How to deal with signing of app which changes its contents

I have an application which has .py files inside it (it's a developer tool and the Python executable must be provided by the user).

This means that when the user executes the application, .pyc files are generated inside it (it's not possible to pre-generate those because the user can select the Python interpreter he wants to use, and having the .pyc files for all existing Python interpreters is unwieldy).

So, I can sign and execute the application and all works well initially, but after the user executes code the notarization is no longer valid due to the pycache and .pyc files generated internally.

Is there a way out to make the notarization work in this scenario?

Accepted Reply

> Is there a way out to make the notarization work in this scenario?

No. App bundles are intended to be immutable. All of our platforms enforce that except macOS. Even on macOS, there are plenty of situations where an app will be unable to change its own contents, and that trend is likely to continue in the future.

For more on this, see Embedding nonstandard code structures in a bundle. Indeed, it uses .pyc and .pyo as an example of this problem.

My understanding is that it’s possible to configure the Python runtime to generate these files in some other location, and I encourage you to research and implement that option.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
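
An added example, not part of the original thread or Apple's code: one way to follow the suggestion above is to launch the user-selected interpreter with `PYTHONPYCACHEPREFIX` (Python 3.8 and later) pointing outside the signed bundle, and to fall back to `PYTHONDONTWRITEBYTECODE` for older interpreters. The bundle identifier, cache layout and function names are assumptions made for illustration.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

BUNDLE_ID = "com.example.devtool"  # hypothetical bundle identifier (assumption)


def interpreter_version(python_exe):
    """Ask the user-selected interpreter for its (major, minor) version."""
    probe = "import sys; sys.stdout.write('%d %d' % sys.version_info[:2])"
    out = subprocess.run([python_exe, "-c", probe], check=True,
                         capture_output=True, text=True).stdout.split()
    return int(out[0]), int(out[1])


def bytecode_env(version, cache_root, base_env=None):
    """Build an environment that keeps .pyc files out of the signed bundle."""
    env = dict(os.environ if base_env is None else base_env)
    if version >= (3, 8):
        # Separate cache per interpreter version, outside the bundle.
        prefix = Path(cache_root) / BUNDLE_ID / ("pycache-%d.%d" % version)
        prefix.mkdir(parents=True, exist_ok=True)
        env["PYTHONPYCACHEPREFIX"] = str(prefix)
        env.pop("PYTHONDONTWRITEBYTECODE", None)
    else:
        # Older interpreters ignore the prefix: disable bytecode writes instead.
        env["PYTHONDONTWRITEBYTECODE"] = "1"
    return env


def run_in_bundle(python_exe, code_dir, module, cache_root):
    """Import `module` from the bundle's code directory with the chosen interpreter."""
    env = bytecode_env(interpreter_version(python_exe), cache_root)
    env["PYTHONPATH"] = str(code_dir)
    subprocess.run([python_exe, "-c", "import " + module], check=True, env=env)


def demo():
    """Constructed sample: a temp directory stands in for the bundle's code directory."""
    with tempfile.TemporaryDirectory() as tmp:
        code_dir, cache_root = Path(tmp) / "Resources", Path(tmp) / "Caches"
        code_dir.mkdir()
        (code_dir / "tool_mod.py").write_text("VALUE = 1\n")
        run_in_bundle(sys.executable, code_dir, "tool_mod", cache_root)
        in_bundle = list(code_dir.rglob("*.pyc")) + list(code_dir.rglob("__pycache__"))
        return in_bundle, list(cache_root.rglob("*.pyc"))
```

In a real app, `cache_root` would be a per-user location such as `~/Library/Caches`, so the bundle's contents stay byte-for-byte as signed.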

Replies

Thank you very much.

For anyone interested, my solution to this was pre-creating the __pycache__ folders in directories that contained .py source code and making each a read-only directory (so Python will try to write the .pyc and will silently fail, and everything will work as usual -- it has a minor slowdown due to not having .pyc files, but in general it's not a big problem).

Best regards,

Fabio