Py2AppSigner Version 2.0

Introduction

This document is an update to the 1.0 version of the utility described here and implemented in this GitHub repository. The previous version of this utility was written as a set of bash scripts. As such, in order to update them for current Python versions, each Python version required its own separate scripts.

I abandoned that approach and instead implemented them as Python scripts that can be told at runtime which Python version to target, along with other runtime options. These scripts are meant to be installed in a Python virtual environment as command line utilities.

Steps Necessary to sign Py2App Applications

I observed that the Py2App application signs some of the libraries and components when you build a Python application. My experience has been that this is insufficient. Therefore, this set of signing utilities makes an effort to re-sign all necessary components with the signing developer's identity.

These scripts still depend on the developer generating the signed certificates, importing them into their Apple keychain, and setting the appropriate IDENTITY environment variable as described in the original document.

Installation

As mentioned before, these utilities are Python CLI scripts. They are published to PyPI. Install them in your virtual environment as follows:

pip install py2appsigner

Environment Variables

These scripts depend on the following environment variables:

  • PROJECTS_BASE – The local directory where the python projects are based

  • PROJECT – The name of the project; it should be a directory name

  • IDENTITY – Your Apple Developer ID code signing identity

Signing Steps

You must build your application prior to using these utilities.

There are four mandatory steps to sign your application and two optional steps.

Mandatory

The mandatory steps are:

  • Signing the internal application zip file

  • Signing the application itself

  • Notarizing the application

  • Stapling the application

Optional

The optional steps are:

  • Verifying application signing

  • Viewing the notarization details

Environment Variables

The easiest way to use the utilities is to pre-specify the following environment variables:

  • PROJECTS_BASE – The developer's project base directory. This is a fully qualified directory name.

  • PROJECT – This is just the simple project directory name located in the PROJECTS_BASE directory

  • IDENTITY – The developer's Apple code signing identity (this requires a paid Apple Developer Program membership). As described in this document, pre-specify the environment variable for code signing simplicity. For code signing, a digital identity must be stored in a keychain that is on the calling user's keychain search list.

The py2appSign command line has 2 sub-commands that the developer needs to execute:

  • zipsign

  • appsign

I’ll describe them in the following 2 sections.

Sign the internal zip file

Assuming you have defined the above environment variables, you can use the simple command line. The command line supports both long and short names for the options. This document uses them interchangeably as a way to showcase their use.

py2appSign --python-version 3.11 --application-name Pyut --verbose zipsign

In the above example we are doing the following:

  • Specified that the project was built using Python 3.11.x

  • The application name is Pyut. This is in ${PROJECTS_BASE}/${PROJECT}/dist/Pyut.app

Sign the Application

Again, assuming you have defined the environment variables as specified in the Environment Variables section above, you can use the following simple command line.

py2appSign -p 3.11 -a Pyut -v appsign

The appsign sub-command uses the same options as the zipsign command. Notice that in this example we used the short form of the option names.

Notarize the Application

This is the critical step. In this step, the utilities contact Apple's notary service and submit the application for a final baptism by the ultimate high priests at the holiest of holies. At this command's completion it provides a submission id. Be sure to stash this id in case you need to query the details of the notarization process.

appNotarize -d pyut -a Pyut --verbose

Staple the Application

Once notarization successfully completes, we staple the application viathe following command.

appStaple -d pyut -a Pyut --verbose

Verify Application Signing

For the sake of developer sanity, run a final verification. If this step fails, use the command in the View the Notarization Details section below to investigate the root cause of the failure.

appVerify -d pyut -a Pyut --verbose

View the Notarization Details

Use this command to inspect the notarization details.

notaryTool information -i {submission id}
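The whole procedure above as one script, added here as an example; it is not part of py2appsigner. It assumes the py2appSign, appNotarize, appStaple and appVerify commands are on PATH (the virtual environment is activated), that -d takes the project directory name as the page's `-d pyut` suggests, and that appNotarize echoes notarytool's output, which reports the submission on a line of the form `  id: <uuid>`. After the wrappers finish, it re-checks the bundle with Apple's own codesign, spctl and stapler, which is the verification worth running regardless of what the wrappers report. The sample notarization log embedded in the script is constructed, not real output.

```shell
#!/usr/bin/env bash
# Added example, not part of py2appsigner: run the four mandatory steps
# from one script, stop at the first failure, keep the submission id,
# and then re-check the bundle with Apple's own tools.
set -eu

# The three variables the py2appsigner commands rely on.
require_env() {
  local missing=0
  [ -n "${PROJECTS_BASE:-}" ] || { echo "missing PROJECTS_BASE" >&2; missing=1; }
  [ -n "${PROJECT:-}" ]       || { echo "missing PROJECT" >&2; missing=1; }
  [ -n "${IDENTITY:-}" ]      || { echo "missing IDENTITY" >&2; missing=1; }
  return "$missing"
}

# Where py2app leaves the bundle: ${PROJECTS_BASE}/${PROJECT}/dist/<App>.app
app_bundle_path() {
  printf '%s/%s/dist/%s.app\n' "$PROJECTS_BASE" "$PROJECT" "$1"
}

# Assumption: appNotarize echoes notarytool's output, which reports the
# submission on a line of the form "  id: <uuid>". Take the first one.
extract_submission_id() {
  awk '$1 == "id:" { print $2; exit }'
}

# A submission id is a UUID; anything else means the upload never got far
# enough to create a submission, so do not go on to staple.
is_uuid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Constructed sample of a notarization log, used only for self-testing.
SAMPLE_NOTARIZE_LOG='Submission ID received
  id: 2efe2717-52ef-43a5-96dc-0797e4ca1041
Processing complete
  id: 2efe2717-52ef-43a5-96dc-0797e4ca1041
  status: Accepted'

sign_pipeline() {
  local pyver="$1" app="$2" bundle id
  require_env
  bundle="$(app_bundle_path "$app")"
  [ -d "$bundle" ] || { echo "no bundle at $bundle; build first" >&2; return 1; }

  py2appSign --python-version "$pyver" --application-name "$app" --verbose zipsign
  py2appSign --python-version "$pyver" --application-name "$app" --verbose appsign

  # Assumption: -d takes the project directory name (the page passes "pyut").
  appNotarize -d "$PROJECT" -a "$app" --verbose > notarize.log 2>&1 \
    || { cat notarize.log >&2; return 1; }
  id="$(extract_submission_id < notarize.log)"
  is_uuid "$id" || { echo "no submission id in notarize.log" >&2; return 1; }
  echo "$id" > "$app.submission-id"   # later: notaryTool information -i "$id"

  appStaple -d "$PROJECT" -a "$app" --verbose
  appVerify -d "$PROJECT" -a "$app" --verbose

  # Independent checks with Apple's tools: every nested component's
  # signature, the Gatekeeper assessment, and the stapled ticket.
  codesign --verify --deep --strict --verbose=2 "$bundle"
  spctl --assess --type execute --verbose=2 "$bundle"
  xcrun stapler validate "$bundle"
}

if [ "$#" -eq 2 ]; then
  sign_pipeline "$1" "$2"
fi
```

Run it as `./sign_pipeline.sh 3.11 Pyut` from the activated virtual environment with PROJECTS_BASE, PROJECT and IDENTITY exported. The notarization output is captured to a file rather than piped so that a failed appNotarize cannot be masked by a later command in a pipeline, and the submission id is written beside the bundle for the notaryTool query later.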

Appendix

This section is an update to section 4 of the 1.0 version of this document.

Updated instructions to generate an app-specific password for the notarization tool

In order to run the notarization tool, you need an app-specific password associated with your Apple ID.

  1. Log in to your Apple ID account page. This is not the Apple developer site

  2. Click on the App-Specific Passwords link

  3. Click on the + sign

  4. Use a memorable name

  5. Click Create (You may have to re-login depending on your security configuration)

  6. Save the generated password for use in the next step

Save the app-specific password in your keychain

The command to save your app-specific password has changed with a recent update to the Xcode SDK. The new command is

xcrun notarytool store-credentials APP_PASSWORD --apple-id {your apple ID} --password {the generated app-specific password} --team-id {your apple developer team id}

Note that passing the password on the command line records it in your shell history; if you omit --password, notarytool prompts for it interactively instead.
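A small script for this step, added here as an example and not taken from the page or from py2appsigner. It stores the credentials under the page's APP_PASSWORD profile name without the app-specific password ever appearing on the command line, where it would land in shell history and in `ps` output, and then proves the stored profile works by listing the submission history. The Apple ID and team id format checks are assumptions about the inputs, not project behaviour.

```shell
#!/usr/bin/env bash
# Added example, not from the page or py2appsigner: store notarytool
# credentials without the app-specific password on the command line,
# then prove the stored profile works.
set -eu

PROFILE="${PROFILE:-APP_PASSWORD}"   # keychain profile name used by the page

# Assumption: Apple team IDs are ten upper-case letters or digits.
valid_team_id() {
  printf '%s' "$1" | grep -Eq '^[A-Z0-9]{10}$'
}

# Assumption: an Apple ID is an e-mail address; catch obvious slips early.
valid_apple_id() {
  printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'
}

store_credentials() {
  local apple_id="$1" team_id="$2"
  valid_apple_id "$apple_id" || { echo "not an Apple ID: $apple_id" >&2; return 1; }
  valid_team_id "$team_id"   || { echo "not a team id: $team_id" >&2; return 1; }

  # Without --password, notarytool prompts for the app-specific password
  # itself, so the secret never lands in shell history or `ps` output.
  xcrun notarytool store-credentials "$PROFILE" \
      --apple-id "$apple_id" --team-id "$team_id"

  # Prove the profile works before wiring it into the signing pipeline.
  xcrun notarytool history --keychain-profile "$PROFILE"
}

if [ "$#" -eq 2 ]; then
  store_credentials "$1" "$2"
fi
```

Run it as `./store_credentials.sh dev@example.com ABCDE12345` (constructed values) and enter the app-specific password at the prompt; a successful `history` listing, even an empty one, confirms the Apple ID, team id and password were accepted.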

Published by Humberto
