I'm developing some code which I run on OSX with the mpirun command. Every time I compile my code, the execution afterwards opens a bunch of popup dialogs asking to accept or refuse incoming connections. There are as many popups as MPI ranks I am using. For example, if I run
mpirun -np 4 myprogram
then I obtain 4 popups.
I know I am supposed to codesign something to prevent the firewall from opening these popups, so I tried the following commands:
sudo codesign --force --deep --sign - /opt/local/libexec/openmpi-gcc48/orterun
sudo codesign --force --deep --sign - /opt/local/bin/mpi*
Note that my installation of OpenMPI is in /opt/local. Unfortunately, this did not work.
What should I codesign in order to prevent the firewall from showing these popups?
I believe that one reason why the pop-ups still appear even after using codesign is that you are doing an ad-hoc signing. As stated in codesign:
Ad-hoc signing does not use an identity at all, and identifies exactly one instance of code. Significant restrictions apply to the use of ad-hoc signed code; consult documentation before using this.
Instead, I believe you should create a certificate as in the link provided in a comment by @alfC, in this SO post: What are the ways or technologies to sign an executable application file in mac os x environment?
Furthermore, I also think that you need to sign the related processes when you are running mpirun, meaning that you need to sign:
(1) sudo codesign --force --deep --sign "<your certificate>" /opt/local/libexec/openmpi-gcc48/orterun
(2) sudo codesign --force --deep --sign "<your certificate>" /opt/local/libexec/openmpi-gcc48/orted
(3) sudo codesign --force --deep --sign "<your certificate>" /opt/local/bin/mpirun
(4) sudo codesign --force --deep --sign "<your certificate>" /path/to/your/executable
If things are still not working you can further debug your issue by looking at the log or inspecting your executable (see below).
Logging
log show --predicate 'eventMessage contains "codesign"' --info
(More information in an SO post: Can you use macOS "log stream" or "log show" to get messages from connected iOS devices?)
Inspecting
codesign -dv --verbose=4 /path/to/your/executable
spctl --assess --verbose /path/to/your/executable
If you want to read in more depth about the difference between ad-hoc signing and using a certificate, there is a post on Stack Exchange discussing the limits of ad-hoc signing: https://apple.stackexchange.com/questions/288291/what-are-the-restrictions-of-ad-hoc-code-signing which refers to macOS Code signing in depth
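
The inspection step above can be run over all four binaries from the answer at once. This is an added example, not part of the original answer or of Open MPI. The function names are hypothetical, and it assumes `codesign -dv --verbose=4` prints `Signature=adhoc` for an ad-hoc signature, `Authority=` lines for a certificate signature, and "code object is not signed at all" for an unsigned file.

```shell
#!/bin/sh
# Report how each binary involved in an mpirun launch is signed, so a
# leftover ad-hoc or unsigned binary stands out before the firewall asks.

# Classify the text printed by `codesign -dv --verbose=4 <path>` (on stdin).
# Prints one of: adhoc, identity, unsigned, unknown.
classify_signature() {
    awk '
        /not signed at all/ { r = "unsigned" }
        /^Signature=adhoc/  { r = "adhoc" }
        /^Authority=/       { if (r == "") r = "identity" }
        END { print (r == "" ? "unknown" : r) }
    '
}

# Open MPI location taken from the question (/opt/local, openmpi-gcc48).
OMPI_LIBEXEC=/opt/local/libexec/openmpi-gcc48

# Check orterun, orted, mpirun and every executable passed as an argument.
# Returns non-zero if any of them is not signed with a certificate identity.
report_signatures() {
    rc=0
    for bin in "$OMPI_LIBEXEC/orterun" "$OMPI_LIBEXEC/orted" \
               /opt/local/bin/mpirun "$@"; do
        # codesign writes its description to stderr, hence 2>&1
        kind=$(codesign -dv --verbose=4 "$bin" 2>&1 | classify_signature)
        printf '%-10s %s\n' "$kind" "$bin"
        [ "$kind" = identity ] || rc=1
    done
    return $rc
}

if [ "$#" -gt 0 ] && command -v codesign >/dev/null 2>&1; then
    # Usage: sh check_mpi_signing.sh /path/to/your/executable
    report_signatures "$@"
else
    # No arguments or no codesign: classify a constructed sample of
    # ad-hoc output instead (prints "adhoc").
    printf 'Identifier=myprogram\nSignature=adhoc\nTeamIdentifier=not set\n' |
        classify_signature
fi
```

Since recompiling replaces the executable, its line in the report is the one to re-check after each build.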