Let’s walk through how to track down the root cause of this permission error—it’s almost always tied to code signing issues, Gatekeeper restrictions, or incomplete app bundling when distributing Qt apps to other Macs. Here’s a step-by-step debugging plan:

1. Verify Your Code Signature Is Actually Valid #

Just because codesign didn’t throw an error doesn’t mean the signature is fully valid. Run these commands to inspect the signature details for your app/setup installer:

For your setup_MYAPP.app (from Process 1):

codesign -dv --verbose=4 setup_MYAPP.app

For your MYAPP.app (from Process 2):

codesign -dv --verbose=4 MYAPP.app

Look for these critical lines in the output:

• Valid on disk: YES
• Satisfies its Designated Requirement: YES
• Authority: Apple Distribution: Your Name/Organization (TEAMID)

If any of these are missing or show NO, your signature is invalid. Common issues here include:

• Mismatched bundle ID between your app and provisioning profile
• Expired provisioning profile
• Missing entitlements (e.g., if your app needs specific permissions like network access, check the Entitlements section in the output)

2. Check Nested Code Signatures (For Process 1) #

When using binarycreator to build an installer app, the nested MYAPP.app inside setup_MYAPP.app must also be properly signed. Run this to check:

codesign -dv --verbose=4 setup_MYAPP.app/Contents/MacOS/MYAPP.app

If this nested app isn’t signed, Gatekeeper will block the entire installer. You’ll need to sign MYAPP.app first before packaging it with binarycreator.

3. Validate Framework Signatures (For Process 2) #

macdeployqt bundles Qt frameworks into your app, but if these frameworks aren’t signed correctly, the entire app’s signature will fail. Check each framework:

codesign -dv --verbose=4 MYAPP.app/Contents/Frameworks/*.framework

All frameworks should show the same valid signature details as your main app. If any are unsigned, re-run macdeployqt with the -codesign flag to ensure it signs all bundled components.

4. Test Gatekeeper Compliance #

macOS’s Gatekeeper blocks apps that aren’t notarized (even if signed). Run this command on your dmg/app to see if it passes Gatekeeper checks:

spctl --assess -v MYAPP.dmg
# Or for the app directly:
spctl --assess -v MYAPP.app

If the output says rejected or invalid, your app needs to be notarized by Apple. Here’s how to fix that:

1. Submit your dmg for notarization:

   xcrun altool --notarize-app --primary-bundle-id "com.yourcompany.MYAPP" --username "your-apple-id@example.com" --password "your-app-specific-password" --file MYAPP.dmg
   

2. Check the notarization status using the Request UUID returned:

   xcrun altool --notarization-info <RequestUUID> --username "your-apple-id@example.com" --password "your-app-specific-password"
   

3. Once approved, staple the notarization ticket to your dmg:

   xcrun stapler staple MYAPP.dmg
   

5. Inspect File Permissions #

Incorrect file permissions inside the .app bundle can also cause permission errors. Run this to check:

ls -lR MYAPP.app | grep -E "(^-|^d)"

Ensure the main executable (in MYAPP.app/Contents/MacOS/) has the executable permission (-rwxr-xr-x). If not, fix it with:

chmod +x MYAPP.app/Contents/MacOS/MYAPP

6. Check Console Logs for Detailed Errors #

The generic "no permission" message hides specific details. On the test MacBook, open the Console app, search for MYAPP, and look for logs tagged with codesign or Gatekeeper. These logs will tell you exactly why the app was blocked (e.g., "code signature invalid", "missing entitlement", "unnotarized app").

7. Test Deployment Workflow Edge Cases #

• Right-click vs Double-click: Sometimes double-clicking triggers stricter Gatekeeper checks—ask your testers to try right-clicking the app and selecting "Open".
• System Version Compatibility: Ensure the test MacBook is running a macOS version supported by your Qt build (check Qt’s documentation for compatibility). Older versions might have different signature requirements.

Final Notes for Your Two Processes #

Process 1 (binarycreator) #

• Sign MYAPP.app first before running binarycreator
• Sign the resulting setup_MYAPP.app
• Notarize and staple the final .dmg

Process 2 (macdeployqt) #

• Ensure macdeployqt is using the correct Qt version (match your build environment)
• The -appstore-compliant flag adds strict entitlements—make sure your app doesn’t require any additional entitlements not included here
• Always notarize the final .dmg after generation

内容的提问来源于stack exchange，提问作者parvus