jpackage problem submitting to Apple Store

Andy Herrick andy.herrick at oracle.com
Mon Feb 1 15:02:01 UTC 2021


Sorry to take so long to get back to you - I read this a week ago and I 
postponed reply till I could investigate some of the many points here.  
Now a week later I still haven't found the time to do that so I will at 
least reply to what I do know now:

First question is what OS version are you using?

To submit to the Mac App Store, everything must be signed with a special 
"3rd Party Mac ..." certificate from Apple. The "Developer 
ID Application" and "Developer ID Installer" certificates can only be 
used for distributing outside of the Mac App Store, though you can still 
notarize such signed apps.

I don't myself have a "3rd Party Mac ..." type certificate, but I have 
been able to sign and notarize test apps with jpackage using the 
Developer ID certs I do have.  This step is required to post an app on the web 
where it can be downloaded and run on other machines running macOS 
Catalina or later.  I would suggest getting this to work first, as all 
you other should apply to this environment.

The entitlements used come from OpenJDK in 
open/make/data/macosxsigning/default.plist, but they can be fully 
customized by using the custom resource mechanism: create directory 
"resources", add file "<app-name>.entitlements", run jpackage with 
"--resource-dir resources" option.

The problem running app with "./" has been filed and a fix is pending, 
but you can run the same app with full path or in the same dir with just 
"<app-name>" instead of "./<app-name>"

I have not been able to reproduce any of the other problems you allude 
to below, but without a "3rd Party Mac ..." type cert I really don't 
know which further complaints from app store are meaningful.

If you get a Mac Store cert, I did add code in JDK16 that if 
mac-signing-user-name starts with "3rd Party" then it will just use it 
as the full cert name instead of pre-pending "Developer ID Application: 
" or "Developer ID Installer: ".

/Andy

On 1/24/2021 9:28 AM, John Crowley wrote:
> Hi All,
>
> Have been having a problem trying to use jpackage to sign an app and submit it to the Apple Store.
>
> Attached are the following:
> — the script which invokes jpackage. Note that the attached ’…txt’ files show the values for all of the variables.
> — the output of this script
> — the output of the script running with --verbose
>
> To try to summarize all of the attached:
> 1. Trying to create a signed DiskOrganizer-x.y.z.pkg to upload to the Apple Store.
> 2. The problem is with mac-sign and the attempt to load to the Apple Store. Otherwise, have successfully created .app, .pkg, and .dmg versions and they all execute/install as expected on my Mac (except as noted directly below in (4)).
> 3. This attempt used the jpackage in JDK 16-ea, build 31. Had essentially the same results using JDK 15.0.1
> 4. Not shown in the attached is that if you try to manually start by going to DiskOrganizer/Contents/MacOS and execute ./DiskOrganizer directly, it fails with — Error opening "/Applications/DiskOrganizer.app/Contents/Contents/app/DiskOrganizer.cfg" file: No such file or directory — Note the ../Contents/Contents/app… Can fix this after installation by putting in a symlink: ln -s . Contents within the Contents directory.
>
> The last step of the pkg1.sh script invokes xcrun altool --validate-app to validate, comments on these specific errors:
> jpackage generates the Info.plist - some errors from this follow. Tried to make a copy of Info.plist, fix it, and then copy back into the .app, but this then invalidates the signature from --mac-sign.
> Key LSApplicationCategoryType contains Unknown. Probably need a jpackage --mac-category <type> to allow the user to set this.
> Installer package may not include install scripts. No idea where such scripts may be located. There are no scripts in the ./inputs directory. Maybe in the runtime created by jlink?
> The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "DiskOrganizer-app.pkg/Payload/DiskOrganizer.app/Contents/MacOS/DiskOrganizer", "DiskOrganizer-app.pkg/Payload/DiskOrganizer.app/Contents/runtime/Contents/Home/lib/jspawnhelper"   Probably need a --mac-entitlements <file> option in order to add this, and any other app-specific entitlements, to the code signing step.
> Ensure that it is signed with your "3rd Party Mac Developer Installer" certificate. Don’t understand this - have assumed that the default was to use the Developer ID Application and Developer ID Installer certs (which are in my keychain). Are the "3rd Party …" certs also needed?
> Error in keyPath [product-metadata.product-identifier] — No idea where this resides. Do you know?
> Error in keyPath [product-metadata.product-version — Ditto
> The lowest minimum system version [none] in the Product Definition Property List — .. does not equal 10.9 (from the Info.plist). Any idea where this gets set on the Apple side? Is it supposed to be somewhere within the .pkg? Maybe need a --mac-min-version <x.y.z> keyword?
> Cannot find executable file that matches the value of CFBundleExecutable in the nested bundle DiskOrganizer [DiskOrganizer-app.pkg/Payload/DiskOrganizer.app/Contents/app] property list file.) — No idea what this means. The generated .pkg does in fact install OK on my machine, and /Applications/DiskOrganizer.app launches OK with a double-click.
> For Apple Store you have a Version (<key>CFBundleShortVersionString</key>) which would be set by --app-version and is the version visible to the user. But can also have a <key>CFBundleVersion</key> which is really the build number. This must be 3 numbers separated by periods and must change for each upload to the store. So would be good to be able to set --app-version 1.0 and --app-build 1.0.4 (or --mac-build) to be able to set both values. Otherwise the end user will see things like 1.0.23 (it took 23 uploads to make it through the Apple Store process) - which will be confusing.
>
> Sorry for the length of this email, but have been messing around for well over a week with no success. Also tried using jpackage without the --mac-sign, running 'codesign' directly, etc. Still have not found the magic wand to make this all work.
>
> Would appreciate any suggestions. Would love to hear "You’re doing it wrong, use this set of jpackage options"!
>
> Otherwise, suggestions or pointers to any on-line documents that would help would be great. (Have been Googling everything about this, but almost all of the "answers" assume that you are using Xcode and tell you what parameters to set - nothing about the resulting in-the-trenches process that Xcode then executes.)
>
> Thanks,
>
> John Crowley
> Charlotte, NC
> 203-856-2396
> j.crowley at computer.org
>
>
>
>
>
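
Added example, not part of either message and not jpackage's own code: the resource-directory procedure from the reply (create "resources", add "<app-name>.entitlements", pass "--resource-dir resources"), carrying the app-sandbox entitlement the validator asked for, followed by a check of the two executables the validator named. The signing identity, the `inputs` directory and `DiskOrganizer.jar` are constructed placeholders, and the build step runs only on macOS with jpackage installed.

```shell
#!/bin/sh
# Added example: sandbox entitlement via jpackage's resource directory,
# then confirm the signed binaries really carry it.
APP_NAME="DiskOrganizer"    # app name from the thread
RES_DIR="resources"         # directory name from the reply
# Placeholder identity (constructed); use the name of your own certificate.
SIGN_ID="3rd Party Mac Developer Application: Example Corp (TEAMID)"

write_entitlements() {      # $1 = resource dir, $2 = app name
    mkdir -p "$1" || return 1
    cat > "$1/$2.entitlements" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
EOF
}

# Reads a plist on stdin; succeeds only if the sandbox key is set to true.
# Whitespace is stripped first so pretty-printed and one-line plists both match.
has_sandbox_entitlement() {
    tr -d ' \t\r\n' |
        grep -q '<key>com\.apple\.security\.app-sandbox</key><true/>'
}

# Dumps the entitlements embedded in a signed executable and checks them.
verify_signed() {           # $1 = path to a signed executable
    codesign -d --entitlements :- "$1" 2>/dev/null | has_sandbox_entitlement
}

if [ "$(uname -s)" = "Darwin" ] && command -v jpackage >/dev/null 2>&1; then
    write_entitlements "$RES_DIR" "$APP_NAME" &&
    has_sandbox_entitlement < "$RES_DIR/$APP_NAME.entitlements" &&
    jpackage --type app-image --name "$APP_NAME" \
        --input inputs --main-jar DiskOrganizer.jar \
        --mac-sign --mac-signing-key-user-name "$SIGN_ID" \
        --resource-dir "$RES_DIR" &&
    for exe in "Contents/MacOS/$APP_NAME" \
               "Contents/runtime/Contents/Home/lib/jspawnhelper"; do
        verify_signed "$APP_NAME.app/$exe" || echo "no sandbox entitlement: $exe"
    done
fi
```

Checking the signed executables rather than the input file catches the case where the custom resource was not picked up and the default entitlements were applied instead.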


More information about the core-libs-dev mailing list