SIP 4.19.14 and newer breaks the macOS codesign on 10.9


SIP 4.19.14 and newer breaks the macOS codesign on 10.9

Tiger-222
SIP 4.19.14 and newer breaks the macOS codesign on macOS 10.9

Hello,

A long time ago I hit this issue: using SIP 4.19.13 and codesigning a .app
built with PyInstaller worked just fine.
But starting with SIP 4.19.14, it does not work anymore. I tried all newer
versions until 4.19.18.

Note that this works fine on macOS 10.14, but the issue I am targeting is
macOS 10.9 (used to build packages for maximum compatibility).

This is a simple bash script that will show the issue (file
sip-codesign.sh):

    #!/bin/bash
    #
    # Setup
    #     python3 -m venv ven37
    #     . ./ven37/bin/activate
    #     python -m pip install pyinstaller==3.5
    # Then
    #     bash sip-codesign.sh  # (this script)
    #
    set -eu

    # TODO: replace with yours
    SIGNINGID=""

    for ver in 3 4 5 7 8; do
        version="4.19.1${ver}"

        # Install SIP
        python -m pip install "pyqt5-sip==${version}"

        # Create a test script to ensure we are targeting the right version
        cat <<EOF > test.py
    from PyQt5.sip import SIP_VERSION_STR

    print(SIP_VERSION_STR)
    assert SIP_VERSION_STR == '${version}'
    EOF

        # Test it
        python test.py

        # Create a bundle
        python -m PyInstaller --clean --noconfirm --noconsole test.py

        # Test it
        ./dist/test/test
        open dist/test.app  # Nothing displayed, but no error either (good)

        echo ">>> Signing the app"
        codesign --deep --sign "${SIGNINGID}" dist/test.app

        echo ">>> Checking app signature validity"
        codesign -dv dist/test.app
        codesign --verbose=4 --deep --strict dist/test.app
        spctl --assess -v dist/test.app
    done

When all works fine (SIP 4.19.13), the output is:

    (...)
    >>> Signing the app
    >>> Checking app signature validity
    Executable=$HOME/dist/test.app/Contents/MacOS/test
    Identifier=test
    Format=app bundle with Mach-O thin (x86_64)
    CodeDirectory v=20200 size=9700 flags=0x0(none) hashes=298+3 location=embedded
    Signature size=8908
    Timestamp=30 août 2019 15:59:54
    Info.plist entries=8
    TeamIdentifier=<SIGNINGID>
    Sealed Resources version=2 rules=12 files=47
    Internal requirements count=1 size=164
    (...)
    --prepared:$HOME/dist/test.app/Contents/MacOS/PyQt5/sip.so
    --validated:$HOME/dist/test.app/Contents/MacOS/PyQt5/sip.so
    (...)
    dist/test.app: valid on disk
    dist/test.app: satisfies its Designated Requirement
    dist/test.app: accepted
    source=Developer ID

When it fails (SIP 4.19.14 and newer):

    (...)
    >>> Signing the app
   
    /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate: object: $HOME/dist/test.app/Contents/MacOS/PyQt5/sip.so malformed object (unknown load command 7)
    dist/test.app: the codesign_allocate helper tool cannot be found or used
    In subcomponent: $HOME/dist/test.app/Contents/MacOS/PyQt5/sip.so

It does not seem to be a PyInstaller issue as the only change is the SIP
version (it is using the same modules, Python version, etc.).

Do you have a clue? Is it already reported?

Thanks a lot!



-----
Mickaël Schoentgen.
[FR] Personal blog: http://www.tiger-222.fr 
--
Sent from: http://python.6.x6.nabble.com/PyQt-f1792048.html
_______________________________________________
PyQt mailing list    [hidden email]
https://www.riverbankcomputing.com/mailman/listinfo/pyqt
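
An added example, not part of the original post: a small Python Mach-O reader that lists a file's load commands by index and reports the command types found in a failing build but not in a working one, the comparison that the `sip.so` files from SIP 4.19.13 and 4.19.14 call for. It assumes the number in `unknown load command 7` is the command's position in that list; the two images are constructed stand-ins, and `list_load_commands`, `new_commands` and `sample_image` are names chosen here.

```python
import struct

# Subset of LC_* constants from <mach-o/loader.h>; other values are shown as hex.
LC_NAMES = {
    0x1: "LC_SEGMENT", 0x2: "LC_SYMTAB", 0xB: "LC_DYSYMTAB",
    0xC: "LC_LOAD_DYLIB", 0xD: "LC_ID_DYLIB", 0x19: "LC_SEGMENT_64",
    0x1B: "LC_UUID", 0x1D: "LC_CODE_SIGNATURE", 0x24: "LC_VERSION_MIN_MACOSX",
    0x26: "LC_FUNCTION_STARTS", 0x29: "LC_DATA_IN_CODE",
    0x2A: "LC_SOURCE_VERSION", 0x32: "LC_BUILD_VERSION",
    0x80000022: "LC_DYLD_INFO_ONLY",
}
HEADER_SIZE = {0xFEEDFACE: 28, 0xFEEDFACF: 32}  # mach_header / mach_header_64

def list_load_commands(data):
    """Return [(index, cmd, name, cmdsize)] for a thin little-endian Mach-O."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in HEADER_SIZE:
        raise ValueError("not a thin little-endian Mach-O (fat or foreign file?)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off = HEADER_SIZE[magic]
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past the end of the file")
    found = []
    for index in range(ncmds):
        if off + 8 > end:
            raise ValueError(f"load command {index} is truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"load command {index} has bad cmdsize {cmdsize}")
        found.append((index, cmd, LC_NAMES.get(cmd, hex(cmd)), cmdsize))
        off += cmdsize
    return found

def new_commands(working, failing):
    """Load commands of `failing` whose type never appears in `working`."""
    seen = {cmd for _, cmd, _, _ in list_load_commands(working)}
    return [entry for entry in list_load_commands(failing) if entry[1] not in seen]

def sample_image(cmds):
    """Constructed stand-in for sip.so: 64-bit header plus empty 16-byte commands."""
    body = b"".join(struct.pack("<II8x", cmd, 16) for cmd in cmds)
    return struct.pack("<IiiIIIII", 0xFEEDFACF, 0x01000007, 3, 8,
                       len(cmds), len(body), 0, 0) + body

WORKING = sample_image([0x19, 0x2, 0xB, 0x24, 0xC])  # constructed, not the real file
FAILING = sample_image([0x19, 0x2, 0xB, 0x32, 0xC])  # constructed, not the real file
```

On the real files, pass the bytes of `PyQt5/sip.so` from each bundle (`open(path, "rb").read()`) and look at the entry whose index matches the number in the `codesign_allocate` message.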

Re: SIP 4.19.14 and newer breaks the macOS codesign on 10.9

Tiger-222
I am sorry for the mistake, the macOS version is 10.11 (10.11.6 exactly), not
10.9.

Phil, do you know of such an issue? I read the SIP changelog but I am not good
enough to see what can cause such an error.
A broken codesign is really a no-go, and as the latest PyQt5 versions need an
up-to-date SIP, and for better Mojave support an up-to-date PyQt version is
needed ... You get the situation :)



-----
Mickaël Schoentgen.
[FR] Personal blog: http://www.tiger-222.fr 

Re: SIP 4.19.14 and newer breaks the macOS codesign on 10.9

Phil Thompson-5
On 07/10/2019 13:39, Tiger-222 wrote:

> I am sorry for the mistake, the macOS version is 10.11 (10.11.6
> exactly), not 10.9.
>
> Phil, do you know of such an issue? I read the SIP changelog but I am
> not good enough to see what can cause such an error.
> A broken codesign is really a no-go, and as the latest PyQt5 versions
> need an up-to-date SIP, and for better Mojave support an up-to-date
> PyQt version is needed ... You get the situation :)

I've never (knowingly) used codesign.

Phil

Re: SIP 4.19.14 and newer breaks the macOS codesign on 10.9

michael h
In reply to this post by Tiger-222

> I am sorry for the mistake, the macOS version is 10.11 (10.11.6 exactly), not
> 10.9.


Read this, I believe it will help you:


 


Re: SIP 4.19.14 and newer breaks the macOS codesign on 10.9

Tiger-222
In reply to this post by Phil Thompson-5
OK, so I finally worked around the issue by upgrading to PyQt 5.13.1, SIP
12.7.0 and macOS 10.12.
Then codesigning is OK :)



-----
Mickaël Schoentgen.
[FR] Personal blog: http://www.tiger-222.fr 