Code signing of site-packages on macOS Catalina
Python packages on PyPI can currently be installed for use with the ovitos interpreter using ovitos -m pip install .... For any Python package with extension modules, installing (either from a wheel or from source) will place shared libraries (or possibly even executables, although I don't think so) into the site-packages folder in the application (the path is something like Ovito.app/Contents/MacOS/Ovito.app/Contents/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/). Unfortunately, with the strict code signing requirements in Catalina, any .so files here can't actually be loaded without triggering code signing errors, since the files were added after Ovito was installed. I'm not very familiar with the code signing process; is it possible to skip the signing of certain subdirectories of Contents? If so, are there security risks? I think it should be fine for Ovito to put the onus on users to not pip install something unsafe. At present this is rather inconvenient, and I'm overcoming it just by performing an ad hoc code signing of the entire Ovito package (codesign --force --deep -s - Ovito.app).
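As an added example (not part of the original post, and not Ovito project code), the script below scopes the workaround described above: instead of re-signing the whole Ovito.app bundle with --deep, it enumerates the native extension modules under a site-packages directory, checks each one with codesign --verify, reports the ones that fail, and optionally ad hoc signs only those. The function names, the SITE_PACKAGES variable and the CODESIGN override are assumptions of this example; the codesign flags (--verify, --strict, --force, -s -) are the macOS tool's own.

```shell
#!/bin/sh
# Added example, not from the original post or the Ovito project.
# Enumerate native extension modules under a site-packages directory,
# verify each one's code signature, and optionally ad hoc sign only the
# modules that fail, rather than re-signing the entire .app with --deep.
# CODESIGN is an assumed override so the file-handling logic can be
# exercised on a machine without the macOS codesign tool; leave it unset
# on a Mac.
CODESIGN="${CODESIGN:-codesign}"

# List shared libraries (.so, .dylib) below the given directory, one per line.
find_native_modules() {
    find "$1" -type f \( -name '*.so' -o -name '*.dylib' \) | sort
}

# Return 0 if codesign accepts the file's signature, non-zero otherwise.
verify_module() {
    "$CODESIGN" --verify --strict "$1" >/dev/null 2>&1
}

# Print the modules under the given directory whose verification fails.
unsigned_modules() {
    find_native_modules "$1" | while IFS= read -r mod; do
        verify_module "$mod" || printf '%s\n' "$mod"
    done
}

# Ad hoc sign (identity "-") only the modules that fail verification.
# An ad hoc signature satisfies the loader but asserts no identity, so this
# is no stronger than the post's --deep command; it only narrows its scope.
sign_unsigned_modules() {
    unsigned_modules "$1" | while IFS= read -r mod; do
        "$CODESIGN" --force -s - "$mod"
    done
}

# Usage (assumed): SITE_PACKAGES=/path/to/site-packages sh check_modules.sh [--sign]
if [ -n "${SITE_PACKAGES:-}" ]; then
    if [ "${1:-}" = "--sign" ]; then
        sign_unsigned_modules "$SITE_PACKAGES"
    else
        unsigned_modules "$SITE_PACKAGES"
    fi
fi
```

Run it without --sign first to see which modules the loader will reject; signing only those files keeps the bundle's original signatures intact and leaves an audit trail of exactly which third-party binaries were accepted into the application.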