On an M1 Mac mini running MacOS 11.2.2, having installed one of the Apple Silicon builds, Python would report that I was “Trying to load an unsigned library”. Turns out that it was not so hard to solve. At least now it appears to work after I executed these commands
ls -1 *.so | awk '{print "codesign -s -", $1}' | sh
ls -1 *.dylib | awk '{print "codesign -s -", $1}' | sh
As I understand ‘-s -’ signs with the ad hoc signature. I looked at some other Python libraries in the site-packages directory and they had been signed ‘adhoc’ whereas all panda3d libraries were unsigned. I suppose it comes down to specifics of the build process, but no actual certificate was provided by me.
I first looked at numpy which was ‘adhoc’ signed. Also, I develop pygel3d, and you can see below that it is also ‘adhoc’ code signed. I did nothing to achieve this. It is a very standard build process using CMake. However, the compiler is ‘clang’. If Panda3d is compiled and linked with a different tool chain that could be the reason.
Some more experimentation shows that invoking with the linker with -arch arm64does generate the signature, but adding -arch arm64 -arch x86_64 (which is what we do to create a universal wheel) doesn’t. How odd.
Ok. I was mistaken. I can confirm that the dylib in the GEL wheel on PyPI does not have a signature - I get the same result as you. The version I tested was compiled on my local machine (M1 Mac mini). The PyPI version is compiled on GitHub for X86_64 using GitHub Actions. Honestly, I thought that there would be no difference regarding signature, but turns out I was wrong. It is the same version of Xcode but GitHub does not run MacOS 11 yet.
So, the question is why on earth there is a signature if it is compiled for arm64 but not if it is compiled x86_64 or for both architectures. For now, I guess you could run codesign afterwards, but it seems to be a bug in Apple’s toolchain.
I figured out that it’s because the fat binary as a whole isn’t codesigned, only the embedded arm64 binary, as can be confirmed using lipo -extract arm64.
This appeared to be a red herring, the problem is that we apparently have a codesign --strip-signature in our process of building a wheel:
We ought to replace this with a codesign -s - step when building for arm64.
I fear the whl signatures are in a bad state — this may correspond to when I had to downgrade from doing osx_11_0 builds to osx_10_14 builds.
% python3 setup_glb.py build_apps
running build_apps
Building platforms: macosx_11_0_x86_64
Gathering wheels for platform: macosx_11_0_x86_64
Looking in indexes: https://pypi.org/simple, https://archive.panda3d.org/simple/opt, https://archive.panda3d.org/thirdparty
Collecting panda3d
Using cached https://buildbot.panda3d.org/downloads/v1.10.9/opt/panda3d-1.10.9%2Bopt-cp39-cp39-macosx_11_0_universal2.whl (111.0 MB)
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
panda3d from https://buildbot.panda3d.org/downloads/v1.10.9/opt/panda3d-1.10.9%2Bopt-cp39-cp39-macosx_11_0_universal2.whl#md5=6719fa4ca2fc24591b4a7638d2eebc87 (from -r <redacted>/requirements.txt (line 1)):
Expected md5 6719fa4ca2fc24591b4a7638d2eebc87
Got 651b1c61dd502d24a26254f955af115a