<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
Hi Florent,<br>
<br>
jpackage doesn't build the application jar. Likewise, it doesn't
notarize and staple the package. These limitations leave steps 1, 2,
10, and 11 out of scope. The remaining steps are handled by
jpackage, and each can be customized.<br>
There are three CLI options to control signing certificates:
--mac-signing-key-user-name, --mac-app-image-sign-identity, and
--mac-installer-sign-identity.<br>
--mac-signing-key-user-name option allows specifying a portion of
the names of certificates for signing the application bundle and
.pkg installer. jpackage will use the value of this option to lookup
for certificates. <br>
E.g., say you have "Developer ID Application: Acme Software LLC
(ABCD1234)" and "Developer ID Installer: Acme Software LLC
(ABCD1234)" certificates. You can instruct jpackage to use them in
steps 3-9 by adding "--mac-signing-key-user-name 'Acme Software LLC
(ABCD1234)'" to the command line.<br>
If you want to explicitly specify certificates, you may use
--mac-app-image-sign-identity and --mac-installer-sign-identity
options.<br>
The value of the --mac-app-image-sign-identity option should be the
full name of the certificate for signing application bundle.<br>
The value of the --mac-installer-sign-identity option should be the
full name of the certificate for signing .pkg installer.<br>
<br>
Additionally, you can specify the name of the keychain with the
certificates with the --mac-signing-keychain option and the
entitlements file with --mac-entitlements option.<br>
<br>
All these options are valid only when used with "--mac-sign" option.<br>
<br>
- Alexey<br>
<br>
<div class="moz-cite-prefix">On 2/23/2026 5:53 AM, Florent MARTIN
wrote:<br>
</div>
<blockquote type="cite" cite="mid:MRWPR01MB12445A5B7ADC4B1CFA89C1DEEDE77A@MRWPR01MB12445.eurprd01.prod.exchangelabs.com">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Aptos;}@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0cm;}ul
{margin-bottom:0cm;}</style>
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For an application, I need to create a pkg
for macOS of a Java application, but jpackage does not provide
support for all the steps required. As a reminder, here is the
full workflow needed to create a valid pkg that passes
Gatekeeper on macOS, which requires three different
certificates:<o:p></o:p></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoNormal" style="mso-list:l0 level1 lfo3">A
standard signing certificate<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l0 level1 lfo3">An Apple
Developer ID Application certificate<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l0 level1 lfo3">An Apple
Developer ID Installer certificate<o:p></o:p></li>
</ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The full workflow is:<o:p></o:p></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">Signing
the native libraries inside the JAR (requires a Developer ID
Application certificate)<o:p></o:p></li>
<ul style="margin-top:0cm" type="circle">
<li class="MsoNormal" style="mso-list:l2 level2 lfo6">Basically,
this involves extracting the JAR, signing all .jnilib and
.dylib files, and rebuilding the JAR.<o:p></o:p></li>
</ul>
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">Signing
the JAR itself (requires a standard certificate)<o:p></o:p></li>
<ul style="margin-top:0cm" type="circle">
<li class="MsoNormal" style="mso-list:l2 level2 lfo6">Using
jarsigner to pass the JVM security check.<o:p></o:p></li>
</ul>
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">Generating
an application image (.app)<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">Signing
the native libraries included in the image (requires a
Developer ID Application certificate)<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">Signing
the main executable of the image (requires a Developer ID
Application certificate)<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">Signing
the main bundle of the image (requires a Developer ID
Application certificate)<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">(Optional)
Adding an entitlements.plist file to allow JNI usage<o:p></o:p></li>
<ul style="margin-top:0cm" type="circle">
<li class="MsoNormal" style="mso-list:l2 level2 lfo6">Needed
if using restricted features such as JNI.<o:p></o:p></li>
</ul>
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">Creating
the installer package (.pkg)<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">Signing
the installer package (requires a Developer ID Installer
certificate)<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">Notarizing
the package (submission to Apple for verification)<o:p></o:p></li>
<li class="MsoNormal" style="mso-list:l2 level1 lfo6">Stapling
the package (embedding the notarization directly into the
package)<o:p></o:p></li>
</ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If we skip steps 1 and 2 for preparing the
JAR (it would be better if jpackage could handle this
automatically), as well as steps 10 and 11, then for steps 3
to 9 we need to use two different certificates, but jpackage
provides only a single `--mac-sign` parameter, which does not
support multiple certificates and would ideally be split into
separate parameters for the application certificate and the
installer certificate; as a result, when creating a pkg with
jpackage, the App Image inside remains unsigned, which causes
Gatekeeper to block the application.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best regards,<o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="94%" style="width:94.44%">
<tbody>
<tr>
<td width="100%" style="width:100.0%;padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#002A50;mso-fareast-language:FR">Florent
MARTIN<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#002A50;mso-fareast-language:FR">Développeur<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#002A50;mso-fareast-language:FR">Cegid
Relations Bancaires
<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#002C52;mso-fareast-language:FR"><o:p> </o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="25%" style="width:25.92%">
<tbody>
<tr style="height:33.2pt">
<td width="113" style="width:85.1pt;padding:0cm 0cm 0cm 0cm;height:33.2pt">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif;color:#002A50;mso-fareast-language:FR">+33
(0)2 99 55 33 22<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#002C52;mso-fareast-language:FR"><a href="mailto:flmartin@cegid.com" moz-do-not-send="true"><span style="color:#0563C1">flmartin@cegid.com</span></a></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif;color:#002A50;mso-fareast-language:FR"><o:p></o:p></span></p>
</td>
<td width="35" style="width:25.9pt;padding:0cm 0cm 0cm 0cm;height:33.2pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#002A50;mso-fareast-language:FR"><o:p> </o:p></span></p>
</td>
<td width="90" style="width:67.8pt;padding:0cm 0cm 0cm 0cm;height:33.2pt">
<p class="MsoNormal"><a href="https://www.facebook.com/CegidGroup/" title=""Suivre sur Facebook" t " moz-do-not-send="true"><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:blue;mso-ligatures:none;mso-fareast-language:FR;text-decoration:none"><img border="0" width="15" height="15" style="width:.1562in;height:.1562in" id="Picture_x0020_6" src="cid:part1.bc0ShOWC.b4aDoew3@oracle.com" alt="Facebook" class=""></span></a><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#002A50;mso-fareast-language:FR"> </span><a href="https://twitter.com/CegidGroup" title=""Suivre sur Twitter" t " moz-do-not-send="true"><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:blue;mso-ligatures:none;mso-fareast-language:FR;text-decoration:none"><img border="0" width="15" height="15" style="width:.1562in;height:.1562in" id="Picture_x0020_7" src="cid:part2.bEQ0MqNo.n8Zg2xj5@oracle.com" alt="Twitter" class=""></span></a><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#002A50;mso-fareast-language:FR"> </span><a href="https://fr.linkedin.com/company/cegid" title=""Suivre sur LinkedIn" t " moz-do-not-send="true"><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:blue;mso-ligatures:none;mso-fareast-language:FR;text-decoration:none"><img border="0" width="15" height="15" style="width:.1562in;height:.1562in" id="Picture_x0020_8" src="cid:part3.ep7dLuZo.jieJBFZO@oracle.com" alt="LinkedIn" class=""></span></a><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#002A50;mso-fareast-language:FR">
<br>
<a href="https://www.cegid.com/" target="_blank" moz-do-not-send="true"><b><span style="color:#002A50">cegid.com</span></b></a><b>
</b><o:p></o:p></span></p>
</td>
<td width="250" style="width:187.25pt;padding:0cm 0cm 0cm 0cm;height:33.2pt"><br>
</td>
</tr>
<tr style="height:76.1pt">
<td width="488" colspan="4" style="width:366.15pt;padding:0cm 0cm 0cm 0cm;height:76.1pt">
<p class="MsoNormal"><a href="http://www.cegid.com/" target="_blank" moz-do-not-send="true"><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:blue;mso-ligatures:none;mso-fareast-language:FR;text-decoration:none"><img border="0" width="100" height="87" style="width:1.0416in;height:.9062in" id="Picture_x0020_9" src="cid:part4.S8nlqLXR.2nhc1EXD@oracle.com" alt="Cegid" class=""></span></a><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#0046FE;mso-fareast-language:FR"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-size:12.0pt;mso-fareast-language:FR"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<br>
Cegid est susceptible d’effectuer un traitement sur vos données
personnelles à des fins de gestion de notre relation commerciale.
Pour plus d’information, consultez
<a class="moz-txt-link-freetext" href="https://www.cegid.com/fr/privacy-policy">https://www.cegid.com/fr/privacy-policy</a><br>
Ce message et les pièces jointes sont confidentiels et établis à
l'attention exclusive de ses destinataires. Toute utilisation ou
diffusion, même partielle, non autorisée est interdite. Tout
message électronique est susceptible d'altération; Cegid décline
donc toute responsabilité au titre de ce message. Si vous n'êtes
pas le destinataire de ce message, merci de le détruire et
d'avertir l'expéditeur.
<br>
<br>
Cegid may process your personal data for the purpose of our
business relationship management. For more information, please
visit our website <a class="moz-txt-link-freetext" href="https://www.cegid.com/en/privacy-policy">https://www.cegid.com/en/privacy-policy</a><br>
This message and any attachments are confidential and intended
solely for the addressees. Any unauthorized use or disclosure,
either whole or partial is prohibited. E-mails are susceptible to
alteration; Cegid shall therefore not be liable for the content of
this message. If you are not the intended recipient of this
message, please delete it and notify the sender.
</blockquote>
<br>
</body>
</html>