Yes, I did use --deep. Here's what I tried:
codesign -s "PaulF (MyID)" -v --deep --timestamp --entitlements /Users/fishbacp/Desktop/entitlements.plist -o runtime /Users/fishbacp/Desktop/dist/My_Application.app
Because I did this using PyInstaller and have no Xcode experience, I tried to follow the steps outlined at https://haim.dev/posts/2020-08-08-python-macos-app/, where the author explains why the entitlements.plist is added as an option.
When we say "sign each code item separately, from the inside out," I'm a bit overwhelmed. My app contains a Contents directory, within which are located folders named Frameworks, MacOS, Resources and the Info.plist file. Frameworks is empty, but MacOS and Resources contain tons of folders, many having to do with Python packages, e.g., numpy, pandas, PyQt5, sklearn, etc. All of my "problematic" folders are contained in PyQt5 and sklearn. The first of these has folder names with periods. The second has a hidden file.
Can I get away with what I've been doing but just sign PyQt5 and sklearn separately, or do I need to sign everything from the inside out using a tool such as the one you've provided at the bottom of https://developer.apple.com/forums/thread/130855?
I see from https://developer.apple.com/forums/thread/665901 that my developer ID is for code signing and not for signing a package. I don't see a way to remove my question above; perhaps the moderator may wish to do so.
I neglected to generate an app-specific password by visiting https://appleid.apple.com/ and using that password when uploading for notarization.
I was able to get things to work, but only by signing the app first with --deep, which I understand to be ill-advised. Then I built my installer, which was notarized successfully. (I tried to staple, which yielded an error message as described at https://developer.apple.com/forums/thread/120351. The proposed workaround didn't work for me.) I have yet to see if this prevents things from opening on a new machine.
I'd be very appreciative if anyone can guide me through the process of successfully notarizing a package like mine without using --deep.
In particular, am I correct that if the two problematic executables above were code-signed individually before the package as a whole was product signed, then things should work out?
What exactly is the syntax for signing the executables, and should I use my developer ID application for signing them?
Thanks.
I'm building my installer package using productbuild at the command line. After I code sign the app, I type
productbuild --sign 'Developer ID Installer: My Name (XXXXXX7RBW)' --component /Users/fishbacp/Desktop/dist/My\ App.app /Applications /Users/fishbacp/Desktop/My\ App_unsigned.pkg
The \ is just to force the space in the app and pkg names. Perhaps I should place the path names within quotation marks instead?
I then sign the package:
productsign --sign 'Developer ID Installer: My Name (XXXXXX7RBW)' /Users/fishbacp/Desktop/My\ App_unsigned.pkg /Users/fishbacp/Desktop/My\ App.pkg
@nk_kennedy: Thanks for your suggestion. Unfortunately, unless I misunderstood your directions, I wasn't able to resolve my problem.
I added the --timestamp option to my productbuild command. As for my code signing the app, I did this using the following:
codesign -f -o runtime -v --deep --timestamp --entitlements /Users/fishbacp/Desktop/entitlements.plist -s "Developer ID Application: My Name (XXXXXX7RBW)" /Users/fishbacp/Desktop/dist/My\ App.app
I assume that -o runtime is what ensures the code signing is done with a hardened runtime?
As for my entitlements.plist, I discovered a while back that I needed to use this (for reasons I don't understand) to get the app running since my .app was built using PyInstaller. The relevant lines from it are as follows:
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
  </dict>
</plist>
Hi, did you ever get this issue resolved? I'm facing a similar problem.
Thanks for your suggestions. I'll be honest that I really have no experience using Xcode and have been developing all my apps from Python and PyInstaller. Before I dive into learning Xcode in an attempt to "tease" the two installers (PyInstaller and Apple Installer) as you suggest, perhaps I should ask the following, which I think is really at the heart of my misunderstanding.
My app is a small "toy example" called Determinant Calculator.app, and I'll assume it's stored on my desktop in a directory named dist.
I found from my notarization log that, without including --deep in my code-sign, many items were not being signed with valid time-stamped signatures. A couple of the listed examples were
"Determinant Calculator.app/Contents/MacOS/libtcl8.6.dylib"
"Determinant_Calculator.pkg/Determinant%20Calculator.pkg Contents/Payload/Applications/Determinant Calculator.app/Contents/MacOS/QtQml"
All messages involved dynamic libraries or various directories, whose names began with Qt.
I understand from the "inside out" approach, which is what I was trying to avoid by using --deep, that I need these to be signed separately, before I sign the application itself. For example, I just code-signed the above dylib using
codesign -f -o runtime -v --timestamp --entitlements /Users/fishbacp/Desktop/determinants/entitlements.plist -s "Developer ID Application: My Name (XXXXXX7RBW)" "/Users/fishbacp/Desktop/dist/Determinant Calculator.app/Contents/MacOS/libtcl8.6.dylib"
For the QtQml, I used
codesign -f -o runtime -v --timestamp --entitlements /Users/fishbacp/Desktop/determinants/entitlements.plist -s "Developer ID Application: My Name (XXXXXX7RBW)" "/Users/fishbacp/Desktop/dist/Determinant Calculator.app/Contents/MacOS/QtQml"
Question 1: Is my understanding correct that all such items need to be signed separately before signing the application?
Question 2: Is it possible to write a shortcut that will automate the process if I give it the list of all directories in the notarization log? If there is such a shortcut, can you point me to a link where I could find such an example? (Or is this just a matter of me writing a shell script?)
Thanks for all your help.
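Question 2 above asks whether the inside-out order can be scripted. The following is an added example, not code from the thread or from Apple: it lists the nested code items under a .app deepest-first and signs each one before the bundle itself. The identity, entitlements path and app path are placeholders, the Mach-O detection is a name/exec-bit heuristic, and, as this example's own choice, the entitlements file is applied only when signing the bundle (it takes effect on the main executable), so nested libraries are signed without it.

```shell
#!/bin/sh
# Added example, not from the thread: sign a PyInstaller .app inside out, without --deep.
# Identity, entitlements and app paths are placeholders; `codesign` exists only on macOS.
set -eu

# List nested code items under a bundle, deepest path first, so every item is signed
# before the code that contains it. Candidates are chosen by name and exec bit
# (a heuristic; `file` would be exact). Directories whose names merely contain a
# period (such as Qt qml folders) are not treated as bundles: only the files inside
# them are listed. Hidden entries such as sklearn's .dylibs/ are found like any other.
list_sign_targets() {
  app="$1"
  tab=$(printf '\t')
  # awk prefixes each path with its depth; sort puts the deepest first, then by path.
  find "$app/Contents" \
       \( -name '*.dylib' -o -name '*.so' -o -name '*.framework' -o -name '*.app' \
          -o -name '*.bundle' -o \( -type f -perm -100 \) \) -print |
    awk -F/ '{ print NF "\t" $0 }' |
    sort -t "$tab" -k1,1nr -k2 |
    cut -f2-
}

# Sign every nested item, then the bundle. Hardened runtime (--options runtime) and a
# secure timestamp are what notarization checks for; entitlements go on the bundle only.
sign_inside_out() {
  app="$1"; identity="$2"; entitlements="$3"
  list_sign_targets "$app" | while IFS= read -r item; do
    codesign --force --options runtime --timestamp --sign "$identity" "$item"
  done
  codesign --force --options runtime --timestamp \
           --entitlements "$entitlements" --sign "$identity" "$app"
  # Strict verification surfaces anything --deep would have quietly covered over.
  codesign --verify --strict --verbose=2 "$app"
}

# Usage (placeholder values):
# sign_inside_out "/Users/me/Desktop/dist/My App.app" \
#   "Developer ID Application: My Name (TEAMID)" /Users/me/Desktop/entitlements.plist
```

After signing, the app can be packaged with productbuild and the package signed with productsign exactly as in the commands earlier in the thread.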