macOS ARM64 DMG Build & Notarization — Fixed Workflow
After a lot of trial and error, here is the working process to build, sign, notarize and distribute QElectroTech as a proper macOS DMG for Apple Silicon (arm64).
Problems encountered
1. Gatekeeper blocking the app when downloaded via Chrome
The original script used ditto --sequesterRsrc to create the final ZIP. This flag places resource forks in a hidden __MACOSX/ folder, which breaks extended-attribute extraction in Chrome / Archive Utility and causes Gatekeeper to block the app with "Apple could not verify that this app is free of malware". Safari worked fine because it handles ZIP extraction differently.
2. All MacPorts dylibs were unsigned
macdeployqt copies third-party libraries (libsqlite3, libpng, libssl, libharfbuzz, etc.) from MacPorts into Contents/Frameworks/ without signing them. Using codesign --deep (now deprecated) missed these flat .dylib files. Apple's notarization service rejected the submission with "The binary is not signed with a valid Developer ID certificate" for every single one of them.
Fix: sign every binary explicitly in the correct order — all .dylib files in Frameworks/ first, then .framework bundles, then plugins, then the main executable, and finally the bundle itself.
3. hdiutil invalidating the bundle signature during DMG creation
After the .app was correctly signed and notarized, creating a DMG with hdiutil create copies the bundle and recalculates checksums, which invalidates the Sealed Resources signature. Submitting this DMG to notarytool resulted in "The signature of the binary is invalid".
Fix: create a writable DMG (UDRW format), mount it, re-sign all binaries inside the mounted volume, detach it, then convert to the final compressed read-only DMG (UDZO). This ensures the signature is valid after the conversion.
Final workflow
1. Build with qmake + macdeployqt
2. Copy elements, titleblocks, translations, fonts, lang, examples into the bundle
3. Sign all binaries (dylibs → frameworks → plugins → executable → bundle)
4. Submit a temporary ZIP to notarytool → wait for Apple approval
5. Staple the notarization ticket onto the .app
6. Create a staging folder with the .app + a symlink to /Applications
7. Create a writable UDRW DMG from the staging folder
8. Mount the UDRW DMG and re-sign all binaries inside
9. Detach and convert UDRW → UDZO (final compressed DMG)
10. Sign the DMG with codesign
11. Submit the DMG to notarytool → staple the ticket onto the DMG
12. Verify: spctl -a -vv → "accepted / Notarized Developer ID"
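As an added example (not the author's script), here is a minimal shell version of step 3 and steps 7 to 12 of the workflow above; SIGN_ID, NOTARY_PROFILE and the hardened-runtime option are assumptions not in the original post.

```shell
#!/bin/sh
# Added example (not the post's script). Assumes SIGN_ID (a Developer ID Application
# identity) and NOTARY_PROFILE (a notarytool keychain profile) are exported by the
# caller; --options runtime (hardened runtime) is added because notarization needs it.
set -eu

# List signable bundle contents as paths relative to the .app, one per line.
list_bundle() {
  ( cd "$1" \
    && find Contents/Frameworks -maxdepth 1 \( -name '*.dylib' -o -name '*.framework' \) \
    && find Contents/PlugIns -type f -name '*.dylib' \
    && find Contents/MacOS -type f )
}
# Order stdin paths as the post requires: dylibs -> frameworks -> plugins ->
# executable -> bundle itself ($1, the absolute .app path, is printed last).
sign_order() {
  local bundle="$1"
  while IFS= read -r p; do
    case "$p" in
      */Frameworks/*.dylib)     rank=1 ;;
      */Frameworks/*.framework) rank=2 ;;
      */PlugIns/*)              rank=3 ;;
      */MacOS/*)                rank=4 ;;
      *) continue ;;   # plain resources are covered by the bundle seal
    esac
    printf '%d\t%s/%s\n' "$rank" "$bundle" "$p"
  done | sort -sn | cut -f2-
  printf '%s\n' "$bundle"
}
# Sign every binary explicitly, innermost first; no --deep.
sign_all() {
  list_bundle "$1" | sign_order "$1" | while IFS= read -r p; do
    codesign --force --timestamp --options runtime --sign "$SIGN_ID" "$p"
  done
}
# Steps 7-12: UDRW image -> re-sign inside the mounted volume -> UDZO -> sign, notarize, staple, verify.
build_dmg() {  # $1 staging dir (.app + Applications symlink), $2 volume name, $3 output .dmg
  local rw="$3.rw.dmg" mnt; mnt=$(mktemp -d)
  hdiutil create -srcfolder "$1" -volname "$2" -format UDRW -ov "$rw"
  hdiutil attach "$rw" -mountpoint "$mnt" -nobrowse
  for app in "$mnt"/*.app; do sign_all "$app"; done
  hdiutil detach "$mnt"
  hdiutil convert "$rw" -format UDZO -ov -o "$3" && rm -f "$rw"
  codesign --force --timestamp --sign "$SIGN_ID" "$3"
  xcrun notarytool submit "$3" --keychain-profile "$NOTARY_PROFILE" --wait
  xcrun stapler staple "$3"
  spctl -a -vv -t open --context context:primary-signature "$3"
}
```

Call it as build_dmg /path/to/staging "QElectroTech" /path/to/QElectroTech-arm64.dmg after the .app in the staging folder has been signed, notarized and stapled (steps 3 to 6).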
Result
The DMG now passes Gatekeeper correctly whether downloaded via Chrome or Safari. It includes a drag-and-drop Applications shortcut and is fully notarized and stapled.
Enjoy!