Closed
Open
Opened Apr 17, 2020 by vyasr (@vyasr)

Code signing of site-packages on MacOS Catalina

Python packages on PyPI can currently be installed for use with the ovitos interpreter using ovitos -m pip install.... For any Python package with extension modules, installing (either from a wheel or from source) will place shared libraries (or possibly even executables, although I don't think so) into the site-packages folder in the application (the path is something like Ovito.app/Contents/MacOS/Ovito.app/Contents/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/). Unfortunately, with the strict code signing requirements in Catalina, any .so files here can't actually be loaded without triggering code signing errors since the files were added after Ovito was installed. I'm not very familiar with the code signing process; is it possible to skip the signing of certain subdirectories of Contents? If so, are there security risks? I think it should be fine for Ovito to put the onus on users to not pip install something unsafe. At present this is rather inconvenient, and I'm overcoming it just by performing an ad hoc code signing of the entire Ovito package (codesign --force --deep -s - Ovito.app).

Reference: stuko/ovito#191
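
An added example, not part of the original issue and not OVITO code: a Python inventory of which native modules under a site-packages folder carry no embedded code signature, so that what pip placed into the bundle can be reviewed before anything is re-signed. The function names are hypothetical, and the check only looks for an LC_CODE_SIGNATURE load command; whether a signature is valid or trusted is decided by codesign and the loader on macOS.

```python
import os
import struct

LC_CODE_SIGNATURE = 0x1D         # load command that points at the embedded signature
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (multi-architecture) wrapper
# Thin Mach-O magic as stored on disk -> (byte order, header size)
THIN = {b"\xcf\xfa\xed\xfe": ("<", 32), b"\xce\xfa\xed\xfe": ("<", 28),
        b"\xfe\xed\xfa\xcf": (">", 32), b"\xfe\xed\xfa\xce": (">", 28)}

def slice_signed(f, base):
    """True/False if the Mach-O image at `base` carries a signature, None if not Mach-O."""
    f.seek(base)
    hdr = f.read(24)
    if len(hdr) < 24 or hdr[:4] not in THIN:
        return None
    order, hdr_size = THIN[hdr[:4]]
    ncmds, sizeofcmds = struct.unpack_from(order + "II", hdr, 16)
    f.seek(base + hdr_size)
    cmds = f.read(min(sizeofcmds, 1 << 20))  # cap reads driven by file-supplied sizes
    off = 0
    for _ in range(ncmds):
        if off + 8 > len(cmds):
            break                            # truncated or malformed load commands
        cmd, size = struct.unpack_from(order + "II", cmds, off)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if size < 8:
            break
        off += size
    return False

def is_signed(path):
    """None for non-Mach-O files, else True only if every architecture slice is signed."""
    with open(path, "rb") as f:
        head = f.read(8)
        if head[:4] != FAT_MAGIC:
            return slice_signed(f, 0)
        narch = struct.unpack(">I", head[4:8])[0] if len(head) == 8 else 0
        if not 0 < narch <= 32:              # Java class files share this magic
            return None
        table = f.read(20 * narch)           # fat_arch entries: offset is the 3rd field
        results = [slice_signed(f, struct.unpack_from(">I", table, i + 8)[0])
                   for i in range(0, len(table) - 19, 20)]
        return None if not results or None in results else all(results)

def unsigned_modules(site_packages):
    """Relative paths of Mach-O files under site_packages with no embedded signature."""
    paths = (os.path.join(r, n) for r, _d, names in os.walk(site_packages) for n in names)
    return sorted(os.path.relpath(p, site_packages) for p in paths
                  if not os.path.islink(p) and is_signed(p) is False)
```

Call `unsigned_modules()` with the site-packages path inside the application bundle; files it lists can then be checked individually with `codesign --verify` on macOS.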