I got it to work by removing the com.apple.security.device.usb key from entitlements.plist.
For some reason I thought that was required when using the hardened runtime, but apparently not.
Thanks for that. The results from the above commands are:
% codesign -v -vvv path/to/myapp.app
path/to/myapp.app: valid on disk
path/to/myapp.app: satisfies its Designated Requirement
% codesign -d --entitlements :- path/to/myapp.app
Executable=/path/to/myapp.app/Contents/MacOS/myapp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key> com.apple.security.device.usb</key>
<true/>
</dict>
</plist>
The app has been built using PyInstaller and I'm manually signing it like this:
codesign --entitlements entitlements.plist --options=runtime -f -vvv -s "Developer ID Application: *** (XXXXXXXXX)" /path/to/myapp.app/Contents/MacOS/Python
codesign --deep --entitlements entitlements.plist --options=runtime -f -vvv -s "Developer ID Application: *** (XXXXXXXXX)" /path/to/myapp.app
This was based on https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
I don't have an embedded provisioning profile as it's not mentioned in the above procedures. Do I need one? As far as I can tell I possibly need the sandbox capability because I'm using com.apple.security.device.usb but when I try to create a profile in "Certificates, Identifiers & Profiles" the sandbox capability is not in the list. Also, given that it's been working up until very recently I assume it's not required. Is that correct?
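A pre-signing check for the entitlements file discussed in this thread, as an added example that is not part of either post. It flags key names carrying stray whitespace and App Sandbox entitlements declared without `com.apple.security.app-sandbox` (Apple documents `com.apple.security.device.usb` among the App Sandbox entitlements); the function name, the `SANDBOX_ONLY` set and the sample input are assumptions made for this example.

```python
import plistlib

# Constructed sample: mirrors the entitlements dump quoted in the thread,
# including the leading space inside the second <key>.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key> com.apple.security.device.usb</key>
<true/>
</dict>
</plist>
"""

SANDBOX = "com.apple.security.app-sandbox"
# Assumption for this example: only the key from the thread is listed as an
# App Sandbox entitlement; extend the set for your own project.
SANDBOX_ONLY = {"com.apple.security.device.usb"}


def lint_entitlements(data):
    """Return a list of findings for an entitlements plist (XML or binary)."""
    ents = plistlib.loads(data)
    findings = []
    names = set()
    for key in ents:
        name = key.strip()
        names.add(name)
        if name != key:
            # A key with surrounding whitespace is a different string from
            # the entitlement name it was meant to be.
            findings.append(f"whitespace in key name: {key!r}")
    sandboxed = any(k.strip() == SANDBOX and v is True for k, v in ents.items())
    if not sandboxed:
        for name in sorted(names & SANDBOX_ONLY):
            findings.append(f"{name} is an App Sandbox entitlement but {SANDBOX} is not enabled")
    return findings


if __name__ == "__main__":
    for finding in lint_entitlements(SAMPLE):
        print(finding)
```

Run it on `entitlements.plist` before calling `codesign`, so a malformed or unneeded key is caught before it is embedded in the signature.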