codesign
Provides code signing support. More...
| Since: | Qbs 1.19 |
Properties
- certificatePassword : string
- certificatePath : string
- codesignFlags : stringList
- codesignName : string
- codesignPath : string
- crossCertificatePath : string
- enableCodeSigning : bool
- hashAlgorithm : string
- keyAlias : string
- keyPassword : string
- keystorePassword : string
- keystorePath : string
- provisioningProfile : string
- provisioningProfilesPath : path
- rootSubjectName : string
- signingIdentity : string
- signingTimestamp : string
- signingType : string
- subjectName : string
- teamIdentifier : string
- timestampAlgorithm : string
- useApksigner : bool
Detailed Description
The codesign module contains properties and rules for code signing on Apple, Android, and Windows platforms.
The tool used to sign Windows artifacts (applications, libraries, and installers) depends on the host operating system:
- On Windows hosts, signing is performed with the
signtoolutility from the Windows SDK. The signing certificate may be selected from the Windows certificate store (via subjectName) or supplied as a PKCS#12 (PFX) file. - On non-Windows hosts, signing is performed with osslsigncode version 2.0 or later. By default it is located in the
PATH, but its location can be set explicitly via codesignPath. This makes it possible to sign a cross-compiled binary or an NSIS or Inno Setup installer that was built on Linux or macOS. The certificate must be supplied as a PKCS#12 (PFX) file. Available since Qbs 3.4.
Because the two backends are different tools, they do not accept the same set of properties. certificatePath, certificatePassword, hashAlgorithm, and signingTimestamp are honored by both signtool and osslsigncode. The subjectName, rootSubjectName, timestampAlgorithm, and crossCertificatePath properties apply to signtool only and are ignored by osslsigncode. To pass an option that has no dedicated property to the underlying tool, use codesignFlags.
Relevant File Tags
| Tag | Auto-tagged File Names | Since | Description |
|---|---|---|---|
"codesign.entitlements" | *.entitlements | 1.19.0 | Xcode entitlements |
"codesign.provisioningprofile" | *.mobileprovision, *.provisionprofile | 1.19.0 | Xcode provisioning profiles |
"codesign.signed_artifact" | n/a | 1.19.0 | This tag is attached to all signed artifacts such as applications or libraries |
Property Documentation
[since Qbs 1.19] certificatePassword : string |
Specifies the password to use when opening a signing certificate file (*.pfx).
This property is also used when signing with osslsigncode on non-Windows hosts.
Default: undefined
This property is specific to Windows.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] certificatePath : string |
Specifies the full path to the signing certificate file (*.pfx).
This property is also used when signing with osslsigncode on non-Windows hosts, where a PKCS#12 (PFX) certificate is required.
Default: undefined
This property is specific to Windows.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] codesignFlags : stringList |
Additional command-line flags passed to the underlying code signing tool (for example, codesign on Apple, or signtool and osslsigncode for Windows artifacts). Use this to set options that do not have a dedicated property.
Default: Undefined
This property was introduced in Qbs 1.19.
[since Qbs 1.19] codesignName : string |
The name of the codesign binary.
Default: Determined automatically
This property was introduced in Qbs 1.19.
[since Qbs 1.19] codesignPath : string |
Path to the codesign tool.
Default: Determined automatically
This property was introduced in Qbs 1.19.
[since Qbs 1.19] crossCertificatePath : string |
Specifies the full path to the additional certificate file (*.cer).
Default: undefined
This property is specific to Windows.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] enableCodeSigning : bool |
Whether to actually perform code signing.
Default: false
This property was introduced in Qbs 1.19.
[since Qbs 1.19] hashAlgorithm : string |
Specifies the default hash algorithm used on the signing certificate. The possible values are sha1, sha256, sha384, and sha512.
Note: Only available in Windows 10 kit builds 20236 and later.
Default: undefined
This property is specific to Windows.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] keyAlias : string |
The key alias.
Default: "androiddebugkey"
This property is specific to Android platforms.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] keyPassword : string |
The key password.
Default: "android"
This property is specific to Android platforms.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] keystorePassword : string |
The keystore password.
Default: "android"
This property is specific to Android platforms.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] keystorePath : string |
The absolute path to the keystore file.
Default: "${HOME}/.android/debug.keystore"
This property is specific to Android platforms.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] provisioningProfile : string |
Name or UUID of the provisioning profile to embed in the product. Typically this should be left blank to allow Qbs to use automatic provisioning.
Default: undefined
This property is specific to Apple platforms.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] provisioningProfilesPath : path |
Path to directory containing provisioning profiles installed on the system. This should not normally need to be changed.
Default: "~/Library/MobileDevice/Provisioning Profiles"
This property is specific to Apple platforms.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] rootSubjectName : string |
Specifies the name of the subject of the root certificate that the signing certificate must chain to. This value may be a substring of the entire subject name of the root certificate.
Default: undefined
This property is specific to Windows.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] signingIdentity : string |
Search string used to find the certificate to sign the product. This does not have to be a full certificate name like "Mac Developer: John Doe (XXXXXXXXXX)", and can instead be a partial string like "Mac Developer" or the certificate's SHA1 fingerprint. The search string should generally be one of the following:
- 3rd Party Mac Developer Application
- 3rd Party Mac Developer Installer
- Developer ID Application
- Developer ID Installer
- iPhone Developer
- iPhone Distribution
- Mac Developer
It is also possible to use the special "-" value to use the ad-hoc signing.
See Maintaining Your Signing Identities and Certificates for complete documentation on the existing certificate types. In general you should use signingType instead.
Default: Determined by signingType
This property is specific to Apple platforms.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] signingTimestamp : string |
URL of the timestamp authority RFC 3161 server to be contacted to authenticate code signing. undefined or empty indicates that a system-specific default should be used; "none" explicitly disables the use of timestamp services on Apple platforms.
Default: "none" on Apple, undefined otherwise
This property was introduced in Qbs 1.19.
[since Qbs 1.19] signingType : string |
Type of code signing to use. This should generally be used in preference to an explicit signing identity like "Mac Developer: John Doe (XXXXXXXXXX)" since it is not user specific and can be set in a project file. Possible values include: "app-store", "apple-id", "ad-hoc", which sign for the App Store or Mac App Store, Developer ID, and Ad-hoc code signing, respectively.
Relation between the signingType and signingIdentity
The following table shows how the signingIdentity's default value is calculated.
qbs.targetOS | codesign.signingType | qbs.buildVariant | codesign.signingIdentity |
|---|---|---|---|
"macos" | "ad-hoc" | any | "-" |
"app-store" | "debug", "profiling" | "Mac Developer" | |
"release" | "3rd Party Mac Developer Application" | ||
"apple-id" | any | "Developer ID Application" | |
"ios", "tvos", "watchos" | "app-store" | "debug", "profiling" | "iPhone Developer" |
"release" | "iPhone Distribution" |
Default: Determined automatically
This property is specific to Apple platforms.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] subjectName : string |
Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.
Default: undefined
This property is specific to Windows.
This property was introduced in Qbs 1.19.
[since Qbs 1.19] teamIdentifier : string |
Human readable name or 10-digit identifier of the Apple development team that the signing identity belongs to. This is used to disambiguate between multiple certificates of the same type in different teams. Typically this can be left blank if the development machine is only signed in to a single development team, and should be set in a profile otherwise.
Default: undefined
This property is specific to Apple platforms.
This property was introduced in Qbs 1.19.
[since Qbs 1.19.2] timestampAlgorithm : string |
Specifies the default timestamp algorithm used together with the signingTimestamp property. The possible values are sha1, sha256.
Note: If this value is not set, then the default sha1 algorithm will be used.
Default: undefined
This property is specific to Windows.
This property was introduced in Qbs 1.19.2.
[since Qbs 1.19] useApksigner : bool |
If true, the package is signed using apksignerFilePath binary. Set this property to false to use the jarsignerFilePath one. Set by the Android.sdk module.
Default: true
This property is specific to Android platforms.
This property was introduced in Qbs 1.19.
© 2022 The Qt Company Ltd. Documentation contributions included herein are the copyrights of their respective owners. The documentation provided herein is licensed under the terms of the GNU Free Documentation License version 1.3 as published by the Free Software Foundation. Qt and respective logos are trademarks of The Qt Company Ltd in Finland and/or other countries worldwide. All other trademarks are property of their respective owners.
