Unix Executable File cannot be verified by Apple.

[bobleer]

Env:

• macOS 15.1
• PyInstaller 6.11.1

Project include

• fastapi
• uvicorn
• aiohttp
• pydantic
• psutil

Symptoms:

When attempting to execute a PyInstaller-generated Unix executable, macOS displays the following Gatekeeper warning: "Apple could not verify “FILE_NAME” is free of malware that may harm your Mac or compromise your privacy."

Key Issue:

While I understand that macOS .app bundles require code signing, I've never encountered this issue with standalone Unix executables in the past. This is a new behavior.

Questions:

1. Has macOS changed its security policies regarding standalone executables? Is code signing now mandatory for all executables, even those not bundled as .apps?
2. Are there specific PyInstaller options or build steps required to address this new behavior?

Any insights would be greatly appreciated. Thanks.

[rokm]

Ad-hoc code signing is mandatory for all executables and binaries, and has been a while. But we do that (unless you specify actual codesign identity), so it shouldn't be a problem. I can launch built programs on my test system without running afoul of Gatekeeper.

Are we talking about onefile or onedir build?

Does it happen with every program (e.g., a hello world or something simpler), or just this one?

Is it on the same machine, or are you transferring the file to another one (and it might have gained com.apple.quarantine attribute while being downloaded)? If it is onedir build, are you copying the application directory around (without option to preserve symlinks)?

[bobleer]

Thank you for your response.

1. This project is built using the one-file option: pyinstaller -F filename.py
2. I tried building a "Hello, world!" program, and the same problem occurs.
3. ** No problem in build mac. But I transferred the file to another Mac, and the problem happened in another one.**
4. I compared the files from the build Mac and the receiving Mac using xattr -l FILENAME. The file from the build Mac has no attributes. However, the transferred file has com.apple.quarantine and com.apple.macl attributes.

Therefore, is it impossible to distribute self-built binary executables from one Mac to another? Or are there necessary steps before distribution, such as code signing, removing file tags, or other solutions?

Looking forward to your answer. Thank you.

[rokm]

3. ** No problem in build mac. But I transferred the file to another Mac, and the problem happened in another one.**

4. I compared the files from the build Mac and the receiving Mac using xattr -l FILENAME. The file from the build Mac has no attributes. However, the transferred file has com.apple.quarantine and com.apple.macl attributes.

That's the root of the problem, then. When a binary is downloaded, macOS applies the com.apple.quarantine attribute. (Likely the same if the executable was inside a .zip archive).

You could have user manually remove the attribute: xattr -dr com.apple.quarantine <filename> (the recursive option is redundant in this case, since it's a single file).

You could try signing the executable with Apple Developer ID - but with onefile build, you also need to ensure that all collected binaries and shared libraries are signed, so you will need to use --codesign-identity option during build.

Perhaps you could put the executable into a DMG (I'm not sure if that's an option only for .app bundles, or also for regular executables); see #8268

[bobleer]

It helps. Thank you very much.