Hi All,
I'm a new developer taking over maintenance of a cross-platform application. I am trying to follow the notarization guidelines outlined here:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
We have two versions of the software, one with bundled Python and another without. I am having issues with the Python bundled application. The one without the Python bundle works just fine after notarization. The symptom of the bundled Python app is that even though all checks show the software is properly notarized and signed, when running it, I get the warning as if it has not been notarized at all! (" cannot be opened because the developer cannot be verified.")
For the Python bundled version, I did the following:
- Sign all the binaries, .app bundle (via Developer ID cert)
- Sign all the Python binaries and dylibs. Note: I did run into issues with the libraries not working after signing, so I added this entitlement when signing the Python binaries and DLLs (via the same Developer ID cert):
cat entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!-- These are required for binaries built by PyInstaller -->
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
- Create dmg containing my own binaries and the Python distribution
- Sign dmg with same signing cert (Developer ID)
- Upload said dmg to Apple for notarization
- Upon receiving the successful notarization message, I stapled the notary receipt to the dmg for distribution.
After downloading the app from the internet, I manually verified that the notarization is still on the bundle and the dmg as follows:
spctl -a -t open --context context:primary-signature -v ~/Downloads/MyApp.dmg
/Users/blu/Downloads/MyApp.dmg: accepted
source=Notarized Developer ID
I also checked the .App bundle as well:
spctl -vvv --assess --type exec MyApp.app
MyApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: XXXXXXXXXXX
However, when I open the .App, I get the standard message as if the software has never been notarized: " cannot be opened because the developer cannot be verified."
If I check the xattribute of the .App bundle, I see the following:
xattr -l MyApp.app
com.apple.quarantine: 0181;5ebac12e;Chrome;8368045F-15F1-4EBE-BD54-D51FA4C43C8C
Does anyone know what I did wrong? Is it simply impossible to bundle Python with my application?
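
An added example, not part of the original post: the `spctl` checks above assess the bundle as a whole, so a per-file pass over every nested Mach-O binary (the bundled Python executables and dylibs) shows whether each one individually carries a valid signature. The function names `is_macho`, `find_macho` and `audit` are this example's own, and `audit` assumes it runs on macOS where `codesign` is available.

```python
import os
import shutil
import struct
import subprocess
import sys

# Mach-O magic numbers as they appear when the first 4 bytes are read big-endian.
MACHO_MAGICS = {
    0xFEEDFACE, 0xCEFAEDFE,  # thin 32-bit, both byte orders
    0xFEEDFACF, 0xCFFAEDFE,  # thin 64-bit, both byte orders
    0xCAFEBABE, 0xBEBAFECA,  # fat/universal (Java .class files share 0xCAFEBABE)
}

def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return len(head) == 4 and struct.unpack(">I", head)[0] in MACHO_MAGICS

def find_macho(root):
    """Every regular (non-symlink) Mach-O file under root, sorted."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and is_macho(path):
                found.append(path)
    return sorted(found)

def audit(root):
    """Verify each nested binary with codesign; return (path, error) for failures."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; run this on macOS")
    failures = []
    for path in find_macho(root):
        result = subprocess.run(
            ["codesign", "--verify", "--strict", "--verbose=2", path],
            capture_output=True, text=True)
        if result.returncode != 0:
            failures.append((path, result.stderr.strip()))
    return failures

if __name__ == "__main__":
    # Usage: python3 audit_bundle.py MyApp.app
    for path, reason in audit(sys.argv[1]):
        print(f"FAIL {path}\n     {reason}")
```

Any path it reports is a binary whose own signature does not verify, independent of the overall `spctl` verdict on the bundle.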