Error loading python lib after notarizing MacOS application

Question

My compiled python pyqt5 application does not work after being notarized by Apple systems. I am running Big Sur 11.4.

[8181] Error loading Python lib '/var/folders/v4/55fs66d13_zgjry5v8vpbbb40000gn/T/_MEIchDPs9/Python': dlopen: dlopen(/var/folders/v4/55fs66d13_zgjry5v8vpbbb40000gn/T/_MEIchDPs9/Python, 10): no suitable image found.  Did find:
    /var/folders/v4/55fs66d13_zgjry5v8vpbbb40000gn/T/_MEIchDPs9/Python: code signature in (/var/folders/v4/55fs66d13_zgjry5v8vpbbb40000gn/T/_MEIchDPs9/Python) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
    /var/folders/v4/55fs66d13_zgjry5v8vpbbb40000gn/T/_MEIchDPs9/Python: stat() failed with errno=1

It says it fails to find the python library.

I have tried, with no luck:

• Python 3.9.5
• Python 3.7.8
• Python 3.7.6 with pyinstaller 4.0

Making a non notarized executable works fine. There are two files in the app bundle. The pyqt5 application executable and a bash script. After the notarization the bash script works completely fine.

pyinstaller config:

pyinstaller --noconfirm --onefile --noconsole --icon ... --name ... --add-data ... main.py

Extra parameters added in the .spec file:

app = BUNDLE(exe,
             name='Application.app',
             icon='/Users/rokas/Desktop/USB_IoS/resources/icon.ico',
             bundle_identifier='com.application.upgrade.tool',
             info_plist={
               'CFBundleName': 'Application',
               'CFBundleDisplayName': 'Application',
               'CFBundleVersion': '1.0',
               'CFBundleShortVersionString': '1.0',
               'NSRequiresAquaSystemAppearance': 'No',
               'NSHighResolutionCapable': 'True',
             },
)

These are the entitlements I am giving to my application:

    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>

My application is supposed to open the shell script to do some functionality. But that is only a small part of functionality for it.

The code signing process is advised to be done inside out, but the application is a single file application so there is not much to sign. The sign command I use is.

codesign -s "Developer id certificate" -v --deep --timestamp --entitlements entitlements.plist -o runtime "application.app"

Answer 1

I am going to answer my own question because I solved the problem. The problem was with the entitlements I was giving my application.

It can very clearly be seen in one of the lines in the error message:

... not valid for use in process using Library Validation: ...

Because the app was calling a script that is in the app bundle it needed the one extra entitlement.

com.apple.security.cs.allow-unsigned-executable-memory

The guide I followed to notarize the MacOS application can be found here: https://haim.dev/posts/2020-08-08-python-macos-app/