MacOs executable signed incorrectly

[gabefair]

qBittorrent & operating system versions

qBittorrent version: 4.5.2 (64-bit) OS: Mac Ventana 13.2.1 (22D68) Arch: Apple Silicon M2

What is the problem?

When I run qbittorrent I'm getting an error about a incorrectly signed certificate. I searched the closed tickets and didn't see this mentioned

Steps to reproduce

Download Software Install on Mac

Additional context

Warning Message: "The code signature of the process has a formal error. This probably indicates that somebody is trying to pretend a valid code signature, or that the developer used inappropriate, non-standard tools to create the signature."

Log(s) & preferences file(s)

SHAsum 256: ff45669f6baeb0f3afd7945f06ffdd32b8081d640746b63013d3ae6656521e8d

[sledgehammer999]

I have been self-signing the last few releases as a method to fix issues like https://github.com/qbittorrent/qBittorrent/issues/16728

I hadn't encountered the message you show above. But again, I am not a frequent macOS user either.

PS: I am not going to give money for proper codesigning certificate for macOS.

[ghost]

@sledgehammer999 I don't think many non-developers can understand the connection between having to pay for a codesigning certificate and this popup.

There are at least two "issues" related to this behavior on macOS that are now Open. It seems someone could just put something in the FAQ for new macOS users to educate and avoid more? Maybe it's there already I didn't check.

PS: That notification looks like it comes from the third party application, Little Snitch.

@gabefair Here is the same "issue" on these forums. Essentially Apple is telling you any application where its developer hasn't paid for an Apple Developer Certificate, and signed their software using that certificate, should be allowed only if you trust it - it's on you not Apple to know it's safe.

[ackerthehacker2]

I have a script called "mysign" that does the self signing stuff ...

sudo xattr -cr "$1" sudo xattr -dr com.apple.quarantine "$1" sudo codesign --force --deep --sign - "$1"

[ackerthehacker2]

@sledgehammer999 - I have an Apple Developer Certificate ...maybe we can talk offline ...

[sledgehammer999]

@ackerthehacker2 send me an email to sledgehammer999 (at) qbittorrent (dot) org

[manishbajpai]

I don't know how to upvote or sponsor this issue but as a mac user, I support the idea to get the app signed properly. It addresses one worry in this crazy world where security is always a nightmare.

[luzpaz]

Would be great to sort this out before the next release

[luzpaz]

missing project management tag

[ciaplant]

I am willing to buy an apple dev license if we can get this sorted

[globart]

@sledgehammer999 have you connected with some of the guys from here regarding developer certificate/license, so the app can be properly signed? Because recently MDM policy on my work laptop was tightened to not allow apps without a cert to run, so I had to resort to installing it through MacPorts for it to work again

[MentalPower]

I have plenty of working knowledge on how to setup a secure signing infrastructure for this project if @sledgehammer999 is interested.

[sledgehammer999]

@MentalPower can you do the same as in https://github.com/qbittorrent/qBittorrent/issues/18847#issuecomment-1548762193 ?

[globart]

In the mean time, I've found that I can do xattr -c path/to/app, and after this I can successfully use the app. Another solution, although harder and longer one, is to compile the app yourself, that way xattr won't be required