Post not yet marked as solved
Context : I'm developing a python app with Tkinter GUI on a 2020 M1 Macbook Air.
I have already built, signed, and notarized the app successfully on the native arm64 architecture - so far so good.
Now I am trying to do the same for x86_64, on the same machine. I've built a conda environment for x86_64, built the app with pyinstaller, and verified that it runs when I double-click on AppName.app. So far so good.
The problem happens when I sign it. After signing with the same command I used for the arm64 version:
codesign -s "Developer ID Application: MY_CERTIFICATE_NAME" -v --deep --timestamp --entitlements entitlements.plist -o runtime "dist/MyAppName.app" --force
Entitlements file just sets com.apple.security.cs.allow-unsigned-executable-memory to true - apparently necessary for python programs.
The app now crashes when I double-click. The crash-log contains the line:
Termination Reason: Namespace ROSETTA, Code 0
rosetta error: unable to mmap __TEXT: 1
/var/db/*/libffi.8.dylib.aot
When I try to run from command line with
./projects/eagle_eyes_video_scanner/dist/EagleEyesScan.app/Contents/MacOS/main
I get another error:
rosetta error: unable to mmap __TEXT: 1
/var/db/oah/ffdfb26a8f1f835406614fae08b99665733faafa40599b6bc0aace0981564015/4893345e2743c970aa1c71f137e03f8e791c82b6b7354da038bebfac5673be73/libffi.8.dylib.aot
zsh: abort ./projects/eagle_eyes_video_scanner/dist/EagleEyesScan.app/Contents/MacOS/mai
I don't know if this libffi is central to the problem or just the first thing to fail.
So, how can I sign my app without breaking it?
Post not yet marked as solved
I've built a working macOS app from python, using Tkinter as GUI, and pyinstaller to build.
I've successfully signed it using codesign with a "Developer ID Application" certificate.
codesign -s "Developer ID Application: MY_CERTIFICATE_NAME" -v --deep --timestamp --entitlements entitlements.plist -o runtime "dist/MyApp.app" --force
Where entitlements.plist is
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
Checking with codesign -vvv --deep --strict dist/MyApp.app seems to indicate that it's happy
dist/MyApp.app: valid on disk
dist/MyApp.app: satisfies its Designated Requirement
However, when I zip it, and notarize, with
xcrun notarytool submit path/to/project/dist/AppName.zip --apple-id MY_APPLE_ID --password MY_APP_SPECIFIC_PASSWORD --team-id MY_TEAM_ID --wait
It fails with
Processing complete
id: SOME_HASH_CODE
status: Invalid
When I check why it failed with
xcrun notarytool log SOME_HASH_CODE --apple-id MY_APPLE_ID --team-id=MY_TEAM_ID
I get that all the dylib files in MyApp.app/Contents/Resources were unsigned, e.g.
{
"severity": "error",
"code": null,
"path": "MyApp.zip/MyApp.app/Contents/Resources/libopenblas.0.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "MyApp.zip/MyApp.app/Contents/Resources/libopenblas.0.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
}
Indeed when I check my code-sign with
codesign -vvv --deep --strict dist/EagleEyesScan.app
I see that none of the dylib files in MyApp.app/Contents/Resources are listed.
Main question is: what do I have to do to pass notarization?
Sub-question is: why are the dylib files in MyApp.app/Contents/Resources not being signed?
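The sub-question has a known cause: codesign --deep only descends into the bundle's nested code locations (Contents/MacOS, Frameworks, PlugIns and the like), and treats anything under Contents/Resources as data, so the Mach-O files PyInstaller puts there are never visited. The script below is an added example, not the poster's script or PyInstaller's: it locates every Mach-O file in the bundle by magic number and signs each one with a secure timestamp and the hardened runtime before signing the outer bundle; the identity, entitlements file and app path are hypothetical placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post). Signs all Mach-O files found
# anywhere under a .app, inner binaries first, then the bundle itself.
set -eu

# Return 0 if the file starts with a Mach-O or universal (fat) magic number.
# Matching by magic rather than by extension catches .dylib, .so and helper
# executables alike, wherever PyInstaller placed them.
is_macho() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the path of every Mach-O file below a directory, one per line.
find_macho() {
    find "$1" -type f | while IFS= read -r f; do
        if is_macho "$f"; then printf '%s\n' "$f"; fi
    done
}

# Sign each nested binary, then the bundle (which also re-signs the main
# executable with the entitlements), then verify the result the way the
# post does. Notarization requires --timestamp and --options runtime on
# every signature, not just the outer one.
sign_bundle() {
    app=$1; identity=$2; entitlements=$3
    find_macho "$app" | while IFS= read -r f; do
        codesign --force --sign "$identity" --timestamp --options runtime "$f"
    done
    codesign --force --sign "$identity" --timestamp --options runtime \
        --entitlements "$entitlements" "$app"
    codesign --verify --verbose=4 --deep --strict "$app"
}

# Usage with hypothetical placeholder values:
# sign_bundle dist/MyApp.app "Developer ID Application: MY_CERTIFICATE_NAME" entitlements.plist
```

After signing, `codesign -d -vvv dist/MyApp.app/Contents/Resources/libopenblas.0.dylib` should now report a signature and timestamp for the dylib the notary log complained about.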
Post not yet marked as solved
I've got a Developer ID Application certificate - however when I open the details in Keychain it tells me "Developer ID Application XXXXXXX certificate is not trusted"
When I try signing my code with this certificate, using
codesign -s MY_CERTIFICATE_NAME -v --deep --timestamp --entitlements entitlements.plist -o runtime "path/to/MyApp.app" --force
I get
Warning: unable to build chain to self-signed root for signer MY_CERTIFICATE_NAME
It does work when I use another certificate - one that is trusted (however with that other certificate, I get problems in notarizing, apparently because it is an "Apple Development" certificate and not a "Developer ID Application" certificate).
How can I make my certificate trusted?
All the advice I can find online doesn't help:
Find any other certificates and change their trust settings from "Always Trusted" to "Use System Defaults" (however they all are on "Use System Defaults" already).
Adding intermediate signing certificates to Keychain as in https://stackoverflow.com/a/66083449/851699 - I've tried this, and my problem persists.
Post not yet marked as solved
I have created my AppName.app using pyinstaller, and verified that it runs.
I have signed up for an Apple Developer account and paid the fees.
Now, I just need to notarize. I would like to avoid having to delete 20GB of files just so I can download Xcode.
I've read this thread which suggests you can use the version of altool packaged with Transporter.app. However I cannot find altool in Transporter.app and besides apparently altool is old and has been replaced by notarytool.
Is it really the case that the only way to notarize an app is to install the 40GB Xcode *****?