How do I modify my Java appbundler build to sign 3rd party library

Time: 04-14

I have added a new dependency to my Java application that includes two dynamic libs (intel/arm64 versions) and now my application is failing notarisation because

songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-aarch64-3.4.10.dylib

In this example I am building on an M1 Mac.

{
    "logFormatVersion": 1,
    "jobId": "f90d1f17-d51c-4b13-95d5-3629126aa3b8",
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "statusCode": 4000,
    "archiveFilename": "songkong-osx.dmg",
    "uploadDate": "2022-04-13T15:16:01Z",
    "sha256": "44742c010d90183f2129c675a81377f89a6321a17eaee54ecb45fa638132686c",
    "ticketContents": null,
    "issues": [
        {
            "severity": "error",
            "code": null,
            "path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-x86_64-3.4.10.dylib",
            "message": "The binary is not signed.",
            "docUrl": null,
            "architecture": "x86_64"
        },
        {
            "severity": "error",
            "code": null,
            "path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-x86_64-3.4.10.dylib",
            "message": "The signature does not include a secure timestamp.",
            "docUrl": null,
            "architecture": "x86_64"
        },
        {
            "severity": "error",
            "code": null,
            "path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-aarch64-3.4.10.dylib",
            "message": "The binary is not signed with a valid Developer ID certificate.",
            "docUrl": null,
            "architecture": "arm64"
        },
        {
            "severity": "error",
            "code": null,
            "path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-aarch64-3.4.10.dylib",
            "message": "The signature does not include a secure timestamp.",
            "docUrl": null,
            "architecture": "arm64"
        }
    ]
}

I have the credentials and build system to notarise my own application, but I don't know how this fits in with signing the third-party dynamic lib.

This is the signing part of my build:

export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --deep --verbose /Applications/SongKong.app
/usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
spctl -a -t exec -vv /Applications/SongKong.app
cd $HOME/code/jthink/SongKong
/usr/local/bin/dmgcanvas $HOME/code/jthink/SongKong/dmgCanvas_songkong.dmgCanvas $HOME/songkong-osx.dmg -v SongKong 

How do I modify it to additionally sign this dynamic library?

Edit: It seems that even though I am using --deep it is not going deep enough?

/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --deep --verbose /Applications/SongKong.app

and so, although the verification appears ok,

/usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
spctl -a -t exec -vv /Applications/SongKong.app

when it is actually sent to Apple for notarization (via the dmgCanvas app) it then detects these libraries and fails the notarization step.

So how do I make codesign go deeper?

Edit 2:

I read https://developer.apple.com/forums/thread/128166 and https://developer.apple.com/forums/thread/129980

and it seems that --deep doesn't always work, so I added a codesign of the jar, which seemed to work:

/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --verbose /Applications/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar

but notarization continued to fail.

One other thing I notice is that there seems to be another codesign done of the dmg rather than the app just before the notarization (my DmgCanvas); could that be the issue?

What do I need to notarize: the app, the dmg, or both?

CodePudding user response:

To sign casampledsp libraries, I do the following:

# sign dylibs in jars
unzip -j jar_dir/casampledsp-complete* '*.dylib'
codesign -vvv -f --sign "Developer ID Application: Whatever Your Name Is" *.dylib
jar -uvf jar_dir/casampledsp-complete*  casampledsp*
rm casampledsp*

I.e. I extract the *.dylib files, sign them, and stick them back into the jar using the jar flags -uvf.

To make this work for your app, just replace jar_dir with the directory name of your macOS app jars.

CodePudding user response:

Okay, so the key thing is that files cannot be signed while inside a jar file, but the notarization step will find them and fail notarization if they are not signed, so they have to be signed outside of the jar and then put back in.

Based on Hendrik's answer, I extended the signing part of my build to:

unzip -j /Applications/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar -d /Applications/SongKong.app/Contents/Java/EXTRACT
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
/usr/bin/codesign --timestamp --options runtime \
--sign "Developer ID Application: P Taylor" \
--force --verbose /Applications/SongKong.app/Contents/Java/EXTRACT/*.dylib
cd /Applications/SongKong.app/Contents/Java/EXTRACT
jar -uvf /Applications/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar *.dylib
rm -fr /Applications/SongKong.app/Contents/Java/EXTRACT
cd $HOME/code/jthink/songkong
/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --deep --verbose /Applications/SongKong.app
/usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
/usr/bin/codesign -d --deep --strict /Applications/SongKong.app
spctl -a -t exec -vv /Applications/SongKong.app
cd $HOME/code/jthink/SongKong
/usr/local/bin/dmgcanvas $HOME/code/jthink/SongKong/dmgCanvas_songkong.dmgCanvas $HOME/songkong-osx.dmg -v SongKong -identity "Developer ID Application: P Taylor" -notarizationAppleID [email protected] -notarizationPassword xxxxxxxxxxxxxxxxxxxxx -notarizationPrimaryBundleID songkong
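As an added example (not the poster's or the answerers' code), the extract / sign / put-back procedure above generalised to every jar under Contents/Java, and extended to libraries stored in subdirectories of a jar, which the `unzip -j` / `jar -uvf *.dylib` pair would re-add at the jar root instead of replacing. It is written in Python because zipfile rebuilds the archive portably; `codesign_file`, `native_entries`, `resign_jar`, `resign_app_jars` and the placeholder IDENTITY are my names, and the signer is injectable so the rebuild logic can be exercised without a Developer ID certificate.

```python
from __future__ import annotations
import shutil, subprocess, tempfile, zipfile
from pathlib import Path
from typing import Callable

NATIVE_SUFFIXES = (".dylib", ".jnilib")
IDENTITY = "Developer ID Application: YOUR NAME (TEAMID)"  # assumed placeholder identity

def codesign_file(path: Path, identity: str = IDENTITY) -> None:
    """Sign one Mach-O file with hardened runtime and a secure timestamp (what the log above lacks)."""
    subprocess.run(["/usr/bin/codesign", "--timestamp", "--options", "runtime",
                    "--force", "--sign", identity, str(path)], check=True)

def native_entries(jar: Path) -> list[str]:
    """Names of native libraries stored in a jar, at any directory depth."""
    with zipfile.ZipFile(jar) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(NATIVE_SUFFIXES)]

def resign_jar(jar: Path, signer: Callable[[Path], None] = codesign_file) -> list[str]:
    """Extract, sign and write back every native library in `jar`; returns their names.
    The jar is rebuilt entry by entry so names, order and compression are preserved."""
    names = native_entries(jar)
    if not names:
        return []
    tmp = Path(tempfile.mkdtemp())
    try:
        with zipfile.ZipFile(jar) as zf:
            for name in names:
                zf.extract(name, tmp)  # codesign needs a real file, not a zip entry
                signer(tmp / name)
            rebuilt = tmp / "rebuilt.jar"
            with zipfile.ZipFile(rebuilt, "w") as out:
                for info in zf.infolist():
                    copy = zipfile.ZipInfo(info.filename, info.date_time)
                    copy.compress_type, copy.external_attr = info.compress_type, info.external_attr
                    out.writestr(copy, (tmp / info.filename).read_bytes() if info.filename in names else zf.read(info))
        shutil.move(str(rebuilt), str(jar))  # swap in the rebuilt jar only once it is complete
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    return names

def resign_app_jars(app: Path, signer: Callable[[Path], None] = codesign_file) -> dict[str, list[str]]:
    """Re-sign natives in every jar under Contents/Java. Run this BEFORE codesigning
    the .app itself: rewriting a jar afterwards invalidates the bundle's seal."""
    report = {}
    for jar in sorted((app / "Contents" / "Java").rglob("*.jar")):
        signed = resign_jar(jar, signer)
        if signed:
            report[str(jar.relative_to(app))] = signed
    return report
```

Call `resign_app_jars(Path("/Applications/SongKong.app"))` in place of the per-jar unzip / codesign / jar lines, then run the existing `codesign --deep` of the .app and its verification as before.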