I've only started to learn about the notarization process within the past eight months. About every three weeks or so, after I've added features to a piece of software I'm writing, I check to make sure I can still get it notarized. Everything worked fine until today.
My workflow is the following (I'm running Mac 11.6.1):
- My program is written in Python using tkinter and converted to an .app using PyInstaller. It runs fine on my own machine. I'm not using Xcode.
- Build the package:
productbuild --component Desktop/dist/my_app.app Desktop/my_app.pkg
- Product sign the package:
productsign --force --deep --sign 'Developer ID Installer: MyName (XXXXXX7RBW)' /Users/Desktop/my_app.pkg /Users/Desktop/my_app_signed.pkg
- Check that code is signed.
pkgutil --check-signature Desktop/my_app_signed.pkg
- Obtain an app-specific password by visiting https://appleid.apple.com/account/manage
- Submit for notarization:
xcrun altool --notarize-app -f Desktop/my_app_signed.pkg --primary-bundle-id XXXXXX7RBW -u my_email_address -p '@keychain: Developer ID Installer: MyName (XXXXXX7RBW)'
Enter my app specific password when instructed to do so.
When things worked fine a few weeks ago, there was an extra step before completing step (2): For some reason I had problems signing and notarizing up to that time due to directory names containing periods. These were located in PyQt5 within the application bundle. I deleted these folders, notarization worked, and my program ran fine on a different Mac.
Now the notarization fails due to several executables inside Contents/MacOS/, such as QtDesigner, QtMacExtras, QtNetwork, and a few others starting with Qt. One exception consists of the dylib file libz.1.2.11.dylib. The log yields the typical "lack of a valid time-stamp" or "lack of valid Developer ID certificate" messages.
The only real difference in my package since I had it last notarized three weeks ago is that it now utilizes a python module, netgraph, which is likely using aspects of PyQt.
So, I'm seeking advice for how to address this error.
Am I correct that I will need to sign the problem executables individually? If so, what is the correct way to do so? For example, instead of creating my package and product signing, should I code sign the individual problem executables and then package them with the app?
Thanks
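An added example, not part of the original post: one way to triage the failure described above is to parse the notarization log, collect every nested binary flagged with an error, and list them deepest-first so each is signed before the bundle that contains it. The log content is a constructed sample in the JSON shape of a notarization log ("issues" entries with severity, path and message); the signing identity is a placeholder and the Desktop/dist location is assumed from the post's productbuild step.

```python
import json
import shlex
from collections import defaultdict

# Constructed sample shaped like a notarization log (JSON with an "issues" list).
# Paths and messages are illustrative, not copied from the poster's real log.
_PKG = "my_app_signed.pkg/my_app.pkg Contents/Payload/Applications/"
SAMPLE_LOG = json.dumps({"status": "Invalid", "issues": [
    {"severity": "error", "path": _PKG + "my_app.app/Contents/MacOS/QtNetwork",
     "message": "The binary is not signed with a valid Developer ID certificate."},
    {"severity": "error", "path": _PKG + "my_app.app/Contents/MacOS/QtNetwork",
     "message": "The signature does not include a secure timestamp."},
    {"severity": "error", "path": _PKG + "my_app.app/Contents/MacOS/libz.1.2.11.dylib",
     "message": "The signature does not include a secure timestamp."},
    {"severity": "warning", "path": _PKG + "my_app.app/Contents/MacOS/my_app",
     "message": "Constructed warning that should be ignored."},
]})

def failing_binaries(log_text):
    """Map each bundle-relative path with errors to its sorted, de-duplicated messages."""
    found = defaultdict(set)
    for issue in json.loads(log_text).get("issues") or []:
        if issue.get("severity") != "error":
            continue
        path = issue.get("path", "")
        # Keep the part from the .app bundle onward; the prefix names the pkg payload.
        marker = path.find(".app/")
        start = path.rfind("/", 0, marker) + 1 if marker != -1 else 0
        found[path[start:]].add(issue.get("message", ""))
    return {p: sorted(m) for p, m in found.items()}

def signing_order(paths):
    """Deepest paths first, so nested code is signed before what contains it."""
    return sorted(paths, key=lambda p: (-p.count("/"), p))

def codesign_commands(log_text, identity, dist_dir="Desktop/dist"):
    """Build one codesign command per failing binary (identity is a placeholder)."""
    return [shlex.join(["codesign", "--force", "--timestamp", "--options", "runtime",
                        "--sign", identity, f"{dist_dir}/{p}"])
            for p in signing_order(failing_binaries(log_text))]

if __name__ == "__main__":
    for cmd in codesign_commands(SAMPLE_LOG, "Developer ID Application: PLACEHOLDER"):
        print(cmd)
```

Nested code is signed with a Developer ID Application identity, which is separate from the Developer ID Installer identity that productsign uses on the .pkg.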