Code Signing Error

[somehitDev]

Describe the bug

I'm using macbook pro 13inch(M1) with sonoma.

When using QtWebEngineCore with briefcase, code signing failed.
I fixed manually line 538 of brieacase/platforms/macOS/__init__.py like below, and worked fine.

I think we need additional option for --deep or just add into process_command.

Steps to reproduce

1. run build command

briefcase dev

2. raise exception(copy all log into logs section)

Expected behavior

build complete and no other exceptions

Screenshots

No response

Environment

• Operating System: Mac M1(Sonoma)
• Python version: Python 3.11
• Software versions:
  • Briefcase: 0.3.19
  • PySide6: 6.7.2

Logs

│ /Volumes/Dev/04_study_test/01_TEST/python/pyside6_webview_svelte/env/lib/python3.11/site-packages/briefcase/platforms/macOS/__init__.py:573 in sign_file                         │
│                                                                                                                                                                                  │
│    570 │   │   │   │   )                                                                                                                                                         │
│    571 │   │   │   │   return                                                                                                                                                    │
│    572 │   │   │   else:                                                                                                                                                         │
│ ❱  573 │   │   │   │   raise BriefcaseCommandError(f"Unable to code sign {path}.")                                                                                               │
│    574 │                                                                                                                                                                         │
│    575 │   def sign_app(self, app: AppConfig, identity: SigningIdentity):                                                                                                        │
│    576 │   │   """Sign an entire app with a specific identity.                                                                                                                   │
│                                                                                                                                                                                  │
│ ╭─────────────────────────────────────────────────────────────────────────────────── locals ───────────────────────────────────────────────────────────────────────────────────╮ │
│ │    entitlements = PosixPath('/Volumes/Dev/00_ongoing/SHLEE/templates/pyside6-svelte-template/build/pyside6-svelte-template/macos/app/Entitlements.plist')                    │ │
│ │          errors = '/Volumes/Dev/00_ongoing/SHLEE/templates/pyside6-svelte-template/build/pyside6-sv'+715                                                                     │ │
│ │        identity = <AdhocSigningIdentity>                                                                                                                                     │ │
│ │         options = None                                                                                                                                                       │ │
│ │            path = PosixPath('/Volumes/Dev/00_ongoing/SHLEE/templates/pyside6-svelte-template/build/pyside6-svelte-template/macos/app/PySide6 Webview                         │ │
│ │                   Template.app/Contents/Resources/app_packages/PySide6/Qt/lib/QtWebEngineCore.framework/Versions/A/QtWebEngineCore')                                         │ │
│ │ process_command = [                                                                                                                                                          │ │
│ │                   │   'codesign',                                                                                                                                            │ │
│ │                   │   PosixPath('/Volumes/Dev/00_ongoing/SHLEE/templates/pyside6-svelte-template/build/pyside6-svelte-template/macos/app/PySide6 Webview                     │ │
│ │                   Template.app/Contents/Resources/app_packages/PySide6/Qt/lib/QtWebEngineCore.framework/Versions/A/QtWebEngineCore'),                                        │ │
│ │                   │   '--sign',                                                                                                                                              │ │
│ │                   │   '-',                                                                                                                                                   │ │
│ │                   │   '--force',                                                                                                                                             │ │
│ │                   │   '--entitlements',                                                                                                                                      │ │
│ │                   │   PosixPath('/Volumes/Dev/00_ongoing/SHLEE/templates/pyside6-svelte-template/build/pyside6-svelte-template/macos/app/Entitlements.plist')                │ │
│ │                   ]                                                                                                                                                          │ │
│ │            self = <briefcase.platforms.macOS.app.macOSAppBuildCommand object at 0x106362190>                                                                                 │ │
│ ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
BriefcaseCommandError: Unable to code sign /Volumes/Dev/00_ongoing/SHLEE/templates/pyside6-svelte-template/build/pyside6-svelte-template/macos/app/PySide6 Webview Template.app/Contents/Resources/app_packages/PySide6/Qt/lib/QtWebEngineCore.framework/Versions/A/QtWebEngineCore.

Additional context

No response

[rmartin16]

I was able to reproduce this error. Be sure that PySide-Addons is being packaged.

briefcase.2024_06_30-10_13_00.package.log

[freakboy3742]

Regarding the specific suggestion: Briefcase had support for the --deep option; however, that option is officially deprecated by macOS, so it was removed recently (see #1221).

It would be interesting to see if moving the frameworks from the Resources folder to the Frameworks folder (which is where Frameworks should live) resolves the issue. If it does, a macOS processing step that moves frameworks wouldn't be too difficult to add.

Another possibility is to explicitly not sign Frameworks (on the basis that they should already be signed by the original distributor).

[somehitDev]

I was able to reproduce this error. Be sure that PySide-Addons is being packaged.

briefcase.2024_06_30-10_13_00.package.log

I added full requirements in pyproject.toml like below,

and check PySide6-Addons, PySide6-Esentials in app_packages directory,

I think all fine, but same result.
Is anything wrong from my configures?

[rmartin16]

Is anything wrong from my configures?

That's the correct configuration. I only mentioned PySide-Addons since it isn't installed, by default, when Briefcase creates a PySide app but it must be installed to recreate the error.

[freakboy3742]

The issue appears to be related to the order of signing.

Inside the PySide6 package is an embedded framework named QtWebEngineCore.framework. It contains 5 signable files; in the current code, they are signed in this order:

Versions/A/QtWebEngineCore
Versions/A/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
Versions/A/Helpers/QtWebEngineProcess.app
Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
Helpers/QtWebEngineProcess.app

If you sign in this order, you get the error:

In subcomponent: <redacted>/QtWebEngineCore.framework/Versions/A/Helpers/QtWebEngineProcess.app

However, if you sign QtWebEngine Core last:

Versions/A/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
Versions/A/Helpers/QtWebEngineProcess.app
Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
Helpers/QtWebEngineProcess.app
Versions/A/QtWebEngineCore

The signing process succeeds.

It appears this is the only part of the Qt library that has this problem - if you manually do this signing sequence, then re-build (which re-signs everything), the signing of the app succeeds.

Signing is currently done by grouping on the parent directory after sorting in reverse order, then signing everything in that directory in parallel. However, because the file name QtWebEngineCore sorts lexically after the folder Helpers, the file is signed before all the sub folders. We need to modify this sort order so that all the subfolders in a directory are signed before any file in that directory is signed.

[somehitDev]

it solved!

• remove dist-info
• rerun with dev
• and build success with code-sign

thx, all of your help!