macOS
Alexey Matal, 2019-05-24 21:25:10

How to properly sign .app and dmg for macOS?

Hello!
There is a cross-platform application written in Qt (5.9.6); it works on Win, Mac and Ubuntu.
On Mac, the application is built using Qt tools (no Xcode).
The application uses a 3rd-party ffmpeg library (we do not compile it ourselves, we take a ready-made build: https://ffmpeg.org/download.html#build-mac).
At the initial stage, the application is supposed to be distributed through a dmg image, and later through the App Store.
The dmg image is built with hdiutil (not with macdeployqt).
We are trying to sign the .app file and dmg image with certificates from the Apple Developer Program, in particular:

  • macOS -> Production -> Developer ID (Sign versions of your Mac application, Mac kernel extension and Mac Installer Package for distribution outside of the Mac App Store) -> Developer ID Installer: This certificate is used to sign your app's Installer Package for distribution outside of the Mac App Store.
  • macOS -> Production -> Developer ID (Sign versions of your Mac application, Mac kernel extension and Mac Installer Package for distribution outside of the Mac App Store) -> Developer ID Application: This certificate is used to code sign your app for distribution outside of the Mac App Store.

As far as I understand, these are the certificates for our case, distribution outside the AppStore. (but others have tried it from the developer console)
All certificates are correctly installed in the system and are visible in "Keychain".
We sign manually, via codesign.
If you sign the Application.app file directly, codesign replies "code object is not signed at all". Naturally, the application is not considered signed.
Then we found out that it is necessary to sign all files inside the package (https://habr.com/ru/company/istodo/blog/215971/).
We began signing all files until codesign on the app stopped giving an error, something like this:

codesign -s 9509FE0B2EBCC89D9047541AC762418395FCB40E Application.app
Application.app/: code object is not signed at all
codesign -s 9509FE0B2EBCC89D9047541AC762418395FCB40E Application.app/Contents/Frameworks/libavcodec.58.dylib
# sign ffmpeg too, otherwise "code object is not signed at all"
codesign -s 9509FE0B2EBCC89D9047541AC762418395FCB40E Application.app/Contents/Frameworks/QtCore.framework
# sign Qt too
...
codesign -s 9509FE0B2EBCC89D9047541AC762418395FCB40E Application.app
Ok.

Then, when codesign seems to stop complaining about an incompletely signed package, we launch Application.app on our machine and everything is OK.
We launch it on another Mac, and the result when opening the Application.app file is: "The Application.app program is damaged and cannot be opened. Move the program to the trash." It refuses to start even through the "hack" for untrusted applications (via Command); apparently it really is corrupted...
An incompletely signed application runs fine on another Mac (but complains about an untrusted developer).
  • Please tell me how to properly sign .app and dmg for macOS?
  • How to properly sign .app with 3rd-party libraries?
  • Can you immediately choose another type of distribution, for example, not dmg, but pkg?
  • How can I debug a package error?

Thank you!


2 answer(s)
Jacob E, 2019-05-25
@Zifix

And what is the output if you run the program through the console, directly via the binary inside the .app?
It is probably worth trying to package it as a pkg. And show which types of certificates are still offered.

elbrus56, 2019-06-21
@elbrus56

Try Packages - s.sudre.free.fr/Software/Packages/about.html
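
The signing order the question arrives at by trial and error, as an added example that is not part of the original thread: nested libraries, frameworks and helper apps are signed before the bundle that contains them, the outer .app is signed last, and the result is checked with codesign and spctl. The identity string and the sample bundle layout are constructed placeholders; the script only prints the commands unless RUN=1 is set on a Mac.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Dry run by default; RUN=1 signs (macOS only).
# IDENTITY is a placeholder: pass your own "Developer ID Application: ..." name or hash.
IDENTITY="${IDENTITY:-Developer ID Application: PLACEHOLDER}"

# Nested code inside the bundle. -depth lists a directory's contents before the
# directory itself, so a helper inside a framework precedes that framework.
nested_code() {
  find "$1/Contents" -depth \( -name '*.dylib' -o -name '*.framework' \
       -o -name '*.app' -o -name '*.bundle' \) -print
}

# One codesign call per nested item, then the outer .app last.
sign_plan() {
  { nested_code "$1"; printf '%s\n' "$1"; } | while IFS= read -r item; do
    if [ "${RUN:-0}" = 1 ]; then
      codesign --force --timestamp --sign "$IDENTITY" "$item" || exit 1
    else
      printf 'codesign --force --timestamp --sign "%s" "%s"\n' "$IDENTITY" "$item"
    fi
  done
}

# Checks to run after signing, and again on the second Mac after copying.
verify_cmds() {
  printf 'codesign --verify --deep --strict --verbose=2 "%s"\n' "$1"
  printf 'spctl --assess --type execute --verbose=4 "%s"\n' "$1"
}

# Constructed sample layout (empty files) so the plan can be inspected anywhere.
make_sample_bundle() {
  c="$1/Application.app/Contents"
  mkdir -p "$c/MacOS" "$c/PlugIns/platforms" \
    "$c/Frameworks/QtCore.framework/Versions/5" \
    "$c/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS"
  touch "$c/MacOS/Application" "$c/Frameworks/libavcodec.58.dylib" \
    "$c/Frameworks/QtCore.framework/Versions/5/QtCore" \
    "$c/PlugIns/platforms/libqcocoa.dylib"
  printf '%s\n' "$1/Application.app"
}

# With no argument, print the plan for the constructed sample bundle.
app="${1:-$(make_sample_bundle "$(mktemp -d)")}"
sign_plan "$app"
verify_cmds "$app"
```

If `codesign --verify --deep --strict` passes on the build machine but fails on the copy, compare how the bundle was transferred: the checks are the same on both machines, so a difference points at the copy step rather than the signing step.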
