Skip to content

Relax codesigning entitlements for Python on mac #11089

New issue
New issue
Closed
#11090
Closed
Relax codesigning entitlements for Python on mac#11089
#11090
Assignees
jmarrec
Labels
DefectIncludes code to repair a defect in EnergyPlus
@jmarrec

Description

@jmarrec
jmarrec
opened on Jun 2, 2025

Issue overview

In OpenStudio, we pip install some requirements that have native extensions.

PIP_REQUIRE_VIRTUALENV= /Users/julien/.pyenv/versions/3.12.2/bin/python3.12 -m pip install --target=/Users/julien/Software/Others/OS-build-release3/EnergyPlus-25.1.0-1c11a3d85f-Darwin-macOS13-arm64/python_lib --upgrade -r /Users/julien/Software/Others/OpenStudio3/python/requirements.txt

We'd like to be able to use an E+ PythonPlugin that requires these native modules.

E+ has codesigning on macOS, and it does not have a specific entitlement that allows to load unsigned (or differently signed) library at runtime (via dlopen).

The E+ exe is signed, the libpython is signed, all with the EnergyPlus codesigning certificate.
We pip install some dependencies that have a native extension, at least numpy and pandas. these are NOT signed. So it fails at runtime.

The same issue arises if you manipulate the path to point to your own python 3.12.2 environment.

I am assuming users are definitely going to do that for some applications, and it would work fine on Linux and Windows, but fail on mac.

Operating System (Multiple choices)

MacOS

Operating System Version

Any

Version of EnergyPlus

25.1.0, develop

Unmethours link or helpdesk ticket number

N/A

Defect file

https://github.com/NREL/EnergyPlusDevSupport/blob/88e67a15840de900c41789a753d61a17ab4e1344/DefectFiles/11000s/11089/python_plugin_program_jinja.py#L1-L15

python_plugin_program_jinja.py

from pathlib import Path
import sys

# If False, it assumes you have pip installed directly into the EnergyPlus/python_lib folder
USE_EXTERNAL = True
if USE_EXTERNAL:
    sys.path.insert(0, str(Path("~/.pyenv/versions/3.12.2/lib/python3.12/site-packages").expanduser()))
    sys.path.insert(0, str(Path("~/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload").expanduser()))

import pandas as pd
from pyenergyplus.plugin import EnergyPlusPlugin


class PythonAverageZoneTemps(EnergyPlusPlugin):
    # ...

eplusout.err

   ** Severe  ** Failed to import module "python_plugin_program_jinja"
   **   ~~~   ** Current sys.path=["/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload", "/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/site-packages", "./", ".", "/Applications/EnergyPlus-25-1-0", "/Applications/EnergyPlus-25-1-0/python_lib/lib-dynload", "/Applications/EnergyPlus-25-1-0/python_lib"]
   **   ~~~   ** Python error description follows:
   **   ~~~   ** ImportError("Unable to import required dependencies:\nnumpy: Error importing numpy: you should not try to import numpy from\n        its source directory; please exit the numpy source tree, and relaunch\n        your python interpreter from there.\npytz: dlopen(/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so, 0x0002): tried: '/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so' (code signature in <615EB672-F42C-3A52-8FF1-D34629F0056C> '/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so' (no such file), '/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so' (code signature in <615EB672-F42C-3A52-8FF1-D34629F0056C> '/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs)")
   **   ~~~   ** Python traceback follows:
   **   ~~~   ** ```
   **   ~~~   **  >>> Traceback (most recent call last):
   **   ~~~   **  >>>   File "/Users/julien/Software/Others/EnergyPlusDevSupport/DefectFiles/11000s/11089/python_plugin_program_jinja.py", line 10, in <module>
    import pandas as pd
   **   ~~~   **  >>>   File "/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/site-packages/pandas/__init__.py", line 19, in <module>
    raise ImportError(
   **   ~~~   **  >>> ImportError: Unable to import required dependencies:
numpy: Error importing numpy: you should not try to import numpy from
        its source directory; please exit the numpy source tree, and relaunch
        your python interpreter from there.
pytz: dlopen(/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so, 0x0002): tried: '/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so' (code signature in <615EB672-F42C-3A52-8FF1-D34629F0056C> '/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so' (no such file), '/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so' (code signature in <615EB672-F42C-3A52-8FF1-D34629F0056C> '/Users/julien/.pyenv/versions/3.12.2/lib/python3.12/lib-dynload/math.cpython-312-darwin.so' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs)
   **   ~~~   ** ```
   **  Fatal  ** Python import error causes program termination

Metadata

Metadata

Assignees

Labels

DefectIncludes code to repair a defect in EnergyPlus

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions