Thanks for that. The results from the above commands are:
% codesign -v -vvv path/to/myapp.app
path/to/myapp.app: valid on disk
path/to/myapp.app: satisfies its Designated Requirement
% codesign -d --entitlements :- path/to/myapp.app
Executable=/path/to/myapp.app/Contents/MacOS/myapp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key> com.apple.security.device.usb</key>
<true/>
</dict>
</plist>
The app has been built using PyInstaller and I'm manually signing it like this:
codesign --entitlements entitlements.plist --options=runtime -f -vvv -s "Developer ID Application: *** (XXXXXXXXX)" /path/to/myapp.app/Contents/MacOS/Python
codesign --deep --entitlements entitlements.plist --options=runtime -f -vvv -s "Developer ID Application: *** (XXXXXXXXX)" /path/to/myapp.app
This was based on https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
I don't have an embedded provisioning profile as it's not mentioned in the above procedures. Do I need one? As far as I can tell I possibly need the sandbox capability because I'm using com.apple.security.device.usb but when I try to create a profile in "Certificates, Identifiers & Profiles" the sandbox capability is not in the list. Also, given that it's been working up until very recently I assume it's not required. Is that correct?
Post
Replies
Boosts
Views
Activity
I got it to work by removing the com.apple.security.device.usb key from entitlements.plist.
For some reason I thought that was required when using the hardened runtime, but apparently not.