
Upgraded JDK from 13 to temurin-17; builds no longer successfully notarize with Apple.

The libjli seems to be known to be problematic, and much reading seems to refer always to removing all extended attributes before signing (xattr -cr); however, this doesn't change the outcome. Apple still complains as follows:

      "path": "DrumScoreEditor-2.92.dmg/DrumScoreEditor.app/Contents/runtime/Contents/MacOS/libjli.dylib",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"

Build process hasn't changed (other than to add in the xattr) and remains as:

$JAVA_HOME/bin/jlink --output runtime --add-modules java.base,java.desktop,java.datatransfer,java.prefs,java.xml,jdk.xml.dom --strip-native-commands

$JAVA_HOME/bin/jpackage \
  --type app-image \
  --dest bundles \
  -i build \
  -n DrumScoreEditor \
  --main-class org.whiteware.DrumScoreEditor \
  --main-jar DrumScoreEditor-$VERSION.jar \
  --app-version $VERSION \
  --runtime-image runtime \
  --copyright "Copyright (c) 2022 Alan R. White" \
  --vendor "drumscore.scot" \
  --file-associations autobuild/filetypes.txt \
  --resource-dir package/macosx

xattr -cr bundles/DrumScoreEditor.app

codesign --force --deep \
    --options runtime \
    --timestamp \
    --prefix org.whiteware.DrumScoreEditor \
    --entitlements autobuild/entitlements.txt \
    --sign "Developer ID Application: Alan White (XXXXXXXXXX)" \
    bundles/DrumScoreEditor.app

$JAVA_HOME/bin/jpackage \
  --type dmg \
  --dest bundles \
  -n DrumScoreEditor \
  --app-image bundles/DrumScoreEditor.app \
  --mac-package-identifier org.whiteware.DrumScoreEditor \
  --copyright "Copyright (c) 2022 Alan R. White" \
  --vendor "drumscore.scot" \
  --app-version $VERSION \
  --file-associations autobuild/filetypes.txt

xcrun altool --notarize-app \
etc

Has anyone successfully notarized a Java app with Temurin, and if so, can you help spot where I'm going wrong, please?

Hamish258
  • Looking at the jpackage source code, the signing capabilities seem more complete than when I built the above process, especially the --mac-entitlements argument. Having some initial success there; once I’ve got the customised runtime bit integrated too, I will post an answer. – Hamish258 Jan 23 '22 at 09:38

1 Answer


Simplifying the build process resolved the issue, specifically letting jpackage do the signing itself. Verbose mode shows how it's taking care of the signing on a per-file basis, removing any existing signature first.

$JAVA_HOME/bin/jpackage \
  --dest bundles \
  --input build \
  --name DrumScoreEditor \
  --main-class org.whiteware.DrumScoreEditor \
  --main-jar DrumScoreEditor-$VERSION.jar \
  --add-modules java.base,java.desktop,java.datatransfer,java.prefs,java.xml,java.logging \
  --app-version $VERSION \
  --copyright "Copyright (c) 2022 Alan R. White" \
  --vendor "drumscore.scot" \
  --file-associations autobuild/filetypes.txt \
  --mac-sign \
  --mac-package-signing-prefix org.whiteware.DrumScoreEditor \
  --mac-signing-key-user-name "Alan White (XXXXXXXXXX)" \
  --mac-package-name "Drum Score Editor" \
  --mac-entitlements autobuild/entitlements.txt \
  --resource-dir package/macosx \
  --verbose
Hamish258
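
A local pre-check for the failure described in the question, as an added example that is not part of the original posts: it runs `codesign --verify --strict` on each native file in the app image separately, so a file such as libjli.dylib whose signature does not verify is reported before the build is uploaded for notarization. The function names, the script name and the rule for picking files (`.dylib`/`.jnilib` suffix or owner execute bit) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original posts): check each native file in a
# jpackage app image on its own before submitting the build for notarization.

# Print candidate code files, one per line. Assumption: dylibs, jnilibs and
# files with the owner execute bit cover the native code in the image.
list_native_binaries() {
    find "$1" -type f \( -name '*.dylib' -o -name '*.jnilib' -o -perm -100 \) | sort
}

# Verify every candidate with codesign. Prints the paths whose signature does
# not verify and returns 1; returns 0 when all verify, 2 if codesign is absent.
verify_bundle() {
    command -v codesign >/dev/null 2>&1 || {
        echo "codesign not found (macOS only)" >&2
        return 2
    }
    failures=$(
        list_native_binaries "$1" | while IFS= read -r f; do
            # --strict applies the stricter validation rules.
            codesign --verify --strict "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
        done
    )
    if [ -n "$failures" ]; then
        printf 'signature does not verify:\n%s\n' "$failures"
        return 1
    fi
    echo "all native binaries verify"
}

# Usage (hypothetical script name): sh verify_bundle.sh bundles/DrumScoreEditor.app
[ "$#" -eq 0 ] || verify_bundle "$1"
```

Run it against the signed app image before building the dmg; a non-zero exit status means at least one file would be rejected with the same "signature of the binary is invalid" message.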