Nuitka / Nuitka

Nuitka is a Python compiler written in Python. It's fully compatible with Python 2.6, 2.7, 3.4-3.13. You feed it your Python app, it does a lot of clever things, and spits out an executable or extension module.
http://nuitka.net
Apache License 2.0

macOS: Tk and PySide2, potentially others cannot be signed #1568

Open kayhayen opened 2 years ago

kayhayen commented 2 years ago

There are two folders "http1.0" and "opt0.4" which should be renamed in the folder "tcl" of an app.

In the folder "/Library/Frameworks/Python.framework/Versions/3.10/lib/tcl8.6/" on macOS, I renamed "http1.0" to "http1_0" and renamed "opt0.4" to "opt0_4". They are copied to the folder of an app when Nuitka compiles the app. Now without "--onefile" but with "--enable-plugin=tk-inter --macos-create-app-bundle" the app can be successfully signed with a developer cert.

Similar things happen with PySide2, maybe we can find workarounds for these by renaming files.

yikejiang commented 2 years ago

It is not necessary to rename a folder; one just needs to enter a folder first and then run codesign for the files in the folder.

yikejiang commented 2 years ago

Well, it seems that signing an .app package is different from signing a command-line program. For a command-line program, we can enter the program's folders and sign the files. But for an .app package, it seems to be unavoidable to sign the .app itself. And if the .app includes a folder whose name has a dot, the error will be unavoidable.

kayhayen commented 2 years ago

Yes, that's correct, with the dot. I am not sure what you mean by "command-line program", that's entirely separate from being an app in my understanding. Some packages will not work outside of apps.

What might be wrong is that Nuitka doesn't use the place that it is supposed to use for data files. The Tcl files are probably data files, and there is something for that in apps. I assume dots maybe are not an issue there. Once I find the time, I will try and change the tk-inter plugin to use better values for TCL_LIBRARY and TK_LIBRARY that point to there. That should be easy, and even if it doesn't work, it's kind of a cleanup.

However, package data will not necessarily work well with that in the general case, but maybe it's good enough. For the Qt bindings, I am not sure what folder was to blame, but it might be one where code and data are mixed, but I am not sure of that anymore.

kayhayen commented 2 years ago

This should be done for 1.1 now that it is released; trying out moving the TCL files to a proper folder should not be too hard. Also, now that I have read it, I wonder how CPython gets away with it for Tk at least; that is shipped by them too, and I believe also signed, is it not?

kayhayen commented 2 years ago

I just verified, indeed CPython has the directory http1.0 signed as is. There must be something that we are missing. I will try and find the codesign call in CPython repo now.

kayhayen commented 2 years ago

@kbrowser Stupid question, but looking at the code, do you convert the app to a DMG file by chance? It seems that while Python builds a framework, it never signs it, and instead uses hdiutil to create a virtual disk out of the framework folder, adds icons to there, etc., and then productsign is used. Is that anything like your workflow?

kayhayen commented 2 years ago

Unsure now how DMG and PKG files relate to each other.

kayhayen commented 1 year ago

This is sliding to 1.3

kayhayen commented 1 year ago

No commercial interest in this it seems, so it's moved to 1.5, want to do it eventually, but other things are more important right now. Having my own M2 mini now surely will help.

kayhayen commented 1 year ago

Pushing this back to 1.6, don't think I want to delay 1.5 with 3.11 support due to it.

kayhayen commented 1 year ago

For tkinter, I have successfully done this:

python3.10 bin/nuitka-run --macos-create --noinclude-data-file=tcl/opt0.4 --noinclude-data-file=tcl/http1.0 tests/standalone/TkInterUsing.py

While deleting the files in the installation might be worthwhile, it seems some things work that way, and code signing goes through. It might be good enough to just ignore these in the tkinter plugin and that's it.

kayhayen commented 1 year ago

So, it seems that PySide2 and PyQt5 both got enhanced and do not trigger the signing issues anymore, so Nuitka was insisting on --onefile for them with no real point. And the change mentioned means that 1.8.4 can do it for tkinter, which obviously is never going to be changed retroactively.

kayhayen commented 1 year ago

Ah, I forgot to enable qml which is what actually causes the issue, it's still there of course, and no easy workaround in sight, we really need to force DMG files in these cases indeed.

laggykiller commented 1 year ago

While it is great that we can just --noinclude-data-file, this might not work if another package has a directory with a dot in it, or the user wants to include a directory with a dot in it.

From this SOF comment, would it be a good idea to copy all user data files, and at the very least offending packages into Contents/Resources/, then symlink back to Contents/MacOS?

We can also learn from pyinstaller, where they seem to replace the . with __dot__ in the directory name, then create a symlink to it. For example .dylibs/ becomes __dot__dylibs/, then a symlink .dylibs -> __dot__dylibs is created.
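
The following sketch is an added example, not part of the thread and not code from Nuitka or PyInstaller. It combines the two ideas from the last comment: directories below Contents/MacOS whose names contain a dot are moved to Contents/Resources under a `__dot__` name and a relative symlink is left at the original path. Assumptions: the function names, the `Demo.app` sample tree and the exact naming scheme are hypothetical, and whether codesign accepts the resulting layout is not verified here.

```python
import os
import tempfile
from pathlib import Path


def find_dotted_dirs(macos_dir: Path) -> list:
    """Outermost real directories below Contents/MacOS whose name contains a dot."""
    found = []
    for root, dirs, _files in os.walk(macos_dir):
        for name in sorted(dirs):
            path = Path(root) / name
            if "." in name and not path.is_symlink():
                found.append(path)
        # A dotted directory is moved as a whole, so do not descend into it.
        dirs[:] = [d for d in dirs if "." not in d]
    return found


def relocate_dotted_dirs(app: Path) -> dict:
    """Move dotted directories to Contents/Resources and symlink them back."""
    macos = app / "Contents" / "MacOS"
    resources = app / "Contents" / "Resources"
    links = {}
    for src in find_dotted_dirs(macos):
        rel = src.relative_to(macos)
        # Assumed naming scheme: "." becomes "__dot__" in the relocated copy.
        dst = resources / rel.parent / src.name.replace(".", "__dot__")
        dst.parent.mkdir(parents=True, exist_ok=True)
        src.rename(dst)
        # Relative target keeps the bundle relocatable.
        target = os.path.relpath(dst, start=src.parent)
        src.symlink_to(target, target_is_directory=True)
        links[rel.as_posix()] = target
    return links


def build_sample_app(base: Path) -> Path:
    """Constructed stand-in for a compiled bundle (not real Nuitka output)."""
    app = base / "Demo.app"
    for rel in ("tcl/http1.0/http.tcl", "tcl/opt0.4/optparse.tcl", "tcl/init.tcl"):
        f = app / "Contents" / "MacOS" / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("# constructed\n")
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target in relocate_dotted_dirs(build_sample_app(Path(tmp))).items():
            print(f"{link} -> {target}")
```

Running `find_dotted_dirs` on its own before signing lists the directories that would need this treatment without changing the bundle.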