macOS binaries crash if codesigned with hardened runtime enabled #4629
Solved it! The solution is to enable hardened runtime, but give the app the specific entitlements that binaries built with PyInstaller require. To do this, make an entitlements plist file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- These are required for binaries built by PyInstaller -->
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
</dict>
</plist>
```

And when you codesign the app, give it these entitlements:
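The signing step the comment above describes, as an added example for this thread (not PyInstaller's own code and not the commenter's command): write the entitlements file, sign the bundle with the hardened runtime enabled, and then read the signature back to confirm the runtime flag and the entitlements are really there. It assumes macOS with the Xcode command line tools (`codesign`) and a "Developer ID Application" identity in the keychain; the app path, identity string and file names are placeholders.

```python
"""Sign a PyInstaller-built .app with the hardened runtime plus the
entitlements from this thread, then check what the signature carries.

Added example for this thread, not PyInstaller's own code. Assumes macOS
with Xcode command line tools (`codesign`) and a "Developer ID Application"
identity in the login keychain; APP, IDENTITY and file names are placeholders.
"""
import plistlib
import subprocess
from pathlib import Path

# Hardened-runtime exceptions the thread settled on. allow-jit and
# allow-unsigned-executable-memory let ctypes/libffi build executable
# trampolines in writable memory, which the hardened runtime otherwise
# refuses (hence the MemoryError raised while importing ctypes).
REQUIRED = {
    "com.apple.security.cs.allow-jit": True,
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
}
# Library validation rejects dylibs not signed by Apple or by the same Team
# ID as the app. Only turn it off if bundled .so/.dylib files still fail to
# load after they have been signed with the same identity as the app.
LIBRARY_VALIDATION_OFF = {"com.apple.security.cs.disable-library-validation": True}


def entitlements_plist(disable_library_validation=False):
    """Serialize the entitlements as an XML property list (bytes)."""
    ents = dict(REQUIRED)
    if disable_library_validation:
        ents.update(LIBRARY_VALIDATION_OFF)
    return plistlib.dumps(ents, fmt=plistlib.FMT_XML)


def parse_entitlements(data):
    """Parse a property list (from disk or from `codesign -d`) into a dict."""
    return plistlib.loads(data)


def codesign_command(target, identity, entitlements=None):
    """Command line that signs `target` with the hardened runtime enabled.

    --options runtime  enables the hardened runtime (needed for notarization)
    --timestamp        secure timestamp, also required by the notary service
    --force            replace whatever signature a previous run left behind
    Entitlements only matter for the main executable, so they are optional.
    """
    cmd = ["codesign", "--force", "--timestamp", "--options", "runtime"]
    if entitlements is not None:
        cmd += ["--entitlements", str(entitlements)]
    return cmd + ["--sign", identity, str(target)]


def sign_inside_out(app, identity, entitlements):
    """Sign bundled Mach-O libraries first, then the bundle itself.

    `--deep` is not used on purpose: it only descends into nested bundles
    and frameworks, while PyInstaller scatters .so and .dylib files under
    Contents/MacOS and Contents/Resources.
    """
    app = Path(app)
    for lib in (p for p in app.rglob("*") if p.suffix in (".so", ".dylib")):
        subprocess.run(codesign_command(lib, identity), check=True)
    subprocess.run(codesign_command(app, identity, entitlements), check=True)


def hardened_runtime_enabled(codesign_dvv_output):
    """True if `codesign -d -vv` output carries the runtime flag, e.g.
    `CodeDirectory v=20500 ... flags=0x10000(runtime) ...`."""
    return any("flags=" in line and "(runtime)" in line
               for line in codesign_dvv_output.splitlines())


def signed_entitlements(target):
    """Read the entitlements embedded in an existing signature.

    The leading ':' tells codesign to strip the entitlements blob header so
    plain XML reaches stdout (assumption: on macOS 12 and later add `--xml`).
    """
    out = subprocess.run(["codesign", "-d", "--entitlements", ":-", str(target)],
                         capture_output=True, check=True)
    return parse_entitlements(out.stdout)


def check(app):
    """Fail loudly if the bundle is not signed the way notarization needs."""
    subprocess.run(["codesign", "--verify", "--deep", "--strict", "--verbose=2",
                    str(app)], check=True)
    dvv = subprocess.run(["codesign", "-d", "-vv", str(app)],
                         capture_output=True, text=True)
    if not hardened_runtime_enabled(dvv.stderr):  # codesign -d reports on stderr
        raise SystemExit(f"hardened runtime not enabled on {app}")
    ents = signed_entitlements(app)
    missing = [k for k in REQUIRED if not ents.get(k)]
    if missing:
        raise SystemExit("missing entitlements: " + ", ".join(missing))


if __name__ == "__main__":
    APP = Path("dist/MyApp.app")                                       # placeholder
    IDENTITY = "Developer ID Application: Example Corp (TEAMID1234)"  # placeholder
    ENTS = Path("entitlements.plist")
    ENTS.write_bytes(entitlements_plist())
    sign_inside_out(APP, IDENTITY, ENTS)
    check(APP)
```

The verification at the end is the part worth keeping around: a bundle can be signed, pass `codesign --verify`, and still be rejected by the notary service because the runtime flag is absent from the CodeDirectory or the entitlements were applied to the wrong binary. Reading the signature back catches both before an upload.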
This solution solved the issue for me too. Thanks heaps micahflee!
It turns out
So is this issue fixed? Can it be closed? |
I'm still having issues with this, unfortunately. The error I'm getting in the console when I try to run a codesigned app that has the above mentioned entitlements is as follows:
I found the solution for that. Apparently you also need to add
Solved then?
Yes I think it's solved. It might be useful to document this somewhere though, since it's required now for macOS. |
@micahflee you mean apple dists need to be signed - it's mandatory now? If so, this is important to know. |
Yeah it's required now. You can't notarize the app if it's not hardened runtime. $%#%#% Apple. |
Yeah and you can't distribute the app to Catalina users if it's not notarized. Grrrrr... |
I feel you. My personal opinion is that apple's OSes are a beautiful work of art, but too restrictive. I prefer windows and linux. |
Yeah same. Also the consumer market for macOS is decent if you make games or other apps (mac app store) -- it's not hard to make a little revenue from their platform.. but yeah. I feel the exact same as you about it. |
Yup. As @cculianu said, apps that don't have hardened runtime enabled can't be notarized, and apps that aren't notarized won't run in macOS Catalina. It's definitely important for the PyInstaller project to pay attention to. |
@micahflee @cculianu This is very important. Could one of you open a new issue about this? Specifically the need to sign executables. I'd do it, but I don't run any apple, and you'll have more details than me. I'll tag the issue when it's opened. |
FTR using the plist file from that comment works like a charm for Nuxeo Drive. |
See pyinstaller/pyinstaller#4629, the app was crashing at startup:

```text
Traceback (most recent call last):
  File "site-packages/PyInstaller/loader/pyiboot01_bootstrap.py", line 129, in <module>
  File "<frozen importlib._bootstrap>", line 983, in _find_and_load
  File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
  File ".../PyInstaller/loader/pyimod03_importers.py", line 623, in exec_module
    exec(bytecode, module.__dict__)
  File "ctypes/__init__.py", line 551, in <module>
  File "ctypes/__init__.py", line 273, in _reset_cache
MemoryError
[6159] Failed to execute script pyiboot01_bootstrap
```
This file is to be used for manually re-signing the built app using hardened runtime. See: pyinstaller/pyinstaller#4629 We will add logic to the build script to automate this process at a later time -- but that logic will need this file anyway. For now we codesign the build binary again using hardened runtime and specifying this plist file.
I'm having a problem notarizing and distributing app packaged from pyinstaller to Catalina. In my entitlements.plist, I set com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory to true. I also tried setting com.apple.security.cs.disable-library-validation. However, if I do that, I can't even open it. It just asks me to trash it. Here's my command for code signing. When I open, I get this. Any help would be appreciated. Thanks!
I also tried to codesign libpython3.7m.dylib before running pyinstaller, but then I got "Killed: 9" when I run the app. It works fine if I don't codesign and allow it to run from system preference > security. I'd like to be able to distribute normally without users having to do that though. |
Man Apple creates such a burden on its developers. They actually cost people like me money every time they modify their increasingly restrictive security model. I wish they would have the good sense to fund projects such as this one. |
This commit fixes the loading of compiled python module by enabling the "allow-unsigned-executable-memory" hardened runtime exception. See https://developer.apple.com/documentation/security/hardened_runtime This fix is based on solution discussed in these posts: * https://haim.dev/posts/2020-08-08-python-macos-app/ * pyinstaller/pyinstaller#4629
* remove version number from release folder created, we'll need to hard-code the path_name in `gon.config.hcl` file later for notarization
* add notarization step
* pin pyinstaller version used
* add entitlements file (required for pyinstaller binary notarization) https://developer.apple.com/forums/thread/695989 pyinstaller/pyinstaller#4629
* Improve maintainability of the workflow
* pin pyinstaller in `build-crosscompile` step the same version that is in the workflow
Description of the issue
Apple now requires all apps to get signed by their notary service before they can get run in macOS Catalina. The notary service ensures that every binary in the app has security features enabled, including that they're codesigned and that they have the Hardened Runtime capability enabled. As of January 2020, Apple's notary service won't sign any apps that don't have Hardened Runtime: https://developer.apple.com/news/?id=09032019a
I can successfully build an app bundle with PyInstaller that executes without codesigning it. I can also codesign it (but without enabling Hardened Runtime), and the app runs fine:
But when I codesign and enable hardened runtime, the app crashes.
This is what happens when I try running the hardened runtime version of the app:
After doing some searching, it appears that this project had the exact same issue, and chose not to use hardened runtime: metabrainz/picard#1340 (comment)
However, Mac binaries built after January 2020 now require this if they're going to run in macOS Catalina, so not using hardened runtime isn't an option.
Context information (for bug reports)
pyinstaller --version: 3.6

Stacktrace / full error message
As shown above: