MAS codesign requirements break Java app signing

Tue Nov 11 21:44:27 UTC 2014

Zach,

Having mentioned this on the side, I’ll say it again for posterity: I bundle my app also using the appbundler and also have just recently been receiving that same email from Apple upon app submission.

Today, I finally got my app bundle to be accepted (for the first part of the process anyhow, it’s still pending a review from a human now).  Here’s what I noticed and did differently…

Looking at my fully signed app bundle, I noticed that the MyApp.app/Contents/PlugIns/1.8.0.jre/Contents/_CodeSignature folder contained different items than the MyApp.app/Contents/_CodeSignature folder.. particularly, it contained a CodeResources file which made me wonder if perhaps this was what was triggering our error (as the Apple documentation mentions not using the --resource-rules flag anymore, which I was never doing in the first place, but according to the codesign documentation, if resource rules are not specified, it does its best to make something up, and I’m guessing it was making something up for my embedded JRE bundle).

After some tinkering around, I discovered that the appbundler removes a particular folder, the 1.8.0.jre/Contents/MacOS folder when it stuffs the JRE into MyApp.app.  Well, when this folder is removed, codesign behaves much differently than when this folder is present.  When this folder is present, the MyApp.app/Contents/PlugIns/1.8.0.jre/Contents/_CodeSignature folder contains the same item as the MyApp.app/Contents/_CodeSignature folder.  So, after I did my usual bundling script, I went in and manually restored the MyApp.app/Contents/PlugIns/1.8.0.jre/Contents/MacOS folder, then I signed everything as I usually do… and surely enough, the app is accepted by Application Loader.

So, given that you are still struggling with javapackager, you might want to try this simple solution, as it might be all that you need to keep your existing flow working.

-Jess

On Nov 9, 2014, at 2:26 PM, Zach Oakes <zsoakes at gmail.com> wrote:

> It looks like Apple has changed its codesigning requirements for the Mac
> App Store. Thus far, I've been packaging my Java app using Oracle's
> appbundler tool and signing it with the following script:
> 
> http://pastebin.com/BtLV9bur
> 
> This worked fine even as recently as last month. This time, I get an email
> from them with the following:
> 
> Invalid code signature - Signatures created with OS X version 10.8.5 or
> earlier [v1 signatures] are obsoleted and will no longer be recognized by
> Gatekeeper beginning with OS X version 10.9.5. To ensure your apps will run
> on updated versions of OS X they must be signed on OS X version 10.9 or
> later [v2 signatures]. For more information, see OS X Code Signing In Depth
> 
> I think this error is incorrect, because I'm using 10.9.5 with the latest
> Xcode (6.1). I tried "codesign -dv MyApp.app" and it says "Sealed Resources
> version=2 rules=12 files=7", so I think I am using v2 signatures. My JDK
> version has not changed since last month (8u25), so I can rule that out.
> 
> I would appreciate any help. Thank you.
> 
> Zach