Can I build a .app in such a way that I can later edit some information in it without Mac quarantining it?

[Shotgunosine]

I am trying to build an app that runs cognitive tasks. I'm building the .app file with PyInstaller 6.9.0 on an Intel Mac running Sonoma (14.7). Participants will be downloading the task from a website after completing a survey, and I want to embed a unique participant id into each .app before packaging it in a dmg for download so that the results of the task can be linked to the results of the survey and participants don't have to enter a code manually (which can be error prone). I'm accomplishing this by building the app with a WorkerID field in the plist of the same length as the worker ids generated by the website. When I try downloading and running a .app file that I've modified with pefile, I get a message saying:

“SUPREME.app” is damaged and can’t be opened. You should eject the disk image.

When I check the xattrs of the .dmg, sure enough, it's got a quarantine tag:

nielsond$ xattr SUPREME.dmg
com.apple.macl
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine
nielsond$ xattr -p com.apple.quarantine SUPREME.dmg
0081;673ba95b;Chrome;

I'm running the webpage from the Python 3.12 Docker image and using pefile 2024.8.26.
The code for the .app is here: https://github.com/compmem/cogmood
And the mac spec file specifically is here: https://github.com/compmem/cogmood/blob/master/package/cogmood_mac.spec
The code where I'm editing the .app is here: https://github.com/Shotgunosine/cogmood_backend/blob/e3e5231f0a3db123ca8b9654c1093e5ada071015/app/utils.py#L98-L114

Is there a different way to set up the .app so that I can embed a unique ID in each app before I package it in a .dmg for download?

[rokm]

If you modify .app bundle, you will need to re-sign it using the codesign utility (this applies both to modifications of Info.plist and addition/removal of files in the bundle).

See

pyinstaller/PyInstaller/building/osx.py

Lines 661 to 671 in a2a6d1e

	# Sign the bundle
	logger.info('Signing the BUNDLE...')
	try:
	osxutils.sign_binary(self.name, self.codesign_identity, self.entitlements_file, deep=True)
	except Exception as e:
	# Display a warning or re-raise the error, depending on the environment-variable setting.
	if os.environ.get("PYINSTALLER_STRICT_BUNDLE_CODESIGN_ERROR", "0") == "0":
	logger.warning("Error while signing the bundle: %s", e)
	logger.warning("You will need to sign the bundle manually!")
	else:
	raise RuntimeError("Failed to codesign the bundle!") from e

and

pyinstaller/PyInstaller/utils/osx.py

Lines 370 to 391 in a2a6d1e

	def sign_binary(filename, identity=None, entitlements_file=None, deep=False):
	"""
	Sign the binary using codesign utility. If no identity is provided, ad-hoc signing is performed.
	"""
	extra_args = []
	if not identity:
	identity = '-' # ad-hoc signing
	else:
	extra_args.append('--options=runtime') # hardened runtime
	if entitlements_file:
	extra_args.append('--entitlements')
	extra_args.append(entitlements_file)
	if deep:
	extra_args.append('--deep')
	logger.debug("Signing file %r", filename)
	cmd_args = [
	'/usr/bin/codesign', '-s', identity, '--force', '--all-architectures', '--timestamp', *extra_args, filename
	]
	p = subprocess.run(cmd_args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, encoding='utf-8')
	if p.returncode:
	raise SystemError(f"codesign command ({cmd_args}) failed with error code {p.returncode}!\noutput: {p.stdout}")

(you should probably be looking at ad-hoc signing codepath, i.e., without identitity).

[Shotgunosine]

Is there anyway to re-sign the bundle on linux?

[rokm]

Is there anyway to re-sign the bundle on linux?

No idea, sorry. We don't have use cases for signing macOS .app bundles on linux here, because they need to be built on native platform anyway...

[Shotgunosine]

Alright, thanks for the quick response!

[Shotgunosine]

In case anyone else stumbles on this, I was able to find a solution for signing mac apps on linux, the apple codesign tool from the zombie project pyoxidizer.

I was initially hesitant because it's a zombie and I've never used Rust, but it was easy to install in the docker image:

RUN curl https://sh.rustup.rs -sSf > install_rust.sh && \
bash install_rust.sh -y && \
. "$HOME/.cargo/env" && \
cargo install --git https://github.com/indygreg/apple-platform-rs --branch main --bin rcodesign apple-codesign 

And easy to use (in my case, running it from a python function):

sign_cmd = [
    '/root/.cargo/bin/rcodesign',
    'sign',
    img_app_path
]
run(sign_cmd)