Attempt to make progress on macOS code signing

Author: pjkundert

Makefile

@@ -22,14 +22,14 @@ APPID		?= 1608360813
 #DEVID		?= DDB5489E29389E9081E0A2FD83B6555D1B101829
 #DEVID		?= 3rd Party Mac Developer Application: Perry Kundert ($(TEAMID))
 #DEVID		?= A5DE932A0649AE3B6F06A8134F3E19D2E19A8196
-# Developer ID Application (not for Mac App Store)
-DEVID		?= EAA134BE299C43D27E33E2B8645FF4CF55DE8A92
-
-#PKGID		?= 3rd Party Mac Developer Installer: Perry Kundert ($(TEAMID))
-#PKGID		?= 1B482CEB543825C33C366A5665B935D3CEC9FD05
+# Developer ID Application (not for Mac App Store) (exp. Friday, November 10, 2028 at 14:19:34 Mountain Standard Time)
+#DEVID		?= EAA134BE299C43D27E33E2B8645FF4CF55DE8A92
+# 3rd Party Mac Developer Application; for signing for Mac App Store
+DEVID		?= AAEEBB68998F340D00A05926C67D77980D562856
 
 PKGID		?= Developer ID Installer: Perry Kundert ($(TEAMID))
-
+#PKGID		?= CC8AA39695DCC81F0DD56063EBCF033DC2529CC7
+#PKGID		?= 3rd Party Mac Developer Installer: Perry Kundert ($(TEAMID))
 
 BUNDLEID	?= ca.kundert.perry.SLIP39
 APIISSUER	?= 5f3b4519-83ae-4e01-8d31-f7db26f68290
@@ -49,7 +49,11 @@ SIGNTOOL	?= "c:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86\signtoo
 
 NIX_OPTS	?= # --pure
 
-# PY[3] is the target Python interpreter; require 3.11+.  Detect if it is named python3 or python, and if system, nix or venv-supplied.
+# PY[3] is the target Python interpreter; require 3.11+.  Detect if it is named python3 or python,
+# and if system, nix or venv-supplied.  NOTE: Don't try to provide a full path to a Python
+# interpreter as the PYTHON variable, as this will interfere with properly using the venv-supplied
+# python.  Instead, alter the PATH variable so the 'make' invocation sees the correct target Python.
+
 PYTHON		?= $(shell python3 --version >/dev/null 2>&1 && echo python3 || echo python )
 PYTHON_P	= $(shell which $(PYTHON))
 PYTHON_V	= $(shell $(PYTHON) -c "import sys; print('-'.join((('venv' if sys.prefix != sys.base_prefix else next(iter(filter(None,sys.base_prefix.split('/'))))),sys.platform,sys.implementation.cache_tag)))" 2>/dev/null )
@@ -65,7 +69,7 @@ else
 endif
 
 # To see all pytest output, uncomment --capture=no, ...
-PYTEST_OPTS	?= -v # --log-cli-level=WARNING --capture=no  # --doctest-modules 
+PYTEST_OPTS	?= -vv # --capture=no --log-cli-level=INFO  # --doctest-modules 
 
 PYTEST		= $(PYTHON) -m pytest $(PYTEST_OPTS)
 
@@ -373,24 +377,29 @@ $(VENV):
 wheel:			deps $(WHEEL)
 
 $(WHEEL):		FORCE
-	$(PYTHON) -m pip install -r requirements-tests.txt
+	$(PYTHON) -m pip install -r requirements-dev.txt
 	$(PYTHON) -m build
 	@ls -last dist
 
-# Install from wheel, including all optional extra dependencies (except dev)
+# Install from wheel, including all optional extra dependencies (except dev).  Always use the venv (or global) 
 install:		$(WHEEL) FORCE
-	$(PYTHON) -m pip install --force-reinstall $<[all]
+	$(PYTHON) -m pip install --no-user --force-reinstall $<[all]
 
 install-%:  # ...-dev, -tests
-	$(PYTHON) -m pip install --upgrade -r requirements-$*.txt
+	$(PYTHON) -m pip install --no-user --upgrade -r requirements-$*.txt
 
 
 # Building / Signing / Notarizing and Uploading the macOS or win32 App
 # o TODO: no signed and notarized package yet accepted for upload by macOS App Store
 # 
 # Mac:  To build the .dmg installer, run:
+#    nix develop
+#    PYTHON=python3.12 make venv
+#  - In the venv:
 #    make clean
 #    make installer  # continue running every couple of minutes 'til the App is notarized
+#  - Once .pkg is successfully notarized, upload it:
+#    make app-pkg-upload
 #
 installer:		$(INSTALLER)
 
@@ -642,7 +651,7 @@ dist/SLIP-39-$(VERSION).zip:	dist/SLIP-39.app
 	codesign -dv -r- $<
 	codesign -vv $<
 	rm -f $@
-	/usr/bin/ditto -c -k --keepParent "$<" "$@"
+	/usr/bin/ditto -c -k --sequesterRsrc --keepParent "$<" "$@"
 	@ls -last dist
 
 # Upload and notarize the .zip, unless we've already uploaded it and have a RequestUUID
@@ -777,13 +786,13 @@ dist/SLIP-39.app: 		SLIP-39-macOS.spec \
 				$(PROVISION)
 	@echo -e "\n\n*** Rebuilding $@, version $(VERSION)..."
 	rm -rf build $@*
-	sed -I "" -E "s/version=.*/version='$(VERSION)',/" $<
-	sed -I "" -E "s/'CFBundleVersion':.*/'CFBundleVersion':'$(VERSION)',/" $<
-	sed -I "" -E "s/codesign_identity=.*/codesign_identity='$(DEVID)',/" $<
+	sed -i"" -E "s/version=.*/version='$(VERSION)',/" $<
+	sed -i"" -E "s/'CFBundleVersion':.*/'CFBundleVersion':'$(VERSION)',/" $<
+	sed -i"" -E "s/codesign_identity=.*/codesign_identity='$(DEVID)',/" $<
 	pyinstaller --noconfirm $<
 	#echo "Copying Provisioning Profile..."; rsync -va $(PROVISION) $@/Contents/embedded.provisionprofile
 	echo "Checking signature (pyinstaller signed)..."; ./SLIP-39.metadata/check-signature $@ || true
-	codesign --verify --verbose $@
+	codesign --verify --verbose $@ || echo "Not valid; codesign-ing..."
 	# codesign --deep --force \
 	#     --all-architectures --options=runtime --timestamp \
 	#     --sign "$(DEVID)" \

SLIP-39-macOS.spec

@@ -45,25 +45,26 @@ exe = EXE(
     console=False,
     disable_windowed_traceback=False,
     argv_emulation=False,
+    #target_arch='universal2',  # Requires Python fat binary
     target_arch=None,
-    codesign_identity='EAA134BE299C43D27E33E2B8645FF4CF55DE8A92',
-    entitlements_file=None,
+    codesign_identity='AAEEBB68998F340D00A05926C67D77980D562856',
+    entitlements_file='SLIP-39.metadata/entitlements.plist',
     icon='images/SLIP-39.icns',
 )
 
 app = BUNDLE(
     exe,
     name='SLIP-39.app',
     icon='images/SLIP-39.icns',
-    version='11.2.1',
+    version='14.0.0',
     info_plist={
         'NSPrincipalClass': 'NSApplication',
         'NSAppleScriptEnabled': False,
         'LSBackgroundOnly': False,
         'NSRequiresAquaSystemAppearance': 'No',
         'CFBundleSupportedPlatforms': ['MacOSX'],
         'CFBundleIdentifier': 'ca.kundert.perry.SLIP39',
-        'CFBundleVersion':'11.2.1',
+        'CFBundleVersion':'14.0.0',
         'CFBundlePackageType':'APPL',
         'LSApplicationCategoryType':'public.app-category.utilities',
         'LSMinimumSystemVersion':'10.15',

SLIP-39.metadata/entitlements.plist

@@ -4,11 +4,10 @@
   <dict>
     <key>com.apple.security.files.user-selected.read-write</key>	<true/>
     <!-- These are required for binaries built by PyInstaller -->
-    <!--
-    <key>com.apple.security.app-sandbox</key>				<true/>
-      -->
     <key>com.apple.security.cs.allow-jit</key>				<true/>
     <key>com.apple.security.cs.allow-unsigned-executable-memory</key>	<true/>
     <key>com.apple.security.cs.disable-library-validation</key>		<true/>
+    <!-- The app-sandbox is required by the App Store, but you must ensure console=False -->
+    <key>com.apple.security.app-sandbox</key>				<true/>
   </dict>
 </plist>

default.nix

@@ -0,0 +1,63 @@
+{
+  description = "Python HD Wallet development environment with multiple Python versions";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/25.05";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = nixpkgs.legacyPackages.${system};
+        
+        # Create Python environments with required packages
+        mkPythonEnv = pythonPkg: pythonPkg.withPackages (ps: with ps; [
+          pytest
+          coincurve
+          scikit-learn
+          pycryptodome
+          pynacl
+        ]);
+
+        python310Env = mkPythonEnv pkgs.python310;
+        python311Env = mkPythonEnv pkgs.python311;
+        python312Env = mkPythonEnv pkgs.python312;
+        python313Env = mkPythonEnv pkgs.python313;
+        python314Env = mkPythonEnv pkgs.python314;
+
+      in {
+        # Single development shell with all Python versions
+        devShells.default = pkgs.mkShell {
+          buildInputs = with pkgs; [
+            # Common tools
+            cacert
+            git
+            gnumake
+            openssh
+            bash
+            bash-completion
+
+            # All Python versions with packages
+            #python310Env
+            python311Env
+            python312Env
+            python313Env
+            #python314Env
+          ];
+
+          shellHook = ''
+            echo "Welcome to the multi-Python development environment!"
+            echo "Available Python interpreters:"
+            echo "  python (default): $(python --version 2>&1 || echo 'not available')"
+           #echo "  python3.10: $(python3.10 --version 2>&1 || echo 'not available')"
+            echo "  python3.11: $(python3.11 --version 2>&1 || echo 'not available')"
+            echo "  python3.12: $(python3.12 --version 2>&1 || echo 'not available')"
+            echo "  python3.13: $(python3.13 --version 2>&1 || echo 'not available')"
+           #echo "  python3.14: $(python3.14 --version 2>&1 || echo 'not available')"
+            echo ""
+            echo "All versions have pytest, coincurve, scikit-learn, pycryptodome, and pynacl installed."
+          '';
+        };
+      });
+}

flake.lock

@@ -1,4 +1,5 @@
 aiosmtpd		>=1.4,	<2
+numpy
 build
 cx_Freeze		>=6.12
 flake8