
Fix macOS ad-hoc backend library-validation (runs off the build host)#164

Merged

AlvinShenSSW merged 1 commit into main from fix/macos-sidecar-library-validation, Jul 2, 2026

Conversation

@AlvinShenSSW

Owner

Problem

The PyInstaller onefile backend extracts its bundled libpython3.10.dylib at runtime and dlopen()s it. That dylib's code-signature Team ID differs from the ad-hoc-signed exe, so macOS library validation refuses it (... have different Team IDs) and the backend fails with "did not start within 30s" on any Mac other than the build host. (Confirmed on a deploy machine; a manual re-sign of the sidecar with disable-library-validation fixed it — this bakes that in.)

Fix

Ad-hoc builds (scripts/build.py, no APPLE_SIGNING_IDENTITY) now:

  1. tauri build --bundles app (Tauri deletes the .app right after making the DMG, and signs the sidecar without the needed entitlement).
  2. Re-sign the taskpaw-backend sidecar with com.apple.security.cs.disable-library-validation (+ allow-dyld-environment-variables / allow-unsigned-executable-memory for CPython) — taskpaw_v3/src-tauri/macos-adhoc-entitlements.plist.
  3. Re-seal the .app non-deep so the entitlement survives.
  4. Build the DMG via hdiutil. App selected by role productName (both roles' .app coexist under --bundles app).

Developer-ID + notarized release path (APPLE_SIGNING_IDENTITY) is untouched.

Verified

  • Built agent + hub DMGs; each contains its own role's .app.
  • codesign -d --entitlements on the sidecar shows disable-library-validation.
  • codesign --verify --strict passes; sidecar loads Python (smoke run).
  • Deploy machine (different Mac): backend starts after the equivalent manual re-sign.

🤖 Generated with Claude Code
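The re-sign / re-seal / verify sequence from the Fix and Verified sections, written out as an added example in Python (the language of scripts/build.py). This is not the PR's own code. It assumes, beyond what the page states, that the sidecar sits at Contents/MacOS/taskpaw-backend inside the .app, that ad-hoc signing uses the "-" identity with the hardened runtime enabled, and that codesign dumps entitlements as an XML plist (optionally behind a binary blob header). The runner is injectable so the ordering can be checked without codesign present.

```python
"""Ad-hoc re-sign of a Tauri sidecar so macOS library validation accepts a dlopen()'d dylib.

Added example, not code from the PR. Assumptions (not stated on the page): the sidecar
sits at Contents/MacOS/<name> inside the .app, ad-hoc signing uses identity "-" with
the hardened runtime enabled, and codesign prints entitlements as an XML plist.
"""
import plistlib
import subprocess
import sys
from pathlib import Path

# Entitlements the PR bakes into the ad-hoc path. disable-library-validation is the one
# that lifts the "different Team IDs" refusal; the other two are what CPython needs.
ADHOC_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.cs.allow-dyld-environment-variables": True,
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
}


def write_entitlements(path: Path) -> Path:
    """Write the entitlements plist (the PR keeps it at src-tauri/macos-adhoc-entitlements.plist)."""
    with Path(path).open("wb") as f:
        plistlib.dump(ADHOC_ENTITLEMENTS, f)
    return Path(path)


def sign_sidecar_cmd(sidecar: Path, entitlements: Path) -> list[str]:
    """Replace Tauri's entitlement-less ad-hoc signature on the sidecar with one that
    carries the entitlements. "--options runtime" is assumed: without the hardened
    runtime library validation is not enforced and the entitlement is moot."""
    return ["codesign", "--force", "--sign", "-", "--options", "runtime",
            "--entitlements", str(entitlements), str(sidecar)]


def seal_app_cmd(app: Path) -> list[str]:
    """Re-seal the outer bundle AFTER the sidecar was signed. Deliberately no --deep:
    a deep re-sign would sign the nested sidecar again and replace the signature
    that carries the entitlements."""
    return ["codesign", "--force", "--sign", "-", "--options", "runtime", str(app)]


def verify_cmd(app: Path) -> list[str]:
    return ["codesign", "--verify", "--strict", "--verbose=2", str(app)]


def show_entitlements_cmd(binary: Path) -> list[str]:
    # ":-" asks codesign to print the entitlements plist to stdout.
    return ["codesign", "-d", "--entitlements", ":-", str(binary)]


def entitlements_from_codesign_output(raw: bytes) -> dict:
    """Parse codesign's entitlement dump. Older codesign versions prefix the plist
    with a binary blob header, so skip ahead to the XML before parsing."""
    start = raw.find(b"<?xml")
    if start < 0:
        start = raw.find(b"<plist")
    if start < 0:
        return {}
    return plistlib.loads(raw[start:])


def missing_entitlements(found: dict) -> list[str]:
    """Keys from ADHOC_ENTITLEMENTS that are absent, or not true, on the sidecar."""
    return [k for k in ADHOC_ENTITLEMENTS if found.get(k) is not True]


def resign_adhoc_app(app, sidecar_name: str, entitlements, run=subprocess.run) -> list[str]:
    """Sidecar first, then the bundle, then verify. Returns the entitlements still
    missing on the sidecar afterwards (an empty list means the fix took). `run` is
    injectable so the sequence can be exercised without codesign installed."""
    app = Path(app)
    sidecar = app / "Contents" / "MacOS" / sidecar_name  # assumed sidecar location
    run(sign_sidecar_cmd(sidecar, Path(entitlements)), check=True)
    run(seal_app_cmd(app), check=True)
    run(verify_cmd(app), check=True)
    dump = run(show_entitlements_cmd(sidecar), check=True, capture_output=True).stdout
    return missing_entitlements(entitlements_from_codesign_output(dump))


if __name__ == "__main__":
    # Usage: python resign_adhoc.py "path/to/TaskPaw.app" taskpaw-backend
    app_path, name = Path(sys.argv[1]), sys.argv[2]
    ents = write_entitlements(app_path.parent / "macos-adhoc-entitlements.plist")
    missing = resign_adhoc_app(app_path, name, ents)
    print("OK" if not missing else f"sidecar still missing: {missing}")
    sys.exit(1 if missing else 0)
```

Run it on the build host after `tauri build --bundles app` and before packaging with hdiutil; a non-empty result means the outer re-seal clobbered the sidecar signature (typically a stray `--deep`) and the app will fail on other Macs exactly as the PR describes.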

…he build host

The PyInstaller onefile backend extracts its bundled libpython at runtime and
dlopen()s it; that dylib's code-signature Team ID differs from the ad-hoc-signed exe,
so macOS library validation refuses it ("different Team IDs") and the backend fails to
start ("did not start within 30s") on any Mac other than the one that built it.

Ad-hoc builds now: build the .app only (Tauri deletes the .app right after the DMG and
signs the sidecar without the needed entitlement), re-sign the taskpaw-backend sidecar
with com.apple.security.cs.disable-library-validation (+ allow-dyld-env /
allow-unsigned-executable-memory for CPython), re-seal the app (non-deep, so the
entitlement survives), then build the DMG via hdiutil. Select the app by role
productName (--bundles app leaves both roles' .app in place). Developer-ID/notarized
release path (APPLE_SIGNING_IDENTITY) is untouched.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@AlvinShenSSW AlvinShenSSW merged commit 8bbe40b into main Jul 2, 2026
7 checks passed
@AlvinShenSSW AlvinShenSSW deleted the fix/macos-sidecar-library-validation branch July 2, 2026 16:27