan 22, 2024

kentr commented Jul 9, 2024

I'm also getting this on 3.34 and 3.38. Both are installed with Homebrew.

Standard attempts to open in the Finder result in the well-known dialog warning that the developer can't be verified.

I searched for invalid symlinks with `find /Applications/QGIS.app -type l -exec test ! -e {} \;`. Nothing turned up.


uurazzle commented Jul 9, 2024

I would recommend the QGIS developers check the Apple developer forum posts for best practices, etc:

https://forums.developer.apple.com/forums/thread/706379

Try the GUI utility called Apparency, which was written by a former Apple Engineer for reference/review.

https://mothersruin.com/software/Apparency/

For example, QGIS version 3.38.0 has the following issues: "unnotarized developer", "no signature" on applications and components, etc.


@agiudiceandrea
Contributor

Hi @jef-n, have you seen this issue report?


jef-n commented Jul 17, 2024

> Hi @jef-n, have you seen this issue report?

No, I'm not in charge of mac packaging.

Might relate to the expired certificate - although according to https://download.qgis.org//downloads/macos/qgis-macos-pr.latest.log the signing did work.

I just try to keep the build afloat as nobody else seems to care - with next to no mac knowledge and marginal personal interest in the platform.


uurazzle commented Aug 16, 2024

Hi:

Ok, understand if the developers don't think this is a priority, but in macOS Sequoia, users can no longer override Gatekeeper by Control-clicking to open unsigned or non-notarized software; instead, they must review and permit such software through System Settings > Privacy & Security. To ensure smooth distribution of software outside the Mac App Store, it's recommended to submit it for notarization, which involves Apple's security checks and helps users run the software with confidence.

Here is Apple Developer documentation on how to notarize software:
https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution

@nyalldawson
Collaborator

@uurazzle

> understand if the developers don't think this is a priority

That's not the case. It's definitely seen as a priority, but there's no one active in the qgis developer community who has the skills and knowledge necessary to resolve this. 🤷‍♂️

@marcelpogorzelski

A workaround after moving QGIS to Applications folder:

  1. Open Terminal
  2. sudo xattr -r -d com.apple.quarantine "/Applications/QGIS.app"

This removes the quarantine flag and Gatekeeper no longer blocks QGIS.

@marcelpogorzelski

Running the xattr command reveals two problematic symlinks:

```
/Applications % sudo xattr -r -d com.apple.quarantine "/Applications/QGIS.app"
xattr: No such file: /Applications/QGIS.app/Contents/Resources/kb-layouts
xattr: No such file: /Applications/QGIS.app/Contents/Resources/color-schemes
```

Here is what they point to:

```
color-schemes -> ./grass/qtermwidget/color-schemes
kb-layouts -> ./grass/qtermwidget/kb-layouts
```

Can you guys remove these two symlinks on Mac and see if that helps with notarization?
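
An added example, not part of the original thread or of QGIS's packaging scripts: a POSIX shell check that lists the symlinks in an app bundle whose destination is missing or resolves outside the bundle, the kind of link the `spctl` rejection and the `xattr` errors above point at. The function names and the `Sample.app` layout are constructed for illustration, and treating these two cases as the "invalid destination" condition is an assumption.

```shell
#!/bin/sh
# Added example: list symlinks in an app bundle that dangle or resolve outside it.

audit_bundle_symlinks() {
    # Physical (symlink-free) path of the bundle root.
    root=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 2
    findings=$(
        find "$root" -type l -print | while IFS= read -r link; do
            target=$(readlink "$link")
            rel=${link#"$root"/}
            if [ ! -e "$link" ]; then
                # Destination missing: what xattr reported as "No such file".
                printf 'DANGLING %s -> %s\n' "$rel" "$target"
                continue
            fi
            # Resolve the directory that holds the destination.
            if [ -d "$link" ]; then
                dest=$(cd -P -- "$link" && pwd -P)
            else
                case $target in
                    /*) dest=$(cd -P -- "$(dirname -- "$target")" && pwd -P) ;;
                    *)  dest=$(cd -P -- "$(dirname -- "$link")/$(dirname -- "$target")" && pwd -P) ;;
                esac
            fi
            case $dest/ in
                "$root"/*) ;;  # stays inside the bundle
                *) printf 'OUTSIDE %s -> %s\n' "$rel" "$target" ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample bundle reproducing the two links named in this thread.
make_sample_bundle() {
    res="$1/Sample.app/Contents/Resources"
    mkdir -p "$res/real" "$1/elsewhere"
    ln -s ./grass/qtermwidget/kb-layouts "$res/kb-layouts"       # dangling
    ln -s ./grass/qtermwidget/color-schemes "$res/color-schemes" # dangling
    ln -s ./real "$res/ok"                                       # valid, inside
    ln -s ../../../elsewhere "$res/escape"                       # leaves bundle
}

# Usage on a real install: audit_bundle_symlinks /Applications/QGIS.app
```

The function exits 0 when every link is clean and 1 when it prints findings, so it can gate a packaging step before signing. A `find ... -exec test ! -e {} \;` with no `-print` produces no output whether or not a link is broken, because an explicit `-exec` suppresses the implicit `-print`.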
