
I developed a Mac application using Qt5, so outside Xcode. I want GateKeeper to allow my application to run on customers' computers instead of issuing the warning “cannot be opened because the identity of the developer cannot be confirmed”.



$ codesign --verify --deep --verbose=2 MyApp.app


MyApp.app: valid on disk
MyApp.app: satisfies its Designated Requirement


$ codesign -v --verbose=4 --display MyApp.app

Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=12461 flags=0x0(none) hashes=616+3 location=embedded
Hash type=sha1 size=20
Signature size=8532
Authority=Developer ID Application: XXXXX
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=29 jul. 2015 12;04:40
Info.plist entries=8
Sealed Resources version=2 rules=12 files=10
Internal requirements count=1 size=180



$ spctl -a -t exec -vv MyApp.app


MyApp.app: accepted
source=Developer ID
origin=Developer ID Application: XXXX



$ ./check-signature /Users/xxx/trunk/yyy/release/MyApp.app


I think I have found the problem. I don't know whether this is a feature or a bug of OSX. I was helped a lot by stackoverflow question 19551298.




If the extended attribute is removed (xattr -d), the application runs, signed or not.


Based on the Apple Support Documentation, I expected GateKeeper to behave better when double-clicking a downloaded application (perhaps the documentation is outdated, or I misread it):

> If the application is not signed: a MessageBox with a single OK button and the text “Unidentified developer etc ..”.



I finally solved my problem. Credit first: (i) the answer to my other stackoverflow question was very helpful, and (ii) by submitting a so-called Technical Support Incident (TSI) I got very good (paid) advice from official Apple developer support.


Goal: After having developed a Mac app outside Xcode, to have GateKeeper issue the warning “Downloaded from the Internet …” with three buttons, one of which is “open”.

Failure: When GateKeeper issues a warning with either the text “.. unidentified developer..” or the text “.. unconfirmed developer .. ” with – in both cases – a messageBox with a single OK button.


1. Make your app standalone with no unacceptable external dependencies. The only acceptable external dependences are system libraries. All other dependencies should have been copied to your MyApp.app folder. GateKeeper rejects any app that has non-system external dependencies.
2. Binaries should not be located at illegal positions inside the MyApp.app folder. Libraries go into MyApp/Contents/Frameworks and the executable goes into MyApp/Contents/MacOS.
3. All binaries inside MyApp should be digitally signed. Then the MyApp.app folder should be signed. For this signing an Apple “Developer ID Application …” certificate is necessary.

Our recipe is automated. All the work is done by a script. In the case of Qt Creator we use a qmake script, in which we access the system shell via the $$system command. When using any of the (Xcode) system commands codesign, spctl or check-signature, we assume that you have redirected stderr to stdout, as shown in the answer to question. Otherwise you will not be able to capture the system response when running these utilities. Below we will not show the redirection explicitly.


A. Making the app stand-alone:

1. copy (with a script) all the needed binaries to the MyApp.app folder
2. run (with a script) install_name_tool -change and install_name_tool -id such that all dependences inside the app are of the relative type @executable_path/../MacOS.. or @executable_path/../Frameworks
3. run (with a script) otool -L on all binaries inside the MyApp.app folder and flag any illegal dependence, like “@rpath…” or absolute file paths not being system paths. Note that otool -L is not guaranteed to find all dependencies. Plugins are often beyond the horizon of otool. That is why you need the next check.
4. start a terminal at the location “MyApp.app/Contents/MacOS”. Run export DYLD_PRINT_LIBRARIES=1. Then run inside the same terminal window ./MyApp. Your terminal will fill up with over a hundred loaded libraries. Check this list again for forbidden libraries (libraries present on your computer, but not on the computer of your customers).
5. proof of the pudding is in the eating. We use the 07002 and check whether or not our app runs there. An alternative solution could be the Mac of a relative who is not a developer. Or you could also create a new user (“test”) on your own Mac and copy the app to its Download (or Desktop folder, or …). In the latter case you must temporarily rename the root folder of your IDE as otherwise the user “test” will find the missing binaries there.

B Signing the app

1. Signing: With our script we run codesign --force --verify --verbose --sign \"Developer ID Application: ....\" \"/path/to/binary\" on all the binaries in the app and then on the app folder itself. In each case the system response is caught. It should contain in each case the string “signed Mach-O thin”.
2. Verification: Run (with a script) the command codesign --verify --verbose \"/path/to/binary\" on each binary in your app and on the app itself and catch the system response. It should in each case contain the strings “valid on disk” and “satisfies its Designated Requirement”.
3. GateKeeper check: Run (with a script) spctl -a -t exec -vv \"/path/to/binary\" on each binary and on the app folder itself. The system response is caught. It should contain in all cases the string “accepted source”.
4. check-signature: Run (with a script) check-signature \"/path/to/binary\" on each binary and on the app folder itself. The system response is caught. It should contain the string “YES” in each case.

C External check


1. zip your app into a single zip file. Upload it to one of your cloud servers.
2. GateKeeper keeps a long list (typically hundreds of items) of exceptions to its general gate-keeper role. Your app must not be in that list if you want to test GateKeeper. Rather than editing this list, a much simpler trick is creating a new user on your Mac. Log in as that user and download the zip file from the Internet cloud server. Finder will automatically uncompress it. Click on it. If GateKeeper tells you that it can open the application but warns you at the same time that it was downloaded from the Internet, it is time to grab a (white) beer.



I did a lot of installing and signing without explicitly checking the result for each binary. Afterwards I used otool -L on some binaries, but not all. I missed that libqminimal.dylib, when upgraded from an earlier Qt version to Qt 5.5, had gained an extra dependency, namely QtDBus. I did not notice, but GateKeeper did.
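The otool -L check of step A above, which is exactly what would have caught the stray QtDBus dependency, can be scripted. This is an added example and not the answer's own qmake script; the otool output it runs against is constructed, not captured from a real bundle, and the system-path prefixes are the ones the step names (/usr/lib, /System/Library) plus the two @executable_path forms.

```sh
#!/bin/sh
# Added example, not from the original answer: classify the dependencies that
# `otool -L <binary>` reports, using the rules of step A above (only system
# libraries or @executable_path-relative paths are acceptable to GateKeeper).

# Return 0 if one dependency path is acceptable, 1 otherwise.
dep_is_allowed() {
    case "$1" in
        /usr/lib/*|/System/Library/*) return 0 ;;   # system libraries
        @executable_path/../MacOS/*|@executable_path/../Frameworks/*) return 0 ;;
        *) return 1 ;;   # @rpath, @loader_path, absolute non-system paths, ...
    esac
}

# Read otool -L output on stdin and print one offending path per line.
# The first line of otool -L output names the binary itself and is skipped.
flag_illegal_deps() {
    sed -n '2,$p' | awk '{print $1}' | while IFS= read -r dep; do
        dep_is_allowed "$dep" || printf '%s\n' "$dep"
    done
}

# Constructed sample of otool -L output (not captured from a real bundle);
# the @rpath and the absolute Qt path are the kind of mistake step A catches.
SAMPLE_OTOOL_OUTPUT='MyApp.app/Contents/MacOS/MyApp:
    @executable_path/../Frameworks/QtCore.framework/Versions/5/QtCore (compatibility version 5.5.0, current version 5.5.0)
    @rpath/QtDBus.framework/Versions/5/QtDBus (compatibility version 5.5.0, current version 5.5.0)
    /Users/dev/Qt/5.5/clang_64/lib/QtGui.framework/Versions/5/QtGui (compatibility version 5.5.0, current version 5.5.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
    /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 22.0.0)'

# Number of offending dependencies in the constructed sample.
count_sample_illegal_deps() {
    printf '%s\n' "$SAMPLE_OTOOL_OUTPUT" | flag_illegal_deps | wc -l | tr -d ' '
}

# Driver: with a bundle path as $1 and otool available, check every file under
# Contents/MacOS and Contents/Frameworks; otherwise show the constructed sample.
if [ -n "${1:-}" ] && command -v otool >/dev/null 2>&1; then
    find "$1/Contents/MacOS" "$1/Contents/Frameworks" -type f 2>/dev/null |
    while IFS= read -r bin; do
        otool -L "$bin" 2>/dev/null | flag_illegal_deps | sed "s|^|$bin: |"
    done
else
    printf '%s\n' "$SAMPLE_OTOOL_OUTPUT" | flag_illegal_deps
fi
```

Run as `sh check-deps.sh MyApp.app` on the Mac where the bundle was built; any line it prints is a dependency that install_name_tool has not yet rewritten and that GateKeeper will reject on a customer's machine.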


