Posts

Post not yet marked as solved
7 Replies
2.2k Views
Context: I'm developing a Python app with Tkinter GUI on a 2020 M1 MacBook Air. I have already built, signed, and notarized the app successfully on the native arm64 architecture - so far so good.

Now I am trying to do the same for x86_64, on the same machine. I've built a conda environment for x86_64, built the app with pyinstaller, and verified that it runs when I double-click on AppName.app. So far so good.

The problem happens when I sign it. After signing with the same command I used for the arm64 version:

```
codesign -s "Developer ID Application: MY_CERTIFICATE_NAME" -v --deep --timestamp --entitlements entitlements.plist -o runtime "dist/MyAppName.app" --force
```

The entitlements file just sets com.apple.security.cs.allow-unsigned-executable-memory to true - apparently necessary for Python programs.

The app now crashes when I double-click. The crash log contains the line:

```
Termination Reason: Namespace ROSETTA, Code 0 rosetta error: unable to mmap __TEXT: 1 /var/db/*/libffi.8.dylib.aot
```

When I try to run from the command line with

```
./projects/eagle_eyes_video_scanner/dist/EagleEyesScan.app/Contents/MacOS/main
```

I get another error:

```
rosetta error: unable to mmap __TEXT: 1   /var/db/oah/ffdfb26a8f1f835406614fae08b99665733faafa40599b6bc0aace0981564015/4893345e2743c970aa1c71f137e03f8e791c82b6b7354da038bebfac5673be73/libffi.8.dylib.aotzsh: abort   ./projects/eagle_eyes_video_scanner/dist/EagleEyesScan.app/Contents/MacOS/mai
```

I don't know if this libffi is central to the problem or just the first thing to fail. So, how can I sign my app without breaking it?
Posted by petered.
Post not yet marked as solved
2 Replies
779 Views
I've built a working macOS app from Python, using Tkinter as GUI, and pyinstaller to build. I've successfully signed it using codesign with a "Developer ID Application" certificate.

```
codesign -s "Developer ID Application: MY_CERTIFICATE_NAME" -v --deep --timestamp --entitlements entitlements.plist -o runtime "dist/MyApp.app" --force
```

Where entitlements.plist is

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
```

Checking with

```
codesign -vvv --deep --strict dist/MyApp.app
```

seems to indicate that it's happy

```
dist/MyApp.app: valid on disk
dist/MyApp.app: satisfies its Designated Requirement
```

However, when I zip it, and notarize, with

```
xcrun notarytool submit path/to/project/dist/AppName.zip --apple-id MY_APPLE_ID --password MY_APP_SPECIFIC_PASSWORD --team-id MY_TEAM_ID --wait
```

It fails with

```
Processing complete
  id: SOME_HASH_CODE
  status: Invalid
```

When I check why it failed with

```
xcrun notarytool log SOME_HASH_CODE --apple-id MY_APPLE_ID --team-id=MY_TEAM_ID
```

I get that all the dylib files in MyApp.app/Contents/Resources were unsigned, e.g.

```
{
  "severity": "error",
  "code": null,
  "path": "MyApp.zip/MyApp.app/Contents/Resources/libopenblas.0.dylib",
  "message": "The binary is not signed with a valid Developer ID certificate.",
  "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
  "architecture": "arm64"
},
{
  "severity": "error",
  "code": null,
  "path": "MyApp.zip/MyApp.app/Contents/Resources/libopenblas.0.dylib",
  "message": "The signature does not include a secure timestamp.",
  "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
  "architecture": "arm64"
}
```

Indeed when I check my code-sign with

```
codesign -vvv --deep --strict dist/EagleEyesScan.app
```

I see that none of the dylib files in MyApp.app/Contents/Resources are listed.

Main question is - What do I have to do to pass notarization?

Sub-question is - Why are the dylib files in MyApp.app/Contents/Resources not being signed?
Posted by petered.
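Added example, not part of the original post and not Apple tooling: a small triage of a notarization log that groups the issue objects quoted above by file, so each flagged binary shows whether it lacks a Developer ID signature, a secure timestamp, or both. The top-level `issues` key, the third sample entry and the function names are assumptions made for this sketch.

```python
import json
from collections import defaultdict

# Constructed sample: two issues shaped like the ones quoted in the post, plus
# one made-up entry. The top-level "issues" key is an assumption.
SAMPLE_LOG = json.dumps({"status": "Invalid", "issues": [
    {"severity": "error", "code": None, "architecture": "arm64",
     "path": "MyApp.zip/MyApp.app/Contents/Resources/libopenblas.0.dylib",
     "message": "The binary is not signed with a valid Developer ID certificate."},
    {"severity": "error", "code": None, "architecture": "arm64",
     "path": "MyApp.zip/MyApp.app/Contents/Resources/libopenblas.0.dylib",
     "message": "The signature does not include a secure timestamp."},
    {"severity": "error", "code": None, "architecture": "arm64",
     "path": "MyApp.zip/MyApp.app/Contents/Resources/lib-dynload/_example.so",
     "message": "The signature does not include a secure timestamp."},
]})

# Message fragments copied from the log excerpt in the post.
CATEGORIES = {
    "not signed with a valid Developer ID certificate": "unsigned",
    "does not include a secure timestamp": "no-timestamp",
}

def classify(message):
    """Return a short label for a notarization error message."""
    for fragment, label in CATEGORIES.items():
        if fragment in message:
            return label
    return "other"

def triage(log_text):
    """Map each flagged file (path inside the bundle) to its set of problems."""
    data = json.loads(log_text)
    issues = data.get("issues") or [] if isinstance(data, dict) else data
    problems = defaultdict(set)
    for issue in issues:
        if issue.get("severity") != "error":
            continue
        # Drop the leading archive component ("MyApp.zip/") to get the on-disk path.
        _, _, bundle_path = issue["path"].partition("/")
        problems[bundle_path or issue["path"]].add(classify(issue.get("message", "")))
    return dict(problems)

def report(log_text):
    """Flagged paths, deepest first, each with its sorted problem labels."""
    found = triage(log_text)
    ordered = sorted(found, key=lambda p: (-p.count("/"), p))
    return [(p, sorted(found[p])) for p in ordered]

if __name__ == "__main__":
    for path, labels in report(SAMPLE_LOG):
        print(f"{path}: {', '.join(labels)}")
```
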
Post not yet marked as solved
1 Replies
1.2k Views
I've got a Developer ID Application certificate - however when I open the details in Keychain it tells me "Developer ID Application XXXXXXX certificate is not trusted".

When I try signing my code with this certificate, using

```
codesign -s MY_CERTIFICATE_NAME -v --deep --timestamp --entitlements entitlements.plist -o runtime "path/to/MyApp.app" --force
```

I get

```
Warning: unable to build chain to self-signed root for signer MY_CERTIFICATE_NAME
```

It does work when I use another certificate - one that is trusted (however with that other certificate, I get problems in notarizing, apparently because it is an "Apple Development" certificate and not a "Developer ID Application" certificate).

How can I make my certificate trusted?

All online advice I can find online doesn't help:

- Find any other certificates and change their trust settings from "Always Trusted" to "Use System Defaults" (however they all are on "Use System Defaults" already).
- Adding intermediate signing certificates to Keychain as in - https://stackoverflow.com/a/66083449/851699 - I've tried this, and my problem persists.
Posted by petered.
Post not yet marked as solved
2 Replies
1k Views
I have created my AppName.app using pyinstaller, and verified that it runs. I have signed up for an Apple Developer account and paid the fees. Now, I just need to notarize.

I would like to avoid having to delete 20GB of files just so I can download Xcode. I've read this thread which suggests you can use the version of altool packaged with Transporter.app. However I cannot find altool in Transporter.app and besides apparently altool is old and has been replaced by notarytool.

Is it really the case that the only way to notarize an app is to install the 40GB Xcode *****?
Posted by petered.