Hi forum!
I'm a n00b in Apple development, so I apologise in advance if something is very wrong.
I have a Python app for macOS that I am deploying with pyinstaller (thus I am NOT using Xcode). The app is to be deployed through GitHub, not through the App Store. I could sign it and notarize it and it works. However, the app needs to run some external unsigned code (like a plugin). The hardened runtime blocks that, so I need to add entitlements. I've done it as it's explained in many other places with codesign. It seems to work, but when I run the app, it crashes immediately with EXC_CRASH (Code signature invalid). The crash doesn't happen unless I add the entitlements.
Now my questions: how do I make my situation work? Do I need a provisioning profile? The entitlements I am trying to add (hardened runtime-related) are not restricted AFAIK, so I don't think I do?
If I need a provisioning profile, how can I add it to the app after it's bundled with pyinstaller?
Thank you so much!
Francesco