Have PyInstaller sign MacOS binaries

2026-06-28 09:51:36 +00:00 · 2024-09-17 21:35:47 -04:00
parent b7a20ceb4f
commit e54d3d274a
3 changed files with 19 additions and 11 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -608,12 +608,12 @@ jobs:
          rm -v "$gam"
          mv -v "${gam}-staticx" "$gam"

-      - name: MacOS sign GAM binary
-        if: runner.os == 'macOS'
-        run: |
-          security find-identity -v signing_temp.keychain
-          codesign --force --deep --sign "Jay Lee" --options=runtime --entitlements "${GITHUB_WORKSPACE}/.github/actions/entitlements.plist" --timestamp "$gam"
-          codesign -dv --verbose=4 "$gam"
+      #- name: MacOS sign GAM binary
+      #  if: runner.os == 'macOS'
+      #  run: |
+      #    security find-identity -v signing_temp.keychain
+      #    codesign --force --deep --sign "Jay Lee" --options=runtime --entitlements "${GITHUB_WORKSPACE}/.github/actions/entitlements.plist" --timestamp "$gam"
+      #    codesign -dv --verbose=4 "$gam"

      - name: MacOS send GAM binary for Apple notarization
        if: runner.os == 'macOS'
--- a/src/add_lib.py
+++ b/src/add_lib.py
@@ -0,0 +1,6 @@
+import os
+import sys
+
+
+sys.path.append(os.path.join(os.getcwd(), 'lib'))
+sys._MEIPASS=os.path.join(sys._MEIPASS, 'lib')
--- a/src/gam.spec
+++ b/src/gam.spec
@@ -30,7 +30,7 @@ a = Analysis(
    hiddenimports=hiddenimports,
    hookspath=[],
    hooksconfig={},
-    runtime_hooks=[],
+    runtime_hooks=['add_lib.py'],
    excludes=[],
    win_no_prefer_redirects=False,
    win_private_assemblies=False,
@@ -48,12 +48,16 @@ pyz = PYZ(a.pure,
          cipher=None)
 # requires Python 3.10+ but no one should be compiling
 # GAM with older versions anyway
+target_arch = None
+codesign_identity = None
+entitlements_file = None
 match platform:
    case "darwin":
        if getenv('arch') == 'universal2':
            target_arch = "universal2"
-        else:
-            target_arch = None
+        codesign_identity = getenv('codesign_identity')
+        if codesign_identity:
+            entitlements_file = '../.github/actions/entitlements.plist'
        strip = True
    case "win32":
        target_arch = None
@@ -68,8 +72,6 @@ upx = False
 console = True
 disable_windowed_traceback = False
 argv_emulation = False
-codesign_identity = None
-entitlements_file = None
 if not getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
    # Build one file
    exe = EXE(