Apple Notarization
Zheka Kozlov
orionllmain at gmail.com
Tue Jun 11 05:49:55 UTC 2019
FYI: https://bugs.openjdk.java.net/browse/JDK-8223671
Tue, 5 Mar 2019 at 18:19, Zheka Kozlov <orionllmain at gmail.com>:
> Hello Jessica. We also deliver our software with a bundled Java. In the
> last couple of months, I was trying to overcome Apple notarization. I
> finally managed to do it, however, after signing of Java executables and
> dynamic libraries it doesn't work anymore.
>
> Here I'll describe the steps I did:
>
> 1. Downloaded JRE 10.0.2 for macOS from Oracle (I could use JDK 11 as
> well, JR).
>
> 2. Ungzipped it with `tar -zxf`.
>
> 3. Signed all executables and dynamic libraries with `codesign --force
> --verify --deep --verbose --sign <identity> --timestamp -o runtime
> --entitlements test.entitlements`
> `-o runtime` enabled hardened runtime (which is required for successful
> notarization)
> test.entitlements is a file with entitlements. Its contents are:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
> <key>com.apple.security.cs.allow-jit</key>
> <true/>
> <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
> <true/>
> <key>com.apple.security.cs.disable-executable-page-protection</key>
> <true/>
> <key>com.apple.security.cs.disable-library-validation</key>
> <true/>
> </dict>
> </plist>
>
> 4. Zipped the JRE and submitted it for notarization: `xcrun altool
> --notarize-app --primary-bundle-id "<id here>" --username <user name>
> --file <jre zip file name>`
>
> The archive successfully passed the notarization. However, JRE is not
> executable anymore. When I run `java -version`, it reports an error:
> Error occurred during initialization of VM
> Could not reserve enough space in CodeHeap 'non-nmethods' (2496K)
>
> And I'm stuck here. I have no ideas on how to resolve this. I was trying
> to read the JVM source code but with no luck (it requires deep knowledge of
> the JVM internals).
>
> Can anyone help with this? I would really appreciate if someone helped me
> to understand this error message.
>
> Thanks.
>
>
> Wed, 19 Dec 2018 at 03:51, Jessica Leigh <jessica at geneious.com>:
>
>> I'm investigating the process of getting an application "notarized" for Mac
>> OS. This is a process that Apple has introduced with Mac OS 10.14 Mojave,
>> and they've indicated that it will be required for developer-signed
>> applications in the near future. The process differs from code signing
>> (applications are uploaded to Apple, where they're scanned and either
>> notarized or rejected). More information is available from Apple:
>>
>> https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
>>
>> Our software is bundled with Java 11, and my attempts to find information
>> on notarizing Java applications led me to some Stack Overflow questions
>> that suggest there may be problems with JAR files, e.g.,
>>
>> https://stackoverflow.com/questions/53439639/notarize-java-app-for-distribution-on-mac-app-store
>> , where dynamic libraries inside JARs aren't signed, which causes
>> notarization to fail.
>>
>> Has any thought been put into preparing/signing Java for the purpose of
>> notarization? It seems like Java might not be ready for this yet.
>>
>>
>>
>> *Dr. Jessica Leigh*
>> Software Developer
>> GENEIOUS
>>
>
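Added example, not part of the original thread and not JDK or Apple code: the earliest message above notes that unsigned dynamic libraries inside JAR files cause notarization to fail, so this Python script lists the Mach-O entries in a JAR (including nested archives) that would need `codesign` before submission. The function names, the sample JAR contents and the cut-off used to tell a universal binary from a Java class file (both start with `CAFEBABE`) are assumptions made for this example.

```python
import io
import struct
import zipfile

# Thin Mach-O magics as stored on disk (32/64-bit, both byte orders).
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # shared with Java .class files
NESTED = (".jar", ".war", ".zip")

def is_macho(header):
    """Classify a file from its first 8 bytes."""
    if header[:4] in THIN_MAGICS:
        return True
    if header[:4] == FAT_MAGIC and len(header) >= 8:
        # Universal binary: next word is a small architecture count.
        # Class file: next word is minor/major version (major >= 45).
        # The cut-off of 20 is a heuristic chosen for this example.
        return struct.unpack(">I", header[4:8])[0] < 20
    return False

def find_native_code(archive, prefix=""):
    """Sorted paths of Mach-O entries in a JAR, including nested archives."""
    found = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data, path = zf.read(info), prefix + info.filename
            if is_macho(data[:8]):
                found.append(path)
            elif path.lower().endswith(NESTED) and zipfile.is_zipfile(io.BytesIO(data)):
                found += find_native_code(io.BytesIO(data), path + "!/")
    return sorted(found)

def build_sample_jar():
    """Constructed sample: a class file, two Mach-O stubs and a nested JAR."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("libbar.dylib", b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x37")
        zf.writestr("native/libfoo.dylib", b"\xcf\xfa\xed\xfe" + b"\0" * 28)
        zf.writestr("native/libfat.jnilib", b"\xca\xfe\xba\xbe\x00\x00\x00\x02")
        zf.writestr("lib/inner.jar", inner.getvalue())
        zf.writestr("README.txt", "no native code here")
    return outer

if __name__ == "__main__":
    for path in find_native_code(build_sample_jar()):
        print("needs signing before notarization:", path)
```

Pass a path to a real JAR in place of `build_sample_jar()` to audit an application bundle; detection is by file header, so native libraries with unusual extensions are still reported.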