<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Oct 28, 2018, at 2:57 PM, Glyph <<a href="mailto:glyph@twistedmatrix.com" class="">glyph@twistedmatrix.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="auto" class="Singleton"><blockquote type="cite" style="font-family: Menlo-Regular; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div dir="ltr" class=""><div class="">I wonder what the “hardened runtime” option actually does and enforces.   In 3.7 the line in ctypes/__init__.py that causes the exception is a call that creates a dummy C function, and likely triggers the first allocation for storing a libffi closure which could be something the hardened runtime doesn’t like (being writeable + executable memory). </div></div></blockquote><div style="caret-color: rgb(0, 0, 0); font-family: Menlo-Regular; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br class=""></div><div style="caret-color: rgb(0, 0, 0); font-family: Menlo-Regular; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Interesting. 
Perhaps what I want is simply <a href="https://developer.apple.com/documentation/security/com_apple_security_cs_allow-unsigned-executable-memory" class="">https://developer.apple.com/documentation/security/com_apple_security_cs_allow-unsigned-executable-memory</a> then?  Any chance you know how to jam that into a `codesign` command line somehow? :-)</div></div><br class="Apple-interchange-newline"></div></blockquote></div><br class=""><div class="">Thank you so much for this tip, Ronald!  This was much easier than I anticipated, and things are working now!</div><div class=""><br class=""></div><div class="">The relevant entitlements file is literally just:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class=""><?xml version="1.0" encoding="UTF-8"?></div><div class=""><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<a href="http://www.apple.com/DTDs/PropertyList-1.0.dtd" class="">http://www.apple.com/DTDs/PropertyList-1.0.dtd</a>"></div><div class=""><plist version="1.0"></div><div class=""><dict></div><div class=""><span class="Apple-tab-span" style="white-space:pre">	</span><key>com.apple.security.cs.allow-unsigned-executable-memory</key></div><div class=""><span class="Apple-tab-span" style="white-space:pre">	</span><true/></div><div class=""></dict></div><div class=""></plist></div></div></blockquote><br class=""><div class="">I dropped that in a file, added `--entitlements=$THAT_FILE.plist` to my codesign invocations, removed all my workarounds for ctypes et al. (except for the hard-coded 'import _cffi_backend' still necessary to convince modulegraph to include enough code for SSL to work), and then tried launching my app.  Success!  Then I tried notarizing it: also success!  
Time permitting, I'll be updating my blog post at <a href="https://glyph.twistedmatrix.com/2018/01/shipping-pygame-mac-app.html" class="">https://glyph.twistedmatrix.com/2018/01/shipping-pygame-mac-app.html</a> with this information, and possibly publishing the now unfortunately somewhat complex tooling I use to do signing now.</div><div class=""><br class=""></div><div class="">So I don't know if I'm the first to <i class="">do</i> this, but looking at the archives for these lists I seem to be the first to <i class="">report</i> it: you can successfully codesign and notarize apps created with py2app and python 3.6!</div><div class=""><br class=""></div><div class="">It seems to me that whatever "MAP_JIT" is (an mmap flag, I'm guessing?) libffi needs to be using it for the memory it places synthetic closures into, so that this entitlement won't be necessary with some future version of Python.  But it looks like Apple is not pushing particularly hard to deprecate this one right now, thank goodness :-).</div><div class=""><br class=""></div><div class="">-glyph</div></body></html>
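The procedure Glyph describes, as an added example that is not his tooling or any code from the thread: a script that writes the entitlements plist shown above, signs an app bundle with the hardened runtime enabled and that entitlements file, and then checks the entitlements embedded in the signed bundle rather than trusting the input file. The app path and signing identity are placeholders passed on the command line; `codesign` itself is only invoked in the `--run` branch, so the helper functions can be exercised on any machine. The check matters because `com.apple.security.cs.allow-unsigned-executable-memory` switches off the hardened runtime's W^X protection for the whole process; the narrower option Glyph alludes to is `com.apple.security.cs.allow-jit`, which only permits regions mapped with `MAP_JIT`, so it is worth confirming that the signed bundle carries exactly the one entitlement you meant to grant and nothing more.

```shell
#!/bin/sh
# Added example, not code from the mailing-list message. Assumed placeholders:
# the app bundle path and the "Developer ID Application" identity are
# supplied on the command line; the plist path is a temp file.

# Write the entitlements file from the message: one key, nothing else, so the
# rest of the hardened runtime stays enabled.
write_entitlements() {
    plist="$1"
    cat > "$plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
</dict>
</plist>
EOF
}

# Count how many com.apple.security.* keys a plist (or codesign's dump of a
# signed bundle) grants; used to confirm we granted only the one we intended.
count_entitlements() {
    grep -c '<key>com\.apple\.security\.' "$1"
}

# Succeed only if the plist grants the given key with <true/> on the next line.
has_entitlement() {
    plist="$1"; key="$2"
    grep -A1 "<key>$key</key>" "$plist" | grep -q '<true/>'
}

# Sign with the hardened runtime (--options runtime) AND the entitlements file.
# --options runtime is what makes notarization happy; --entitlements is what
# stops ctypes/libffi from aborting at launch under that runtime.
sign_app() {
    app="$1"; identity="$2"; plist="$3"
    codesign --force --options runtime --timestamp \
        --entitlements "$plist" --sign "$identity" "$app"
}

# Dump the entitlements actually embedded in the signed bundle (":-" strips the
# blob header and writes the XML to stdout).
dump_signed_entitlements() {
    codesign -d --entitlements :- "$1" 2>/dev/null
}

if [ "${1:-}" = "--run" ]; then
    APP="$2"        # e.g. dist/MyApp.app (placeholder)
    IDENTITY="$3"   # e.g. "Developer ID Application: Your Name (TEAMID)" (placeholder)
    ENT="$(mktemp)"
    write_entitlements "$ENT"
    sign_app "$APP" "$IDENTITY" "$ENT"
    dump_signed_entitlements "$APP" > "$ENT.signed"
    has_entitlement "$ENT.signed" com.apple.security.cs.allow-unsigned-executable-memory \
        || { echo "entitlement missing from signed bundle" >&2; exit 1; }
    echo "signed $APP with $(count_entitlements "$ENT.signed") entitlement(s)"
fi
```

Usage on a Mac with the signing identity in the keychain: `sh sign.sh --run dist/MyApp.app "Developer ID Application: Your Name (TEAMID)"`. The final count line is the thing to read before submitting for notarization; if it reports more than one entitlement, something other than this file ended up in the signature.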