Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
Thank you Quinn for your support. I finally solved the issue. I checked the system log and found this error:

syspolicyd: [com.apple.syspolicy.exec:default] Error Domain=GatekeeperPolicyScanError Code=-67018 "Code did not match any currently allowed policy" UserInfo={NSURL=file:///Applications/HotelOrganizer.app/Contents/Frameworks/numpy/_core/_multiarray_umath.cpython-311-darwin.so, NSLocalizedDescription=Code did not match any currently allowed policy}

I then tried to delete the file _multiarray_umath.cpython-311-darwin.so from my app bundle, and the gatekeeper finally accepted the app. BINGO! However, without that file, my app crashes. Thus I tried to move this file from the Frameworks folder to the Resources folder, and it also worked with gatekeeper. After some fighting with pyinstaller and other dependencies that were refusing to import numpy from the new location, I finally managed to defeat gatekeeper while having my app working well.

Now some feedback for Apple:

I find it completely illogical that gatekeeper rejects notarised apps. The errors should appear during notarisation, not afterwards.

If the errors appear in the system log, why aren't they also reported in the warning message of gatekeeper? This would make debugging 10x easier.

syspolicy_check was useless in my case since it didn't provide any extra info that helped me to debug.
Topic: Code Signing SubTopic: Entitlements Tags:
Jul ’25
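The system-log check described in the post above, as an added example that is not part of the original post: it pulls the rejected file paths out of syspolicyd's GatekeeperPolicyScanError lines and shows which folder under Contents/ each one sits in. The function names, the timestamp prefix of the sample lines and the `log show` predicate in the comment are assumptions of this example; the error text is the one quoted in the post.

```shell
#!/bin/sh
# Added example: list the files syspolicyd rejected with GatekeeperPolicyScanError.
# Live use on macOS (assumed predicate, run right after a failed launch):
#   log show --last 10m --predicate 'process == "syspolicyd"' | gk_report

# Constructed sample input: the error quoted in the post (logged twice), plus
# one unrelated line. The timestamp prefix is made up for illustration.
SAMPLE_LOG='2025-07-10 10:00:01.000000+0200 syspolicyd: [com.apple.syspolicy.exec:default] Error Domain=GatekeeperPolicyScanError Code=-67018 "Code did not match any currently allowed policy" UserInfo={NSURL=file:///Applications/HotelOrganizer.app/Contents/Frameworks/numpy/_core/_multiarray_umath.cpython-311-darwin.so, NSLocalizedDescription=Code did not match any currently allowed policy}
2025-07-10 10:00:01.500000+0200 syspolicyd: [com.apple.syspolicy.exec:default] unrelated constructed line
2025-07-10 10:00:02.000000+0200 syspolicyd: [com.apple.syspolicy.exec:default] Error Domain=GatekeeperPolicyScanError Code=-67018 "Code did not match any currently allowed policy" UserInfo={NSURL=file:///Applications/HotelOrganizer.app/Contents/Frameworks/numpy/_core/_multiarray_umath.cpython-311-darwin.so, NSLocalizedDescription=Code did not match any currently allowed policy}'

# Read log text on stdin; print each rejected file path once.
# Only %20 is decoded; other percent-escapes are left as logged.
gk_rejected_paths() {
    grep 'GatekeeperPolicyScanError' |
        sed -n 's|.*NSURL=file://\([^,}]*\)[,}].*|\1|p' |
        sed 's/%20/ /g' |
        sort -u
}

# Print the first folder under Contents/ for a path inside an .app bundle
# (for example Frameworks, Resources or MacOS); prints nothing otherwise.
gk_bundle_area() {
    printf '%s\n' "$1" | sed -n 's|.*\.app/Contents/\([^/]*\)/.*|\1|p'
}

# Read log text on stdin; print "<bundle folder><TAB><path>" per rejected file.
gk_report() {
    gk_rejected_paths | while IFS= read -r path; do
        printf '%s\t%s\n' "$(gk_bundle_area "$path")" "$path"
    done
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | gk_report
```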
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
Hi Quinn, thanks again for your great support. I uploaded the notary log to the Feedback Assistant ticket. I checked that b4563a07ac6827cced5dd13a172c41c80ca7d589 was in there to make sure that it was the correct one. Surprisingly, in my notary log it seems that all the Mach-O images are in the log. I will try to fix the issues with content in the wrong location. Do you have any suggestions on how to package Python apps correctly?
Topic: Code Signing SubTopic: Entitlements Tags:
Jul ’25
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
I used syspolicy_check and this is the message I got:

App has failed one or more pre-distribution checks.
Codesign Error
File: HotelOrganizer.app
Severity: Fatal
Full Error: Gatekeeper rejected this file. If there isn't a more descriptive error elsewhere in this output, please file a Feedback through Feedback Assistant.app so we can continue to improve syspolicy_check. Please include the app bundle you are checking and a sysdiagnose taken immediately after running syspolicy_check.
Type: Notary Error

I'm really frustrated by this, I tried everything I could find in the forum. I cannot distribute my app to my customers because of this issue.
Topic: Code Signing SubTopic: Entitlements Tags:
Jul ’25
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
No, I haven't added that. Is it possible that maybe this library entitlement is added automatically during codesigning? Actually, after further testing, I realized that the culprit seems to be the entitlements I assign to the node and Chromium Helper executables within the Playwright framework (com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory). The JIT entitlement applied to the main python executable does not affect gatekeeper.
Topic: Code Signing SubTopic: Entitlements Tags:
Jul ’25
Reply to App signed and notarized successfully, but macOS flags it as malicious on other machines
From your answer it sounds like you are skipping the stapling step.

1. Build the Electron .app.
2. Sign it (electron-osx-sign, hardened runtime, entitlements, etc.).
3. Notarise and WAIT for “Accepted”:
   xcrun notarytool submit MyApp.app --wait
4. Staple the ticket into the bundle:
   xcrun stapler staple MyApp.app ← Mandatory step you are missing
   (or use notarytool … --wait --staple)
5. Only after stapling, create the distribution image.
Topic: Code Signing SubTopic: General Tags:
Jul ’25
Reply to App signed and notarized successfully, but macOS flags it as malicious on other machines
I have a similar issue, with the difference that I don't pass spctl for some mysterious and arcane reason. Have you stapled the notarized app with xcrun stapler staple? Also, how are you distributing the app? Compressing the app before sending (.dmg or .zip) might break the signature.

I'm really frustrated with Apple's Gatekeeper blocking my correctly notarized app. They should at least provide clear verbose errors to identify the origin of the problem. I spent more time trying to debug this than building my app...
Topic: Code Signing SubTopic: General Tags:
Jul ’25