Uploaded image for project: 'Qt for Python'
  1. Qt for Python
  2. PYSIDE-1445

macOS Gatekeeper does not allow app with embedded PySide2 to start

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Not Evaluated
    • None
    • 5.15.1
    • PySide
    • None
    • macOS 10.15 (Catalina) or macOS 11.0 (Big Sur)
      PySide 15.1 from PyPi
    • macOS

    Description

      A notarized macOS 10.15 application that includes Python and PySIde2 that has been downloaded from the web is not allowed to start when the application icon is double clicked.  The macOS security checker Gatekeeper reports "Application cannot be opened because the developer cannot be verified.  macOS cannot verify that this app is free from malware" and will not start the application.  The error messages is completely misleading.  The macOS notarization for the application succeeds with no errors.  The cause of failure turns out to be PySide2 15.1 from PyPi references non-system libraries outside PySIde2 and this a security weakness that prevents the notarized app from starting.  Two libraries and an executable in the PySIde2 have this problem:

      PySide2/Qt/plugins/sqldrivers/libqsqlodbc.dylib depends on /usr/local/opt/libiodbc/lib/libiodbc.2.dylib

      PySide2/Qt/plugins/sqldrivers/libqsqlpsql.dylib depends on /Applications/Postgres.app/Contents/Versions/9.6/lib/libpq.5.dylib

      PySide2/pyside2-lupdate executable sets LC_RPATH /Users/qt/work/install/lib

      These dependencies can be seen using macOS command otool -L and otool -l.

      I am not sure if any of these dependencies are intended to go into the PyPi distribution.  Possibly the first two are with the idea that the user would need to install these extra packages to make use of the SQL plugins.  The pyside2-lupdate use of LC_RPATH for the distribution looks simply wrong.

      I debugged this problem for an app I distribute ChimeraX and here is the  ChimeraX ticket giving more details.

      https://plato.cgl.ucsf.edu/trac/ChimeraX/ticket/4013

      This took about 8 hours to debug, largely because of the atrociously bad macOS Gatekeeper error handling – there appears to be no way to find why the application was blocked.  Only a system log message saying Gatekeeper blocked the application is issued.

      If these external dependencies are not intentional it would be good to eliminate them in the PyPi PySide2 distributions.

      If the external dependencies are desired, then there should be clear PySIde2 documentation of all the external dependencies since they run afoul of macOS security when included in notarized applications.

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            crmaurei Cristian Maureira-Fredes
            tgoddard Tom Goddard
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:

              Gerrit Reviews

                There are no open Gerrit changes