datasette-app icon indicating copy to clipboard operation
datasette-app copied to clipboard
verified publisher icon simonw

Possible to create wheels for things like pyjq and sign them for distribution?

Open simonw opened this issue 4 years ago • 3 comments

From https://github.com/simonw/datasette-app/discussions/67#discussioncomment-1300040 - installing the datasette-jq plugin is difficult because it depends on pyjq which needs to compile an extension.

@psychemedia suggests:

Or at a push maintain your own wheelhouse and add a path to also look to that to install packages?

Would this require signing things for distribution for macOS? The wheel generated by pip install pyjq includes a _pyjq.cpython-39-darwin.so file.

simonw avatar Sep 10 '21 22:09 simonw

If I can figure this out I could get some GitHub Actions workflows going that know how to build wheels for various dependencies and sign them with my Apple Developer certificate - then I could publish those .whl files online somewhere and have the plugin directory from #74 know to install from that URL instead of regular PyPI for certain plugins.

simonw avatar Sep 10 '21 22:09 simonw

Creeping the features a bit, if you do have package build automation, then if you had a list of datasette plugin requirements / dependencies, you could check whether an appropriate wheel exists on pypi and if not, build it for your own wheelhouse?

As package maintainers add PyPi distributed wheels that meet datasette needs, they can then be reaped from the datasette wheelhouse. The ideal state would be an empty wheelhouse because it would mean PyPi meets all needs.

I'm not sure how PyPi currently copes with o/s specific builds targeted at Mac M1. Certainly, when I was building packages for use on Raspberry Pi , I could use piwheels.org for 32 bit arm builds, but I had to build my own arm64 wheels for some packages when using dietPi (64 bit o/s).

psychemedia avatar Sep 11 '21 12:09 psychemedia

This may not require signing after all!

https://twitter.com/glyph/status/1436758984287928322

My understanding is shaky, but if you can validate plugins some other way, “The com.apple.security.cs.disable-library-validation entitlement is a boolean value that indicates whether an application can load arbitrary plug-ins or frameworks, without requiring code-signing.”

https://github.com/simonw/datasette-app/blob/f83a9299a01c4394649b76c8ba308fec88597200/build/entitlements.mac.plist#L7-L8

simonw avatar Sep 11 '21 18:09 simonw