Description
OS Catalina has introduced stricter security on running binaries, which has dramatically affected the performance of the hwi binaries. Because of the way the binaries are packaged, the full security check (including a remote network call) is made upon every invocation.
The issue is specifically related to the use of PyInstaller, and is described here. In brief, every invocation of hwi expands the python runtime and associated files to a temporary folder, where it is considered by OSX to be a new executable requiring a security check. This security check fails unless it is specifically permitted in System Preferences, but even once this has been done the security check runs every time hwi is executed. On my system this takes around 5 secs.
One workaround to reduce the time taken is to set api.apple-cloudkit.com to point to localhost in /etc/hosts - the security check still runs but at least takes less time.
I have also managed to build a version of hwi that is a folder rather than a binary with PyInstaller using --onedir, as suggested in the link above. This means that at least subsequent executions are instant, even if this is more unwieldy. It doesn't solve the security failure on the first run however for new users.
Ultimately I think the right solution is to codesign and notarize the executables as per Apple's requirements, but I'm not sure if there are better ideas?