> On 28 Oct 2018, at 19:20, Glyph <gl...@twistedmatrix.com> wrote: > > > >>> >>> Curiously, this is the same traceback that comes from >>> https://forum.kodi.tv/showthread.php?tid=329171 >>> <https://forum.kodi.tv/showthread.php?tid=329171>, which suggests it's >>> something fundamental to strict shared-library sandboxing that ctypes trips >>> over when trying to initialize itself. >>> >>> Does anyone have experience with this, or ideas about what to do? >> >> I’m afraid not. I currently get away with not signing apps at all, although >> properly supporting signing is on my way too long wish list for py2app. > > The ability to distribute unsigned apps is not-so-slowly going away; even the > ability to distribute non-notarized apps has a very limited shelf-life at > this point. So this ought to be an alarming development for everyone - > having Python apps effectively banned from macOS distribution is a big > potential problem :-\.
Yup. That’s something that worries me as well, and not just for Python apps. Not being able to run your own code without paying Apple for the privilege is not something I look forward to. I’m still hoping that the option to run unsigned code doesn’t go away. > > The good news here is that aside from having to write a little for loop in > shell (shown below) getting the app codesigned previously was easy, and my > app *did* pass notarization, so nothing that py2app is doing is breaking > things on apple's end. It's just a matter of a ctypes bug. > > As I see it, there's 2 problems here: > > py2app's __boot__.py should fail more gracefully if initializing ctypes > doesn't work, since not everybody needs ctypes. Shall I file this on the > tracker? Yes please. I’d prefer a solution that doesn’t involve ignoring errors, but that’s probably the easiest fix for now. What’s the exception you’re getting? Tweaking the code in py2app/bootstrap/ctypes_setup.py to ignore that exception would be trivial. > ctypes itself should address whatever eldritch hideousness is causing this; > in addition to the windows security layer stuff I found, grsecurity TPE > causes the same traceback: https://bugs.python.org/issue28429 > <https://bugs.python.org/issue28429> >> With some luck there’s some entitlement or code signing option that causes >> this problem. What is the output of "codesign --display --verbose=4” for >> the application? Both with and without notarisation? > > Sorry, my original message was not clear. App notarization itself is not the > problem, it's the "stricter requirements" that I ambiguously referenced. The > requirement in question is the '--options runtime' flag passed to 'codesign'. > So you can just codesign an app (even with an ad-hoc identity, you > technically could do this without even having a valid cert, although the way > one generates one of those escapes me) with the 'runtime' option, you can > reproduce this. > > So if I sign my app like this: > > #!/bin/bash > find "${NAME}.app" -iname '*.so' -or -iname '*.dylib' | > while read libfile; do > codesign --sign "${IDENTITY}" \ > --deep "${libfile}" \ > --force \ > --options runtime; > done; > > codesign --sign "${IDENTITY}" \ > --deep "${NAME}.app" \ > --force \ > --options runtime; > > and then run it as "./${NAME}.app/Contents/MacOS/${NAME}". I immediately get > the traceback given above. Great. That should make it easier for me to reproduce the issue. Ronald
_______________________________________________ Pythonmac-SIG maillist - Pythonmac-SIG@python.org https://mail.python.org/mailman/listinfo/pythonmac-sig unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG