[PD-dev] codesigning externals (was Re: building fluidsynth~)

Dan Wilcox danomatika at gmail.com
Wed May 4 10:34:26 CEST 2022


This is correct. I added it to the Pd app bundle entitlements to get rid of the error dialog for (older) externals on macOS 10.15, I believe:

https://github.com/pure-data/pure-data/blob/master/mac/stuff/pd.entitlements

https://eclecticlight.co/2021/01/07/notarization-the-hardened-runtime/

If you start signing dynamic libs, I think you also need to set the min deployment target to 10.9 or above, at least for apps with a "hardened run-time", but I'm not sure if Pd does since we are (re)using the Wish app from the Tk build process. (I *think* it is as it is enabled during the code sign steps which apply the entitlements?) The security settings like these are much more obvious when making a more "native app" via Xcode but less so when building on the command line. In any case, I did a quick search and found the following:

https://developer.apple.com/forums/thread/130065

https://developer.apple.com/documentation/security/hardened_runtime

etc...

(Sorry for not being the authority on this. I honestly try to write scripts for this so I can flush my memory every time I deal with code signing.)

> On May 4, 2022, at 8:32 AM, pd-dev-request at lists.iem.at wrote:
> 
> i guess that while Pd has the permission to load *unsigned* externals, 
> macOS still refuses to load *signed* externals with an invalid signature.

--------
Dan Wilcox
@danomatika <http://twitter.com/danomatika>
danomatika.com <http://danomatika.com/>
robotcowboy.com <http://robotcowboy.com/>


