I'm trying to distribute my PyInstaller-bundled application to other Mac users outside the app store in a manner in which they don't need to have admin access to allow the application to run. This, of course, requires code signing. Very good instructions for this are given on https://github.com/pyinstaller/pyinstaller/wiki/Recipe-OSX-Code-Signing.
However, per https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution, "Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run. Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized." To get notarized, per https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution, one must "Enable the Hardened Runtime capability for your app and command line targets." This would mean that instead of doing `codesign --deep -s "Code Signing Test" MyAppName.app`, one would have to do `codesign --deep -o runtime -s "Code Signing Test" MyAppName.app`. Here comes the problem. For some Python codes, this works fine, but for other, it doesn't allow the PyInstaller-generated bundle to run. At least in one example script, I was able to isolate the difference that caused this discrepancy to importing NumPy. At the bottom of this email is the Python script test.py which shows a simple PySide2-enabled GUI. With the `import numpy as np` line commented out, code signing with Hardened Runtime allows the PyInstaller-bundled application to run. After uncommenting the line, running the app generates the following error: ``` $ ./MyAppName.app/Contents/MacOS/MyAppName Traceback (most recent call last): File "PyInstaller/loader/pyiboot01_bootstrap.py", line 122, in <module> File "<frozen importlib._bootstrap>", line 983, in _find_and_load File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 677, in _load_unlocked File "/Users/edbraun/Documents/xslide-git-repos/xslide-desktop/release/release_venv/lib/python3.7/site-packages/PyInstaller/loader/pyimod03_importers.py", line 493, in exec_module File "ctypes/__init__.py", line 551, in <module> File "ctypes/__init__.py", line 273, in _reset_cache MemoryError [3273] Failed to execute script pyiboot01_bootstrap ``` I figured that an entitlement might be needed as per https://developer.apple.com/documentation/security/hardened_runtime, so I tried adding to Info.plist a few of the entitlements listed (e.g., com.apple.security.cs.allow-unsigned-executable-memory), and I tried signing with `codesign --deep -o runtime --entitlements MyAppName.app/Contents/Info.plist -s "Code Signing Test" MyAppName.app`. The stack trace shown above no longer appears, but launching the application immediately results in `zsh: killed` being shown to the terminal, and the app doesn't launch. (This occurs regardless of any edits to the Info.plist file.) Does anyone have any other ideas for how to code sign the PyInstaller-bundled application with Hardened Runtime in a way that will allow the NumPy application to run? I'm using PyInstaller 4.1, Python 3.7.10, macOS Catalina 10.15.7, PySide2 5.15.2, and NumPy 1.19.4. I generate the PyInstaller-bundled application with `pyinstaller --name="MyAppName" --windowed test.py`. test.py is below: ``` import sys #import numpy as np from PySide2.QtWidgets import * class MainWindow(QMainWindow): def __init__(self, *args, **kwargs): super(MainWindow, self).__init__(*args, **kwargs) self.setWindowTitle("My Awesome App") label = QLabel("This is a PySide2 window!") self.setCentralWidget(label) app = QApplication(sys.argv) window = MainWindow() window.show() app.exec_() ``` -- You received this message because you are subscribed to the Google Groups "PyInstaller" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/pyinstaller/91edec0c-2717-4781-abe6-8676d0a48965n%40googlegroups.com.
