codesign - edited signature

Hey all!

I'm building a Python-based app with PySide6-deploy. This gives me a .app directory with all the necessary things already in it. To be able to distribute this, I provided just the .app path to codesign, like this:

codesign -s "My Name" --keychain "keychain" -f --deep RenderRob.app

If I try to check or sign the package, it looks promising:

codesign --verify ...
RenderRob.app: valid on disk
RenderRob.app: satisfies its Designated Requirement

Unfortunately this signed package does not work when checking with spctl.

spctl --assess --verbose RenderRob.app/Contents/MacOS/libcrypto.3.dylib
RenderRob.app/Contents/MacOS/libcrypto.3.dylib: rejected

When I looked at the notarization log, I saw that something is off with the signature of the binary dependencies. When I then checked the binary dependencies, it turned out it complains about an edited signature:

codesign -dv --verbose=4 RenderRob.app/Contents/MacOS/libcrypto.3.dylib
RenderRob.app/Contents/MacOS/libcrypto.3.dylib: edited signature Mach-O thin (arm64) [com.dreisicht.renderrob]

I then also tried to move this into RenderRob.app/Contents/Frameworks, but there it has the same issue. Any idea what this could be?

Answered by DTS Engineer in 833868022

There are a number of potential issues here. First:

codesign -s "My Name" --keychain "keychain" -f --deep …

Don’t use --deep when signing code. See --deep Considered Harmful for an explanation as to why not.

As to what you should do, I’ll come back to that below.

Unfortunately this signed package does not work when checking with spctl.

It’s generally best to avoid spctl for this sort of thing. If you want to test whether something will pass Gatekeeper, use the process described in Testing a Notarised Product.

codesign -dv --verbose=4 RenderRob.app/Contents/MacOS/libcrypto.3.dylib

That definitely belongs in Contents/Frameworks. See Placing Content in a Bundle.

Coming back to how you should sign your code, there’s a general process for that described in:

My experience is that Python apps tend to run into problems with this because Python app bundling tools don’t follow the results in Placing Content in a Bundle. If you discover that’s the case here, reply here with the details and I can offer further advice.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for the helpful reply!

I was trying to build my application with PySide6-deploy, which is putting all files into the MacOS subdirectory. After researching I ended up using Py2App, which follows the required folder structure. Providing only the top-level MyApp.app/ directory path did not work; I got a myriad of complaints from the notarization. Do I now have to sign every file individually?

And is there a generally preferred tool for packaging Python-based apps?
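
An added example, not code from the thread or from Apple: a dry-run planner that applies the two points in the DTS answer, listing every Mach-O file and nested bundle so each can be signed on its own (no --deep) and flagging any .dylib that sits under a MacOS directory. The inside-out signing order, the list of bundle extensions and the function names are assumptions of this example.

```python
import os
import shlex
import sys

# Mach-O magics as read big-endian: thin 32/64-bit in both byte orders, plus universal.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}
# Assumed list of nested bundle types that are signed as a directory.
BUNDLE_EXTS = (".app", ".framework", ".bundle", ".xpc", ".appex")

def is_macho(path):
    """True if the file starts with a Mach-O or universal-binary magic number."""
    try:
        with open(path, "rb") as f:
            return int.from_bytes(f.read(4), "big") in MACHO_MAGICS
    except OSError:
        return False

def plan_signing(app):
    """Return (order, misplaced): items to sign deepest-first, and dylibs under MacOS/."""
    app = os.path.normpath(app)
    items, misplaced = [app], []
    for root, dirs, files in os.walk(app):  # does not descend into symlinked dirs
        rel_parts = os.path.relpath(root, app).split(os.sep)
        for d in dirs:
            path = os.path.join(root, d)
            if d.endswith(BUNDLE_EXTS) and not os.path.islink(path):
                items.append(path)
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path) or not is_macho(path):
                continue
            items.append(path)
            if name.endswith(".dylib") and "MacOS" in rel_parts:
                misplaced.append(path)

    def depth(path):
        return 0 if path == app else len(os.path.relpath(path, app).split(os.sep))

    # Deepest first, so every nested item is signed before the bundle that seals it.
    return sorted(items, key=lambda p: (-depth(p), p)), misplaced

if __name__ == "__main__":
    bundle, identity = sys.argv[1], sys.argv[2]
    order, misplaced = plan_signing(bundle)
    for path in misplaced:
        print("# belongs in Contents/Frameworks:", path)
    for path in order:  # dry run: prints one command per item, no --deep
        print("codesign -f -s", shlex.quote(identity), shlex.quote(path))
```

Run it as `python3 plan_signing.py RenderRob.app "My Name"` (the script file name is a placeholder); it only prints the commands, so the list can be reviewed before anything is signed.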
