David David - 3 months ago 13
Python Question

Allow Python.app on El Captain (OS X)

enter image description here

I'm using a

python
executable in a virtual environment. I tried doing the whole
codesign
thing as described here, including creating the certificate, etc. The command worked, but the result stayed the same. I think it used to work on previous versions of OS X, but I currently use the most recent El Capitan version (10.11.6) and it's not working anymore. Any ideas on how to fix it?

EDIT: I did see this solution, but since my python is in a virtual environment, I'm not sure it applies, unless you guys say otherwise...

EDIT 2: I tried the solution above, didn't work. I should mention that I am codesigning the python executable in the virtualenv.

EDIT 3: The thing that ended up working for me was upgrading
flask
to the current version, (using
pip install flask --upgarde
), and running the app with
export FLASK_APP=app.py; flask run
instead of with
python app.py
. When you run the app with
flask run
, the annoying dialog box doesn't pop up anymore. No codesigning needed to my knowledge. Hope this helps someone.

Answer

Why is that happening?

So the python executables in El Capitan spawns .../Python.framework/Versions/2.7/Resources/Python.app + some extra magic. The problem is that the framework bundle doesn't have its own signature, and it uses signatures of parent application binaries.

How to check?

The first thing to check after installing applications from non-Apple-maintained-source-that-might-steal-your-soul, is to check if the application you are installing is restricted:

ls -lO /System/Library/Frameworks/Python.framework/Versions/2.7/
csrutil status

If it is restricted it cannot be removed (even with root) as long as SIP is enabled.

What to do?

So you have several different options you must try:

  • Pre-Option 0 - I think you are doing it already: I am not sure how you are maintaining your virtual environments, so just confirm you are going through the process, like here.

  • Option 1 - safe, but might not work: Use brew to maintain your executables and pip to maintain your packages. That usually solves the problem immediately, but I am not sure what is your case :)

  • Option 2 - dangerous, but will work: Check and Disable the SIP. Unless you work in an environment protected by a team of IT guys with years of security experience, I don't suggest it. This option WILL solve the issue, but you basically getting rid of one of the security layers... GL!

UPDATE 1

There is another option (not sure if you tried it though)

  • Option 1.5 - I have no idea if it will work: Try Option 1 (csrutil disable), reboot, go through the codesign process, reboot, and undo the Option 1 (csrutil enable). I have never tried it, but it doesn't mean you can't :))) Credit goes to this SO answer here
Comments