gon VS PyOxidizer

It might be less effort to use something like this: https://gregoryszorc.com/blog/2021/04/14/pure-rust-implement...

Might even be able to modify `gon` to use that instead of Apple's `codesign` and then you'll have notarization too: https://github.com/mitchellh/gon

I’ve always used gon ( https://github.com/mitchellh/gon ) for this, which is open source golang, but I don’t think it supports mach-o embedding. I’ll have to try this tool out.

There is no need for some special solution to pack your .app, you need to create .app directories, copy your binary, create Info.plist with metadata about your binary, icon, etc. I did this for a couple of apps and it is simple. It is another thing if you want to sign and notarize the binary, there are other tools for that, like https://github.com/mitchellh/gon.

I use gon to sign and notarize a DMG file. Once you set it up, it's a simple one-line command that will upload the DMG to Apple, await notarization, and give you back a DMG that's ready for distribution.

My advice from years of notarizing my apps is to make sure you do it at least once per day for each of your apps. If you only notarize once every release (say, every month or so), you are almost guaranteed to encounter some new cryptic error that you've never seen before, either due to some glitch in signing your app or frameworks, or else some server-side error such as new terms & conditions that you are being "encouraged" to agree to. It will take you hours to research and resolve them if they aren't spotted right away.

As others pointed out, https://github.com/mitchellh/gon is a great tool for doing this on your local machine (e.g., with a cron job). In addition, if you are building your app using a GitHub action (which I highly recommend if it is open-source), you can use my https://github.com/hubomatic/hubomat action to package and notarize a release in one shot. The sample/template app does this automatically on every commit as well as once per day: https://github.com/hubomatic/MicroVector/actions.

So when this fails from a scheduled job, you at least know that something has changed on the Apple side and can investigate that right away. And if it fails as a result of a commit, then at least you can start looking at what changes you may have made to your entitlements or code signing settings or embedded frameworks or any of the other million things that can cause it to fail.

Bundling Python isn't too bad if you find the right tools for it.

I really like https://github.com/indygreg/python-build-standalone and https://github.com/indygreg/PyOxidizer

A bundled, built standalone Python can be 16 to 32MB (including the full standard library, which you can strip down to just the bits you use to save size). Not tiny, but probably not worth switching programming languages over.

But really, I would suggest thinking about what you want to build before "how" or "with which tool" - one of the signs of a person becoming a good engineer is having an array of tools at their disposal and being able to choose a correct tool for the correct task. Rust also excels in integrating with other languages - with JS via WebAssembly (a bit of self-promotion, for example), with Elixir via Rustler, with Python via PyO3 and PyOxidizer, etc. So you absolutely can start writing a frontend app with JS, or a distributed system with Elixir, or a data processing/ML app with Python and use Rust to speed up critical parts of those. Or, in reverse, you can start with Rust & add new capabilities to whatever you're building, that being a frontend, a resilient chat interface, or an ML model.

Thank you, although this is not exactly on topic. I'd not heard of PyOxidizer, but it appears to have the same goal as PyInstaller, py2exe, and cx_Freeze -- as the PyOxidizer readme says, it produces

Here is some example Github Action from PyOxidizer as a Kickstarter: https://github.com/indygreg/PyOxidizer/blob/main/.github/workflows/build-exe.yml

A starting point to try out binary modules by the way would be https://github.com/indygreg/PyOxidizer - could already have benefits by rolling in all dependencies of modules (so no more pip/apt/dnf/... installs on target hosts). Setting this up should be relatively straightforward and could probably be automated enough to even manage to build binary modules for all modules in the community ansible distribution eventually.

PyOxidizer might be another option.

XAR signing is effectively just an RFC 5652 CMS signature plus some minimal data structure manipulation. Code at https://github.com/indygreg/PyOxidizer/blob/faa7dfcea5d66bf5....

Mach-O and bundles, by contrast, require a myriad of additional data structures requiring thousands of lines of code to support. To my knowledge, nobody else has implemented signing of these far-more-complicated primitives. (Existing Mach-O signing solutions just do ad-hoc signing and/or don't handle Mach-O in the context of a bundle.)