I ship my app as universal2 with latest Python (including modules and complex shared objects preinstalled to site-packages such as PyTorch, numpy, opencv), XPC services, a launch daemon, a handful of frameworks, and ~137 shared objects in deeply nested subfolders. Fully notarized + stapled + hardened runtime + library validation. I don't build in Xcode, as this is a cross-platform app. It's caused little stress. AMA.
(I also ship the same app to Windows with EV signing and I think that is more of a pain, due to the physical HSM requirement)
I’ve packaged and signed/notarized a Dolphin (fork) build and it was relatively painless all things considered. Dylibs have no real impact on this process so I’m curious what you ran into.
In Python there are a handful of .so files in subdirectories you need to sign. You can basically `find . -name \*.dylib -o -name \*.so` and codesign those.
You're gonna need to expound on --deep being broken, considering I've not run into a single issue with it, and judging by the majority of blog posts/docs that cover this, others have the same experience.
I'm assuming it doesn't work well with nested bundle signing. As per my other thread it also seems to be picky about which subdirectories it signs, and there are lots of weird paths (LaunchDaemons, XPCServices, LoginItems, etc.) you can put stuff in that need signing. Not to mention if you put anything needing a sig in Resources.
I can't remember, because I did this a few years ago, but I think there was some other code signing benefit to not putting all of Python in Frameworks as well.
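As an added example (not code from any commenter in this thread), here is a POSIX shell script that does the inside-out signing the thread describes without `--deep`: it finds the `.so`/`.dylib` files, frameworks and XPC services under the bundle, signs the deepest paths first so that every nested item is already signed when its parent is sealed, and then signs the `.app` itself. The `codesign` flags are real; the `SIGN_CMD` hook, the function names and the bundle layout used in comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not code from any commenter in this thread).
# Sign the Mach-O pieces of a macOS app bundle innermost-first, then the
# bundle itself, without --deep. Assumptions: the first argument is a .app
# directory; the second names a "Developer ID Application" certificate in
# the keychain; SIGN_CMD is a hook so the ordering logic can be exercised
# with a stand-in command instead of the real codesign.

: "${SIGN_CMD:=codesign}"

# Print every nested item that carries its own signature, deepest path first.
# Depth ordering is what makes bottom-up signing work: a .so inside
# site-packages is signed before Python.framework, and a framework before
# the .app that contains it. The \( \) groups are required: with a bare
# "-name A -o -name B" chain, a trailing -print/-exec would bind only to the
# last clause. Symlinks (e.g. Versions/Current) are skipped because
# -type f / -type d do not match them, and signing them is unnecessary.
list_signables() {
    find "$1" \
        \( -type f \( -name '*.so' -o -name '*.dylib' \) \) \
        -o \( -type d \( -name '*.framework' -o -name '*.xpc' \) \) \
        | awk -F/ '{ print NF, $0 }' | sort -rn | cut -d' ' -f2-
}

# Sign each nested item, then the bundle. --options runtime enables the
# hardened runtime (library validation is on by default under it);
# --timestamp is required for notarization. Entitlements for the main
# executable would be added with --entitlements on the final call.
sign_bundle() {
    app="$1"
    identity="$2"
    list_signables "$app" | while IFS= read -r item; do
        "$SIGN_CMD" --force --options runtime --timestamp \
            --sign "$identity" "$item" || exit 1
    done || return 1
    "$SIGN_CMD" --force --options runtime --timestamp --sign "$identity" "$app"
}

# Usage: sh sign_bundle.sh /path/to/My.app "Developer ID Application: Name (TEAMID)"
if [ "$#" -eq 2 ]; then
    sign_bundle "$1" "$2"
fi
```

After running it, `codesign --verify --deep --strict --verbose=2 My.app` checks that every nested item is sealed consistently (verification with `--deep` is fine; it is signing with `--deep` that the thread avoids), and the bundle can then be submitted for notarization and stapled as usual.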