Runtime Error After Code Signing with Embedded Python 3.9.6 using PyInstaller 6.11.0 on macOS.6 #8929
I'm encountering a runtime error on macOS after code signing an executable built with PyInstaller 6.11.0. The executable embeds Python 3.9.6. The code signing process completes successfully using my Developer ID certificate. However, when I run the signed executable, it fails to load the embedded Python library, resulting in a code signature mismatch error at runtime. The executable runs correctly without code signing (using PyInstaller's ad-hoc signing).

Error Message:

```
[PYI-ERROR] Failed to load Python shared library '/tmp/<random_temp_dir>/Python3': dlopen: dlopen('/tmp/<random_temp_dir>/Python3', 0x000A): tried: '/tmp/<random_temp_dir>/Python3' (code signature in '/private/tmp/<random_temp_dir>/Python3.framework/Versions/3.9/Python3' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS/tmp/<random_temp_dir>/Python3' (no such file), ...
```

STEPS:
Replies: 1 comment 1 reply
If you sign an executable with an actual developer ID, then all shared libraries loaded by that executable need to be signed with that developer ID.

Therefore, you cannot post-hoc sign a onefile executable, because you are signing only the executable, while the collected shared libraries remain unsigned (or rather, remain ad-hoc signed).

There's a `--codesign-identity` command line option that allows you to pass your developer ID to the build process itself (so that collected shared libraries are also signed with that identity, instead of being ad-hoc signed).
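
An added example, not part of the original thread and not PyInstaller's own code: a Python script that compares the Team ID of a signed executable with that of every Mach-O file in a build directory, which is the condition named in the dlopen error above. It assumes the `TeamIdentifier=` line that `codesign -dvv` prints; the sample outputs and the `ABCDE12345` Team ID are constructed placeholders.

```python
import subprocess
import sys
from pathlib import Path

# Leading bytes of thin (32/64-bit, both byte orders) and universal Mach-O files.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xca\xfe\xba\xbf"}

# Constructed, trimmed samples of `codesign -dvv` output (ABCDE12345 is a placeholder).
SAMPLE_DEVELOPER_ID = "Identifier=app\nTeamIdentifier=ABCDE12345\n"
SAMPLE_ADHOC = "Identifier=Python3\nSignature=adhoc\nTeamIdentifier=not set\n"

def is_macho(header):
    return header[:4] in MACHO_MAGICS

def parse_team_id(codesign_output):
    """Return the TeamIdentifier value, or None for ad-hoc signed or unsigned code."""
    for line in codesign_output.splitlines():
        if line.startswith("TeamIdentifier="):
            value = line.split("=", 1)[1].strip()
            return None if value == "not set" else value
    return None

def team_id_of(path):
    # macOS only; codesign writes the signature details to stderr.
    proc = subprocess.run(["codesign", "-dvv", str(path)], capture_output=True, text=True)
    return parse_team_id(proc.stderr)

def find_mismatches(exe_team, lib_teams):
    """Paths whose Team ID differs from the executable's (the condition in the error)."""
    return sorted(path for path, team in lib_teams.items() if team != exe_team)

def audit(exe, bundle_dir):
    libs = {}
    for p in Path(bundle_dir).rglob("*"):
        if p.is_file() and not p.is_symlink():
            with p.open("rb") as fh:
                if is_macho(fh.read(4)):  # skip data files, only check loadable code
                    libs[str(p)] = team_id_of(p)
    exe_team = team_id_of(exe)
    return exe_team, find_mismatches(exe_team, libs)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit_team_ids.py <executable> <directory of collected files>")
    exe_team, bad = audit(sys.argv[1], sys.argv[2])
    print(f"executable Team ID: {exe_team}")
    for path in bad:
        print(f"MISMATCH: {path}")
    sys.exit(1 if bad else 0)
```

The script name `audit_team_ids.py` is a placeholder; point the second argument at a directory that holds the collected libraries, for example an unpacked build made with the same `--codesign-identity`.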