macOS: Tk and PySide2, potentially others cannot be signed

[kayhayen]

There are two folders "http1.0" and "opt0.4" which should be renamed in the folder "tcl" of an app.

In the folder "/Library/Frameworks/Python.framework/Versions/3.10/lib/tcl8.6/" on macOS, I renamed "http1.0" to "http1_0" and renamed "opt0.4" to "opt0_4". They are copied to the folder of an app during Nuitka compiles the app. Now without "--onefile" but with "--enable-plugin=tk-inter --macos-create-app-bundle" the app can be successfully signed with a developer cert.

Similar things happen with PySide2, maybe we can find workarounds for these by renaming files.

[yikejiang]

It does not need to rename a folder, but just needs to enter a folder firstly and then run codesign for the files in the folder.

[yikejiang]

Well, it seems that signing an .app package is different from signing a command-line program. For a command-line program, we can enter the program's folders and sign the files. But for an .app package, it seems to be unavoidable to sign the .app itself. And if the .app includes a folder which name has a dot, the error will be unavoidable.

[kayhayen]

Yes, that's correct, with the dot. I am not sure what you mean with "command-line program", that's entirely separate from being an app in my understanding. Some packages will not work outside of apps.

What might be wrong is that Nuitka doesn't use the place that it is supposed to use for data files. The Tcl files are probably data files, and there is something for that in apps. I assume dots maybe are not an issue there. Once I find the time, I will try and change the tk-inter plugin to use better values for TCL_LIBRARY and TK_LIBRARY that point to there. That should be easy, and even if it doesn't work, it's kind of a cleanup.

However, package data will not necessarily work well with that in the general case, but maybe it's good enough. For the Qt bindings, I am not sure, what folder was to blame, but it might be one where code and data is mixed, but i am not sure of that anymore.

[kayhayen]

This should be done for 1.1 now that it is released, trying out moving the TCL files to a proper folder should not be too hard. Also, right that I have read it, I wonder, how CPython gets away with it for Tk at least, that is shipped by them too, and I believe also signed, is it not?

[kayhayen]

I just verified, indeed CPython has the directory http1.0 signed as is. There must be something that we are missing. I will try and find the codesign call in CPython repo now.

[kayhayen]

@kbrowser stupid question, but looking at the code, do you convert the app to a DMG file by chance? it seems that while Python builds a framework, it never signs it, and instead uses hdiutil to create a virtual disk out of the framework folder, adds icons to there, etc. and then productsign is used. Is that anything like your workflow?

[kayhayen]

Unsure now how DMG and PKG files relate to each other.

[kayhayen]

This is sliding to 1.3

[kayhayen]

No commercial interest in this it seems, so it's moved to 1.5, want to do it eventually, but other things are more important right now. Having my own M2 mini now surely will help.

[kayhayen]

Pushing this back to 1.6, don't think I want to delay 1.5 with 3.11 support due to it.

[kayhayen]

For tkinter, I have successfully done this:

python3.10 bin/nuitka-run --macos-create --noinclude-data-file=tcl/opt0.4 --noinclude-data-file=tcl/http1.0 tests/standalone/TkInterUsing.py

While deleting the files in the installation might be worthwhile, it seems some things work that way, and code signing goes through. It might be good enough to just ignore these in the tkinter plugin and that's it.

[kayhayen]

So, it seems that PySide2 and PyQt5 both got enhanced and do not trigger the signing issues anymore, so Nuitka was insisting on --onefile for them with no real point. And the change mentioned means that 1.8.4 can do it for tkinter, which obviously is never going to be changed retroactively.

[kayhayen]

Ah, I forgot to enable qml which is what actually causes the issue, it's still there of course, and no easy workaround in sight, we really need to force DMG files in these cases indeed.

[laggykiller]

While it is great that we can just --noinclude-data-file, this might not work if other package has directory with dot in it, or user wants to include a directory with dot in it.

From this SOF comment, would it be a good idea to copy all user data files, and at the very least offending packages into Contents/Resources/, then symlink back to Contents/MacOS?

We can also learn from pyinstaller, which they seem to replace the . with __dot__ in directory, then create a symlink to it. For example .dylibs/ become __dot__dylibs/, then create symlink .dylibs -> __dot__dylibs