Thanks for the reply, eskimo!
There is no “Open anyway” button on modern Gatekeeper alerts, which suggests you’re either working on a very old system or paraphrasing. I suspect it’s the latter. It’d really help if you were precise here, because the devil is in the details.
Correct, I was paraphrasing. Sorry about that :)
As I've continued to research this, I've discovered that this is a product of App Translocation/Gatekeeper Path Randomization. So the app is able to talk to resources outside of itself, but it can't find the CONFIG folder because it is running from a randomized path.
To provide a bit of additional context on how the app works:
I distribute the signed and notarized app to my client
They edit the CONFIG folder (fonts, media, etc.), zip up the parent folder and send it to their client
I don't expect my (non-developer) clients to sign and notarize the app before distribution, so putting it inside the app bundle is not an option.
I'll look into the FileManager solution - it sounds like if I can use that method to determine the URL for the app's untranslocated location, I'll be in business?
Thanks again, Eskimo!
In your proposed solution they would be distributing an unsigned/notarized DMG (unless they registered as developers themselves). It's probably the correct approach nonetheless.
Appreciate your input :)
Edit (where did the edit button go for my post? lol): I've now observed the same problem on machines running 12.5.1 - so I think the macOS version could be a red herring. There's some other variable I'm missing, but it works on some machines running Big Sur, but many others fail with the errors outlined above.
Thanks for the reply, @eskimo!
Everything is included within the app bundle, there are no additional dependencies required of the user.
To summarize:
The app doesn't work on any devices without disabling library validation via entitlements
Disabling library validation only fixes it on certain machines (I have two machines on 12.5.1, and it works on one but not the other)
Side note - your top ten list is 14 items long?
It's like you turned it up to 11 and just... kept going :)
OK, then you should run with library validation enabled because a) it’s better for security, and b) disabling library validation makes it harder to pass Gatekeeper.
For this to work you have to sign all code that you ship with your signing identity. That’s what you should be doing anyway.
Agreed, I only disabled library validation to confirm the problem. As far as I can tell (as verified by Apple's recommended codesign -vvv --deep --strict) everything is properly signed, notarized, and stapled.
The weird thing is the temporary directory paths showing up in the error messages. This suggests that something with your process is copying libraries around. I’ve seen this sort of thing in other apps. For example, the app might have a library within a compressed archive and then unarchives it to the temporary directory and tries to run it from there. That never ends well.
That was my thought as well, there is a zip folder inside the app bundle (/Contents/Resources/lib/python39.zip) but I couldn't find any library files (searching for .so and .dylib extensions). It's mostly pyc files.
When this fails, what is the actual failure mode? Does your app crash on launch? Or does it get to main and then fail later on?
Funny thing is, the app doesn't actually crash/exit. I can check that the process is running via ps | grep myApp - it just never displays anything or prints anything to stdout.
Update: I stumbled across this thread (https://gitlab.com/inkscape/inkscape/-/issues/2299) which discusses the entitlements that python uses when installed directly (via Python.org or Homebrew, etc.)
It seems that Python.org uses the following entitlements:
sh-3.2# codesign -d --entitlements - /usr/local/bin/python
Executable=/Library/Frameworks/Python.framework/Versions/3.10/bin/python3.10
[Dict]
[Key] com.apple.security.automation.apple-events
[Value]
[Bool] true
[Key] com.apple.security.cs.allow-dyld-environment-variables
[Value]
[Bool] true
[Key] com.apple.security.cs.disable-executable-page-protection
[Value]
[Bool] true
[Key] com.apple.security.cs.disable-library-validation
[Value]
[Bool] true
If I mimic this for my application, it works on machines where it was previously failing.
If I can find a way to make this work without disabling validation, great - but I've signed everything I can find, and apparently Python.org doesn't even have a better solution...
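Two checks that follow from this thread (the App Translocation path problem earlier on, and the entitlement dump just above), written as an added example rather than code from the thread or from Apple: one tells whether an executable path is a translocated copy, the other reads the `codesign -d --entitlements -` text-format output and lists the hardened-runtime entitlements set to true that weaken library validation and related protections. The sample dump is constructed; the keys it matches are the ones quoted above plus `allow-unsigned-executable-memory` and `allow-jit`.

```shell
#!/bin/sh
# Added example (not from the thread). Two build-time checks:
# 1) is_translocated: does an executable path look like an App Translocation copy?
#    Translocated apps run from a randomized .../AppTranslocation/<uuid>/d/ path,
#    which is why a CONFIG folder next to the original .app is not found.
# 2) weakening_entitlements: parse the [Dict]/[Key]/[Value]/[Bool] text format of
#    `codesign -d --entitlements -` and print each weakening entitlement set to true.

is_translocated() {
    case "$1" in
        */AppTranslocation/*) return 0 ;;
        *) return 1 ;;
    esac
}

weakening_entitlements() {
    # Remember the last [Key], then decide when its [Bool] value arrives.
    awk '
        /\[Key\]/  { key = $2 }
        /\[Bool\]/ {
            if ($2 == "true" && key ~ /^com\.apple\.security\.cs\.(disable-library-validation|allow-dyld-environment-variables|disable-executable-page-protection|allow-unsigned-executable-memory|allow-jit)$/)
                print key
        }'
}

# Constructed sample dump in the same shape as the Python.org output quoted above,
# so the example runs without macOS. On a Mac, pipe real output instead:
#   codesign -d --entitlements - /Applications/MyApp.app | weakening_entitlements
SAMPLE_ENTITLEMENTS='[Dict]
    [Key] com.apple.security.automation.apple-events
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-dyld-environment-variables
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.debugger
    [Value]
        [Bool] false'

# Lists the two cs.* entitlements set to true; apple-events is not a hardened-runtime
# weakening key and the debugger entitlement is false, so neither is printed.
printf '%s\n' "$SAMPLE_ENTITLEMENTS" | weakening_entitlements
```

Newer codesign versions print the entitlements as an XML plist instead of this text shape, so the parser only applies to the format shown in the thread.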
Thanks for the input, Eskimo! I may take you up on that.