[KevinH]

Yes, that should help. At least it shows what an entitlements file needs to look like and which exception setting a webkit/webengine based viewer might need to use, and where it goes in the signing process.

You are right, Apple's mac developer docs are bad and especially are horrible for anyone wanting to automate the process and not use XCode.

I am still unsure what exceptions are needed to embed an entire Python 3.7 interpreter inside our app, and how external python modules/packages will be viewed that are not signed, how pure python plugins are treated if not signed, etc. What about python byte code and bytecode caches being written to places inside the app. Their current docs seem set for simple do one thing apps.

Thanks again for the links. They will be a big help.

Quote:

Originally Posted by kovidgoyal

I looked into the hardened runtime a bit and it looks like most things can be turned off. For example, firefox is building with it according to this: https://bugzilla.mozilla.org/show_bug.cgi?id=1470597

Here is the firefox entitlements file:

https://d3kxowhw4s8amj.cloudfront.ne...7a/D27396.diff


Basically looks like adding that entitlements file and calling codesign with it should be all that's needed (and adding the enable hardened runtime flag to Infoplist)

But I have to say, Aple's documentation is horrenduous.