Fix macOS ad-hoc backend library-validation (runs off the build host) #164
Merged
…he build host
The PyInstaller onefile backend extracts its bundled libpython at runtime and
dlopen()s it; that dylib's code-signature Team ID differs from the ad-hoc-signed exe,
so macOS library validation refuses it ("different Team IDs") and the backend fails to
start ("did not start within 30s") on any mac other than the one that built it.
Ad-hoc builds now: build the .app only (Tauri deletes the .app right after the DMG and
signs the sidecar without the needed entitlement), re-sign the taskpaw-backend sidecar
with com.apple.security.cs.disable-library-validation (+ allow-dyld-env /
allow-unsigned-executable-memory for CPython), re-seal the app (non-deep, so the
entitlement survives), then build the DMG via hdiutil. Select the app by role
productName (--bundles app leaves both roles' .app in place). Developer-ID/notarized
release path (APPLE_SIGNING_IDENTITY) is untouched.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem
The PyInstaller onefile backend extracts its bundled libpython3.10.dylib at runtime and dlopen()s it. That dylib's code-signature Team ID differs from the ad-hoc-signed exe, so macOS library validation refuses it (... have different Team IDs) and the backend fails with "did not start within 30s" on any Mac other than the build host. (Confirmed on a deploy machine; a manual re-sign of the sidecar with disable-library-validation fixed it — this bakes that in.)
Fix
Ad-hoc builds (scripts/build.py, no APPLE_SIGNING_IDENTITY) now:
- tauri build --bundles app (Tauri deletes the .app right after making the DMG, and signs the sidecar without the needed entitlement).
- taskpaw-backend sidecar with com.apple.security.cs.disable-library-validation (+ allow-dyld-environment-variables / allow-unsigned-executable-memory for CPython) — taskpaw_v3/src-tauri/macos-adhoc-entitlements.plist.
- .app non-deep so the entitlement survives.
- hdiutil. App selected by role productName (both roles' .app coexist under --bundles app).
Developer-ID + notarized release path (APPLE_SIGNING_IDENTITY) is untouched.
Verified
- .app.
- codesign -d --entitlements on the sidecar shows disable-library-validation.
- codesign --verify --strict passes; sidecar loads Python (smoke run).
🤖 Generated with Claude Code
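The signing order described in this PR, as an added Python example that is not the project's scripts/build.py: it builds the entitlements plist, lists the commands in the order that keeps the sidecar's entitlements intact, and checks an entitlements dump from the signed sidecar. Function names, the path arguments, the sample paths and the UDZO image format are assumptions.

```python
import plistlib
from pathlib import Path

# Entitlement keys named in the PR description (full com.apple.security.cs.* form).
ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.cs.allow-dyld-environment-variables": True,
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
}

def entitlements_plist():
    """XML plist bytes to write to the entitlements file passed to codesign."""
    return plistlib.dumps(ENTITLEMENTS)

def adhoc_sign_plan(app, sidecar, ent_file, dmg, volname):
    """Commands in the order the PR describes: sidecar, outer seal, verify, DMG."""
    return [
        # 1. Ad-hoc ("-") re-sign of the sidecar only, carrying the entitlements.
        ["codesign", "--force", "--sign", "-", "--entitlements", str(ent_file), str(sidecar)],
        # 2. Re-seal the bundle WITHOUT --deep: a deep re-sign would re-sign the
        #    sidecar too and drop the entitlements applied in step 1.
        ["codesign", "--force", "--sign", "-", str(app)],
        # 3. Strict verification of the finished bundle.
        ["codesign", "--verify", "--strict", str(app)],
        # 4. Package the .app (compressed UDZO image is an assumption).
        ["hdiutil", "create", "-volname", volname, "-srcfolder", str(app),
         "-ov", "-format", "UDZO", str(dmg)],
    ]

def _granted(dumped):
    # An unentitled binary dumps nothing, so treat empty output as "none granted".
    return plistlib.loads(dumped) if dumped.strip() else {}

def missing_entitlements(dumped):
    """Required keys that the signed sidecar does not actually carry."""
    granted = _granted(dumped)
    return [k for k in ENTITLEMENTS if granted.get(k) is not True]

def unexpected_entitlements(dumped):
    """Keys granted beyond the three above (anything here widens the exception)."""
    return sorted(k for k, v in _granted(dumped).items() if v and k not in ENTITLEMENTS)

if __name__ == "__main__":
    app = Path("dist/Example.app")  # constructed sample paths
    for cmd in adhoc_sign_plan(app, app / "Contents/MacOS/taskpaw-backend",
                               "macos-adhoc-entitlements.plist", "dist/Example.dmg", "Example"):
        print(" ".join(cmd))
```

Feed `missing_entitlements` and `unexpected_entitlements` the XML plist dumped from the signed sidecar, so a build fails when the entitlement was lost or when more than the three intended exceptions were granted.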