How to code sign "libffi.8.dylib" on MacOS?

Question

I have created a python application that I build into a Unix executable using Pyinstaller. The application runs fine until I attempt to code sign it. After code signing, I get the following error when attempting to run the executable:

rosetta error: /var/db/oah/526469a4f4887ee6ca553807c3196c9533da7ef706c684764b83169e8658f8e2/ba3f613b849de777b4a89fdb1760c3c2343ac52546e2629e28f83fbf530a8f27/libffi.8.dylib.aot: unable to mmap __TEXT: 1

Is it possible to code sign dylib files such as this?

Steps to reproduce the error:

1. Create conda environment with python v3.9
2. Activate environment and conda install numpy and pyinstaller
3. Create python script that imports numpy. Doesn't matter what the python script does, can just be one line as long as it imports numpy.
4. Use pyinstaller to build a distribution for the python file, with code signing like so:

pyinstaller -y --clean --codesign-identity='<apple-id>' --osx-entitlements-file='<path-to-entitlements.plist-file>' <name-of-python-script>

5. Run the Unix executable that is produced inside the dist folder.

Answer 1

While I can't answer definitively, I think I have a solid guess.

The error you're encountering is likely due to the fact that the dynamic library (dylib) file libffi.8.dylib is not being properly signed during the PyInstaller build process.

If this is the case, here are the steps to manually sign the dylib file:

1. First, locate the libffi.8.dylib file in your PyInstaller bundle. It should be in the dist/<your-app-name>/ directory.

2. Use the codesign command to sign the dylib file. Replace <apple-id> with your Apple Developer ID and <path-to-libffi> with the path to the libffi.8.dylib file:

codesign --force --verify --verbose --sign "<apple-id>" "<path-to-libffi>"

3. Verify that the dylib file is properly signed:

codesign --verify --verbose "<path-to-libffi>"

4. Now, rebuild your PyInstaller bundle with the same command you used before. The libffi.8.dylib file should now be properly signed and the error should be resolved.

If you're still encountering the error, it's possible that there are other dylib files that also need to be signed. You can use the otool command to check for any unsigned dependencies:

otool -L <path-to-your-executable>

This will list all the dylib files that your executable depends on. You can then manually sign these files using the codesign command as described above.

If this is not the case, please let me know. But I hope this solves your issue.