jpackage MacOS Notarization

Andy Herrick andy.herrick at oracle.com
Wed Jul 28 17:17:56 UTC 2021 

Not really enough info given here to act on.  Exactly what java 
version/build are you using?   As Kevin suggested it best to try JDK17 
EA first, but I can notarize simple test app with JDK16 , staple the 
notarization, and then download it and run it on other machines without 
the quarantine hacks.

While implementing support for the Mac App Store in JDK17, we had to 
change the way signing works (we now unsign the java runtime and then 
re-sign it's components together with the app's components, where we 
previously used the signing already present in the released jdk.)  For 
this reason I think  it is better to look only at problem that persist 
in JDK17 at this time.

/Andy

On 7/28/2021 11:27 AM, Daniel Peintner wrote:
> All,
>
> I am trying to notarize an app (built with jpackage) for MacOS.
>
> jpackage at first *seems* to properly sign all resources with the available
> --mac-sign options et cetera.
>
> Having said that, there are still remaining issues
> 1. The app cannot be properly installed
>     (without hacks like xattr -d com.apple.quarantine /Applications/myAPP.app
> ).
This indicates the app is not notarized or the notarization is not 
properly stapled.
> 2. I am also not able to properly notarize the app.
>
> According to online resources there seem to exist issues in *past* about
> notarization but according to [1, 2] the issues are fixed.
>
> As mentioned, I still have issues :-(
> Am I really the only one still having problems?
>
> Java Version: AdoptOpenJDK-16.0.1+9 (tried Oracle JDK also without success)
>
> The issue seems to boil down to 2 errors (attached the error log from Apple
> notarization process).
> * app Folder
> * libjli.dylib

 From below it looks like you are trying to sign a dmg.

Notarization or a jpackage artifact requires either a signed pkg or a 
zipped signed app image.

It looks like notarizing a signed dmg is now supported by Apple, but 
this is not something that was available when we initially implemented 
this in jpackage.

Can you try the same thing with a "pkg" instead of a "dmg".

We will have to look into what is needed to sign "dmg" artifacts now.

/Andy

More information about the core-libs-dev mailing list