jpackage and macOS Catalina notarization

James Elliott james at deepsymmetry.org
Sat Jan 4 06:50:00 UTC 2020


Hello, everyone, I finally found this list, as well as a way to search it, and so hope this question is relevant and appropriate and not already answered.

For some time I have been using an old javapackager along with a newer release of jlink to create native macOS installers for a free, open-source Swing application, and am very excited to see that JEP-343 is finally on the horizon so I soon can stop relying on the ancient javapackager. Still, its ability to code sign my installer DMG has been very beneficial to my less-Java-savvy users (generally musicians and light/laser/video technicians running stage shows).

Apple’s current operating system, Catalina, adds still more hoops for developers to jump through in order to enable their software to be run without complaint and complexity: It needs to be notarized (uploaded to Apple and scanned for malicious code and other unsafe properties). I am not asking if jpackage might assist with the notarization step any time soon; that is something that can be accomplished separately after the code-signed package or disk image has been produced.

The issue, however, is that for notarization to succeed, the code signing must be performed in a manner that causes the application to use the hardened runtime, and therefore a set of entitlements must be added in order for Java code to run successfully. (These requirements have been temporarily relaxed because so few developers were ready for them, but they will be returning soon.) I could not see any evidence in the jpackage documentation or help text that it could support these code signing options, specifically --timestamp, --options runtime, and --entitlements entitlements.plist (for full details on getting this process to work, I found the following two articles incredibly helpful: http://www.zarkonnen.com/signing_notarizing_catalina and http://kothar.net/macos_catalina_java_11 ).

Is this something that is on the radar for a future jpackage release? Failing that, is there a way to perform the code signing separately and still use jpackage to produce the disk image?

Thanks for any thoughts or insight you might be able to share,

	-James
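An added example, not part of the original message and not jpackage's own behaviour: a shell sketch of signing with the three codesign options named above, plus a check that reads `codesign --display --verbose=4` output and reports whether the hardened runtime flag, secure timestamp and Developer ID authority are present. The function names, the identity and path arguments, and both sample reports are constructed for illustration.

```shell
#!/bin/sh
# Sign with the three options from the message. Arguments are placeholders:
# $1 = app bundle or DMG, $2 = Developer ID identity, $3 = entitlements plist.
sign_hardened() {
    codesign --force --timestamp --options runtime \
        --entitlements "$3" --sign "$2" "$1"
}

# Read `codesign --display --verbose=4 <path>` output on stdin (codesign writes
# it to stderr, so capture with 2>&1) and list what notarization would reject.
check_signature_report() {
    report=$(cat)
    missing=""
    # Hardened runtime appears as "(runtime)" in the CodeDirectory flags.
    printf '%s\n' "$report" \
        | grep -Eq '^CodeDirectory .*flags=0x[0-9a-f]+\([^)]*runtime[^)]*\)' \
        || missing="$missing hardened-runtime"
    # A secure timestamp is shown as "Timestamp="; a signature made without
    # --timestamp shows "Signed Time=" instead.
    printf '%s\n' "$report" | grep -q '^Timestamp=' \
        || missing="$missing secure-timestamp"
    printf '%s\n' "$report" | grep -q '^Authority=Developer ID Application:' \
        || missing="$missing developer-id"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample reports (not captured from a real signature).
GOOD_REPORT='Identifier=org.example.app
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Developer (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 4, 2020 at 06:50:00'

BAD_REPORT='Identifier=org.example.app
CodeDirectory v=20100 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Developer (TEAMID0000)
Signed Time=Jan 4, 2020 at 06:50:00'

printf '%s\n' "$GOOD_REPORT" | check_signature_report
printf '%s\n' "$BAD_REPORT" | check_signature_report || true
```

On a Mac the check would be fed with `codesign --display --verbose=4 Example.app 2>&1 | check_signature_report` before submitting for notarization.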


More information about the core-libs-dev mailing list