jpackage MacOS Notarization
Andy Herrick
andy.herrick at oracle.com
Wed Jul 28 17:17:56 UTC 2021
Not really enough info given here to act on. Exactly what java
version/build are you using? As Kevin suggested it best to try JDK17
EA first, but I can notarize simple test app with JDK16 , staple the
notarization, and then download it and run it on other machines without
the quarantine hacks.
While implementing support for the Mac App Store in JDK17, we had to
change the way signing works (we now unsign the java runtime and then
re-sign it's components together with the app's components, where we
previously used the signing already present in the released jdk.) For
this reason I think it is better to look only at problem that persist
in JDK17 at this time.
/Andy
On 7/28/2021 11:27 AM, Daniel Peintner wrote:
> All,
>
> I am trying to notarize an app (built with jpackage) for MacOS.
>
> jpackage at first *seems* to properly sign all resources with the available
> --mac-sign options et cetera.
>
> Having said that, there are still remaining issues
> 1. The app cannot be properly installed
> (without hacks like xattr -d com.apple.quarantine /Applications/myAPP.app
> ).
This indicates the app is not notarized or the notarization is not
properly stapled.
> 2. I am also not able to properly notarize the app.
>
> According to online resources there seem to exist issues in *past* about
> notarization but according to [1, 2] the issues are fixed.
>
> As mentioned, I still have issues :-(
> Am I really the only one still having problems?
>
> Java Version: AdoptOpenJDK-16.0.1+9 (tried Oracle JDK also without success)
>
> The issue seems to boil down to 2 errors (attached the error log from Apple
> notarization process).
> * app Folder
> * libjli.dylib
From below it looks like you are trying to sign a dmg.
Notarization or a jpackage artifact requires either a signed pkg or a
zipped signed app image.
It looks like notarizing a signed dmg is now supported by Apple, but
this is not something that was available when we initially implemented
this in jpackage.
Can you try the same thing with a "pkg" instead of a "dmg".
We will have to look into what is needed to sign "dmg" artifacts now.
/Andy
More information about the core-libs-dev
mailing list