Code signing does not sign Python executable on macOS #513

Closed
samschott opened this issue Oct 22, 2020 · 0 comments · Fixed by #514
Labels
bug A crash or error in behavior.

samschott commented Oct 22, 2020

Describe the bug
During the package step the Python executable Contents/Resources/Support/bin/python3 is not signed, presumably because it is located in the Resources folder. As a result, any packaged apps are rejected by Apple's notary service. For example:

  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Maestral-1.2.2.dev0.dmg/Maestral.app/Contents/Resources/Support/bin/python3",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Maestral-1.2.2.dev0.dmg/Maestral.app/Contents/Resources/Support/bin/python3",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Maestral-1.2.2.dev0.dmg/Maestral.app/Contents/Resources/Support/bin/python3",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]

To Reproduce
Run through the BeeWare tutorial and package the app with a valid code-signing identity. Submit it to the notary service.

Expected behavior
In principle, executable files are expected to live in Contents/MacOS and will automatically be code-signed. Alternatively, it may be possible to sign Contents/Resources/Support/bin/python3 manually before signing the bundle.

Additional context
The app bundle passes verification with codesign --verify --deep --strict. Still, the notary service complains.

Environment:

  • Operating System: macOS
  • Python version: 3.8
  • Software versions:
    • Briefcase: 0.3.3
@samschott samschott added the bug A crash or error in behavior. label Oct 22, 2020
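
The manual-signing approach mentioned under "Expected behavior", as an added example that is not part of the original issue and is not Briefcase's own code: it finds Mach-O files outside Contents/MacOS and builds one `codesign` invocation per file, with `--sign`, `--timestamp` and `--options runtime` corresponding to the three notary errors above. The function names and the identity string are assumptions; the commands are returned, not executed.

```python
import os

# First four bytes of a Mach-O file: thin 32/64-bit in both byte orders,
# plus fat/universal headers. Note that ca fe ba be is also the Java
# .class magic, so review hits in bundles that ship Java class files.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def is_macho(path):
    """True if a regular (non-symlink) file starts with a Mach-O magic."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS


def nested_binaries(app_path):
    """Mach-O files in the bundle that live outside Contents/MacOS."""
    app_path = os.path.normpath(app_path)
    macos_dir = os.path.join(app_path, "Contents", "MacOS")
    found = []
    for root, _dirs, files in os.walk(app_path):
        if os.path.commonpath([root, macos_dir]) == macos_dir:
            continue  # the main executable directory is not reported
        for name in files:
            path = os.path.join(root, name)
            if is_macho(path):
                found.append(path)
    # Deepest paths first, so inner code is signed before what contains it.
    return sorted(found, key=lambda p: (-p.count(os.sep), p))


def codesign_commands(app_path, identity):
    """argv lists: one per nested binary, then one for the bundle itself."""
    base = ["codesign", "--force", "--timestamp", "--options", "runtime",
            "--sign", identity]
    targets = nested_binaries(app_path) + [os.path.normpath(app_path)]
    return [base + [target] for target in targets]
```

For the bundle in this report, `nested_binaries` would list `Contents/Resources/Support/bin/python3`, the path the notary log flags.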