Sign the entire macos app bundle

[emlys]

As of #697, we're correctly signing the mac binary DMG with the correct type of Apple-issued certificate 🎉 This is important for security because it ensures that the entire DMG (not just the app bundle in the DMG) is what we expect it to be. So security-wise I think we're fine. It also (I'm pretty sure) prevents any Gatekeeper warnings when the user opens the DMG.

The next step in our Apple security journey will be to sign the app bundle itself. This is one of the things needed in order to prevent Gatekeeper warnings when opening the app. The command to do so is

codesign --deep --sign <identifier> <path/to/bundle>`

This recursively signs everything in the bundle from the most-deeply-nested up to the top. It complains about the following directories:

Contents/MacOS/invest_dist/documentation/userguide/.doctrees
Contents/MacOS/invest_dist/cryptography-35.0.0.dist-info
Contents/MacOS/invest_dist/pygeoprocessing-2.3.2.dist-info
Contents/MacOS/invest_dist/wheel-0.37.0-py3.9.egg-info
Contents/MacOS/invest_dist/natcap.invest-3.9.1.post72+g6af0b498.dist-info
Contents/MacOS/invest_dist/setuptools-59.1.1-py3.8.egg-info
Contents/MacOS/invest_dist/charset_normalizer-2.0.0.dist-info
Contents/MacOS/invest_dist/taskgraph-0.11.0.dist-info

If you delete all these, it works! This is a good sign that our app bundle structure is not severely wrong. So we just need to remove or reorganize these folders somehow.

[emlys]

Because the apple developer docs are notoriously hard to search and the links often get broken, I am including a screenshot for posterity of the relevant info from https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW19:

[phargogh]

I know we talked about this briefly on the phone, but I thought I'd mention the couple things I was thinking about that might be additional things to think about:

• PyInstaller has a flag for signing binaries directly: https://pyinstaller.readthedocs.io/en/stable/feature-notes.html#macos-binary-code-signing so maybe their solution will magically just work? I'm skeptical given how things have typically been with pyinstaller, but you never know!
• The various .egg-info directories contain package metadata, which we mostly use internally for storing and retrieving version information. There are other ways to store the version info, but it sure would be convenient if we didn't have to change that across 3 packages (plus others we don't control).
• Maybe there's a way to just tell codesign about the textfiles we expect and it'll skip those? One can hope.

[emlys]

https://github.com/pyinstaller/pyinstaller/wiki/Recipe-OSX-Code-Signing-Qt

This example is for Qt, but the problem is the same - all our problematic directories contain periods in the name, and so are expected to be in bundle format.