Notarization of app built with Python and Pyinstaller fails due to PyQt dylib files not being signed or not including a valid time stamp

My app was created outside of Xcode but using Python with Pyinstaller. I received no error messages when signing, although the output did mention that

signed app bundle with Mach-O thin

Then I entered the following:

     xcrun altool --notarize-app -f /Users/fishbacp/Desktop/Python_May_2021/dist/My_Application_10_7.zip --primary-bundle-id MyID -u fishback.paul@gmail.com -p "@keychain:Python Notarization"

where I've covered up my ID. The file is uploaded correctly but notarization fails. The LogFileURL produces 24 error messages, all indicating a binary was not signed or the signature does not contain a valid timestamp. Here are two examples:

    {"severity": "error",
     "code": null,
     "path": "My_Application.zip/My_Application.app/Contents/Resources/PyQt5/Qt/qml/QtQuick.2/libqtquick2plugin.dylib",
     "message": "The binary is not signed.",
     "docUrl": null,
     "architecture": "x86_64"
    },

and

    {"severity": "error",
     "code": null,
     "path": "My_Application_10_7.zip/My_Application_10_7.app/Contents/Resources/PyQt5/Qt/qml/QtQml/WorkerScript.2/libworkerscriptplugin.dylib",
     "message": "The signature does not include a secure timestamp.",
     "docUrl": null,
     "architecture": "x86_64"
    }

What's common to all the errors is that the dylib resides in a subdirectory of PyQt5 whose name contains a period. Ben Hagen describes how the presence of such periods can prevent signing and provides a workaround script at https://github.com/pyinstaller/pyinstaller/wiki/Recipe-OSX-Code-Signing-Qt. I used this tool to sign my app. But somehow I need to do something more prior to uploading for notarization.

You haven’t given us any info about how you signed your app. My guess is that you’re trying to use --deep, which is never a good idea. See --deep Considered Harmful.

Rather, you need to sign each code item separately, from the inside out. See Signing a Mac Product For Distribution for the gory details.

Beyond that, it’s clear that you have serious nested code problems, that is, the third-party products you’re using don’t follow the rules documented in the Nested Code section of Technote 2206 macOS Code Signing In Depth. In some situations you can get away with this but it is a common source of code signing and distribution issues.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
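Quinn's advice above ("sign each code item separately, from the inside out", with hardened runtime and a secure timestamp on every item, and no --deep when signing) as an added worked example. This is an editor-supplied illustration, not code from the thread, from Apple DTS, or from the PyInstaller wiki recipe. It assumes a hypothetical signing identity "Developer ID Application: Example (TEAMID)", an entitlements.plist path passed on the command line, and a PyInstaller one-folder bundle whose nested code consists of plain Mach-O files (dylib, .so, extension-less binaries) rather than .framework bundles. The demo() function builds a constructed stand-in bundle containing only fake Mach-O headers so the signing plan can be inspected on a machine without codesign; nothing in it is a real app.

```python
#!/usr/bin/env python3
"""Inside-out code signing for a PyInstaller .app (illustrative helper, not
from the thread). It finds every Mach-O file by its header, signs the deepest
ones first, then signs the outer bundle; --deep is never used for signing."""
import os
import subprocess
import sys
import tempfile

# Mach-O magics as they appear on disk: MH_MAGIC / MH_MAGIC_64 in both byte
# orders, plus the (always big-endian) fat/universal header.
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"


def is_macho(path):
    """True if the file starts with a Mach-O header. Detecting by header, not
    by extension, catches .so, .dylib and extension-less binaries alike, no
    matter what the enclosing directory (e.g. QtQuick.2) is called."""
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        return False
    if head[:4] in THIN_MAGICS:
        return True
    if head[:4] == FAT_MAGIC and len(head) == 8:
        # 0xcafebabe is also the Java class-file magic; a fat header carries a
        # small architecture count where a class file carries its version.
        nfat_arch = int.from_bytes(head[4:8], "big")
        return 0 < nfat_arch < 20
    return False


def sign_order(app_root):
    """All Mach-O files under app_root, deepest first, so each nested binary
    is sealed before anything that contains it is signed."""
    found = []
    for dirpath, _dirs, files in os.walk(app_root):
        for name in files:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p) and is_macho(p):
                found.append(p)
    found.sort(key=lambda p: (-p.count(os.sep), p))
    return found


def codesign_cmd(path, identity, entitlements=None):
    """codesign invocation for one item. --timestamp and --options runtime are
    what the notary service checks for; entitlements belong on the app's main
    executable (applied through the outer bundle), not on libraries."""
    cmd = ["codesign", "--force", "--sign", identity,
           "--timestamp", "--options", "runtime"]
    if entitlements:
        cmd += ["--entitlements", entitlements]
    return cmd + [path]


def sign_bundle(app_root, identity, entitlements=None, run=subprocess.run):
    """Sign nested code first, then the bundle itself. `run` is injectable so
    the plan can be captured without a signing identity on the machine."""
    plan = [codesign_cmd(p, identity) for p in sign_order(app_root)]
    plan.append(codesign_cmd(app_root, identity, entitlements))
    for cmd in plan:
        run(cmd, check=True)
    return plan


def verify_cmds(app_root):
    """Post-signing checks. --deep is fine for *verifying*; spctl reproduces
    Gatekeeper's assessment of the bundle."""
    return [["codesign", "--verify", "--deep", "--strict", "--verbose=2", app_root],
            ["spctl", "--assess", "--type", "execute", "--verbose", app_root]]


def demo():
    """Constructed stand-in for a PyInstaller bundle (fake Mach-O headers only,
    no real code). Returns the signing plan produced by a recording runner."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "Demo.app")
    qml = os.path.join(app, "Contents", "Resources", "PyQt5", "Qt", "qml", "QtQuick.2")
    macos = os.path.join(app, "Contents", "MacOS")
    os.makedirs(qml)
    os.makedirs(macos)
    with open(os.path.join(qml, "libqtquick2plugin.dylib"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\0" * 28)                 # MH_MAGIC_64, little-endian
    with open(os.path.join(macos, "Demo"), "wb") as f:
        f.write(FAT_MAGIC + b"\x00\x00\x00\x02" + b"\0" * 24)     # fat binary, 2 architectures
    with open(os.path.join(app, "Contents", "Resources", "Foo.class"), "wb") as f:
        f.write(FAT_MAGIC + b"\x00\x00\x00\x34")                   # Java class file, not Mach-O
    calls = []
    plan = sign_bundle(app, "Developer ID Application: Example (TEAMID)",
                       entitlements="entitlements.plist",
                       run=lambda cmd, check: calls.append(cmd))
    return {"app": app, "plan": plan, "calls": calls}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        for cmd in demo()["plan"]:          # dry run: print the plan for the demo bundle
            print(" ".join(cmd))
        sys.exit(0)
    app, identity = sys.argv[1], sys.argv[2]
    ents = sys.argv[3] if len(sys.argv) > 3 else None
    sign_bundle(app, identity, ents)
    for cmd in verify_cmds(app):
        subprocess.run(cmd, check=True)
```

Run it on a real bundle as `python3 sign_inside_out.py dist/My_Application.app "Developer ID Application: Example (TEAMID)" entitlements.plist`; with no arguments it only prints the plan for the constructed demo bundle. Two caveats: `--timestamp` contacts Apple's timestamp server, so sign on a machine with network access, and if the bundle contains .framework or nested .app directories those must be signed as bundles (codesign on the directory) after their contents and before the outer app, which this script does not do on its own.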

Yes, I did use --deep. Here's what I tried:

codesign -s "PaulF (MyID)" -v --deep --timestamp --entitlements /Users/fishbacp/Desktop/entitlements.plist -o runtime /Users/fishbacp/Desktop/dist/My_Application.app

Because I did this using Pyinstaller and have no Xcode experience, I tried to follow the steps outlined at https://haim.dev/posts/2020-08-08-python-macos-app/, where the author explains why the entitlements.plist is added as an option.

When you say "sign each code item separately, from the inside out," I'm a bit overwhelmed. My app contains a Contents directory, within which are located folders named Frameworks, MacOS, Resources and the Info.plist file. Frameworks is empty, but MacOS and Resources contain tons of folders, many having to do with Python packages, e.g., numpy, pandas, PyQt5, sklearn, etc. All of my "problematic" folders are contained in PyQt5 and sklearn. The first of these has folder names with periods. The second has a hidden file.

Can I get away with what I've been doing but just sign PyQt5 and sklearn separately, or do I need to sign everything from the inside out using a tool such as the one you've provided at the bottom of https://developer.apple.com/forums/thread/130855 ?
