Apple Notarization

Zheka Kozlov orionllmain at gmail.com
Tue Mar 5 11:19:11 UTC 2019


Hello Jessica. We also deliver our software with a bundled Java. In the
last couple of months, I was trying to overcome Apple notarization. I
finally managed to do it; however, after signing the Java executables and
dynamic libraries, it doesn't work anymore.

Here I'll describe the steps I did:

1. Downloaded JRE 10.0.2 for macOS from Oracle (I could use JDK 11 as well,
JR).

2. Ungzipped it with `tar -zxf`.

3. Signed all executables and dynamic libraries with
`codesign --force --verify --deep --verbose --sign <identity> --timestamp -o runtime --entitlements test.entitlements`
`-o runtime` enables the hardened runtime (which is required for successful
notarization).
test.entitlements is a file with entitlements. Its contents are:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>

4. Zipped the JRE and submitted it for notarization:
`xcrun altool --notarize-app --primary-bundle-id "<id here>" --username <user name> --file <jre zip file name>`

The archive successfully passed the notarization. However, the JRE is not
executable anymore. When I run `java -version`, it reports an error:
Error occurred during initialization of VM
Could not reserve enough space in CodeHeap 'non-nmethods' (2496K)

And I'm stuck here. I have no ideas on how to resolve this. I was trying to
read the JVM source code but with no luck (it requires deep knowledge of
the JVM internals).

Can anyone help with this? I would really appreciate it if someone helped me
to understand this error message.

Thanks.


Wed, 19 Dec 2018 at 03:51, Jessica Leigh <jessica at geneious.com>:

> I'm investigating the process of getting an application "notarized" for Mac
> OS. This is a process that Apple has introduced with Mac OS 10.14 Mojave,
> and they've indicated that it will be required for developer-signed
> applications in the near future. The process differs from code signing
> (applications are uploaded to Apple, where they're scanned and either
> notarized or rejected). More information is available from Apple:
>
> https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
>
> Our software is bundled with Java 11, and my attempts to find information
> on notarizing Java applications led me to some Stack Overflow questions
> that suggest there may be problems with JAR files, e.g.,
>
> https://stackoverflow.com/questions/53439639/notarize-java-app-for-distribution-on-mac-app-store
> , where dynamic libraries inside JARs aren't signed, which causes
> notarization to fail.
>
> Has any thought been put into preparing/signing Java for the purpose of
> notarization? It seems like Java might not be ready for this yet.
>
>
>
> *Dr. Jessica Leigh*
> Software Developer
> GENEIOUS
>
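
Added example (not part of the thread and not JDK code): a Python script that lists every Mach-O file in an unpacked JRE or application tree, i.e. the executables and dynamic libraries that step 3 signs, including native libraries packed inside JARs, the case the quoted message says makes notarization fail. The function names are this example's own; telling a universal binary from a .class file (both start with the bytes CA FE BA BE) relies on class-file major versions being at least 45.

```python
import io
import os
import sys
import zipfile

THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}  # 32/64-bit, both byte orders
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; the same bytes open a Java .class file
ZIP_MAGIC = b"PK\x03\x04"

def is_macho(head):
    """True if the first 8 bytes of a file look like a Mach-O image."""
    if head[:4] in THIN_MAGICS:
        return True
    if head[:4] == FAT_MAGIC and len(head) >= 8:
        # Fat header: big-endian architecture count, a small number. A .class
        # file has minor/major version here and major is at least 45.
        return int.from_bytes(head[4:8], "big") < 45
    return False

def scan_archive(data, label):
    """Yield 'label!entry' for Mach-O entries of a JAR/ZIP, nested archives included."""
    with zipfile.ZipFile(data) as zf:
        for info in zf.infolist():
            body = zf.read(info)
            name = f"{label}!{info.filename}"
            if is_macho(body[:8]):
                yield name
            elif body[:4] == ZIP_MAGIC:
                yield from scan_archive(io.BytesIO(body), name)

def find_macho(root):
    """Sorted list of Mach-O files under root, on disk and inside archives."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                head = fh.read(8)
            if is_macho(head):
                found.append(path)
            elif head[:4] == ZIP_MAGIC:
                found.extend(scan_archive(path, path))
    return sorted(found)

if __name__ == "__main__":
    print("\n".join(find_macho(sys.argv[1])))
```

Run it with the unpacked JRE or app directory as the only argument; a path containing `!` is an entry inside an archive rather than a file on disk.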


More information about the jdk-dev mailing list