Apple Notarization

Tres Finocchiaro tres.finocchiaro at gmail.com
Wed Dec 19 17:38:55 UTC 2018


I was linked to this conversation from a stackoverflow comment and wanted
to offer my experiences.  I hope this message is well received.

I have a project with bundled 3rd party DYLIBs that has passed Apple
notarization.

I'm doing it by extracting the JAR's files, signing them and then JARing
them back up.  I would assume JavaFX would work just the same.  I have my
steps outlined in detail here including how to review the rejection from
Apple during the trial-and-error phases of notarization:

https://stackoverflow.com/a/53528020/3196753

> "Has any thought been put into preparing/signing Java for the purpose of
> notarization? It seems like Java might not be ready for this yet."

Apple doesn't mention whether or not they allow mixed signatures in the
bundles.  If they do, the OpenJDK team can tackle this.  My guess is
they're already signing their distributions.  You can find out by
extracting any offending .dylibs in a bundle.  Here's a StackOverflow
question which mentions being rejected in JRE11 due to JavaFX libraries:
https://stackoverflow.com/q/53439639/3196753

If someone can chime in on whether or not using 3rd party signed DYLIB and
JNILIB files is supported, please do.  It could make this task much easier
(and help move onus to the 3rd parties) for software developers.

To see if it's already signed:
codesign -dv --verbose=4 /path/to/extracted/libfxplugins.dylib

Note, there's a bit of an order-of-operations if a programmer is signing
the JAR itself too.  You would need to extract the JAR, sign the native
code, bundle the JAR, sign the JAR.  A build system that relies on signed
JARs would break the signature once it's modified.  This is increasingly
frustrating with 3rd party libraries.

Apple may eventually allow traversing into these JARs with the --deep
signing option (it's smart enough to do it while validating for
notarization) but it wouldn't be smart enough to resign the JAR itself.
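
The order of operations described in the message above (extract the JAR, sign the native code, bundle the JAR, sign the JAR), as an added example that is not part of the original message or of any project it mentions. The names resign_natives and codesign, and the IDENTITY value, are hypothetical placeholders; dropping the old META-INF signature files so the final JAR-signing step starts clean is an assumption of this example.

```python
import os
import re
import subprocess
import tempfile
import zipfile

NATIVE = (".dylib", ".jnilib")
# JAR signature files that no longer match once any entry is modified
SIG = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.IGNORECASE)
IDENTITY = "Developer ID Application: EXAMPLE (TEAMID)"  # placeholder, not a real identity

def codesign(path):
    """Sign one native library in place (macOS only)."""
    subprocess.run(["codesign", "--force", "--timestamp", "--options", "runtime",
                    "-s", IDENTITY, path], check=True)

def resign_natives(jar_in, jar_out, sign=codesign):
    """Extract, sign the native code, and re-bundle into jar_out.

    Returns (signed_entries, dropped_signature_files). A non-empty second
    list means jar_in was a signed JAR, so jar_out must be signed again
    (for example with jarsigner) as the last step.
    """
    signed, dropped = [], []
    with tempfile.TemporaryDirectory() as tmp, \
         zipfile.ZipFile(jar_in) as src, \
         zipfile.ZipFile(jar_out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if SIG.match(info.filename):
                dropped.append(info.filename)  # stale after modification
                continue
            data = src.read(info)
            if info.filename.lower().endswith(NATIVE):
                # Flat temp name: never reuse entry paths taken from the archive
                path = os.path.join(tmp, "lib%d" % len(signed))
                with open(path, "wb") as f:
                    f.write(data)
                sign(path)  # the signature is embedded, so the bytes change
                with open(path, "rb") as f:
                    data = f.read()
                signed.append(info.filename)
            dst.writestr(info, data)
    return signed, dropped
```
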


More information about the jdk-dev mailing list