Codesign fixes and notarization support #307
Fixes both having no entitlements file and signing the wrong path in `codesign`. Fixes javapackager#306
Also rework codesigning to follow the same pattern as jpackage, which matches the official guidelines of only explicitly signing executable code (dylibs and executables), properly wrapping the jdk in a macOS bundle, and only attaching entitlements/hardened runtime to executables. This combination of changes ensures that signing works even without preserving filesystem extended attributes, as tends to happen when zipping application bundles, because Mach-O files have signatures embedded in the file contents whereas all other file types have their signatures stored in FS extended attributes. (Non-code files do get signed, but only through the manifest on the bundle itself so the file doesn't need modification.) This has been tested on a clean macOS 13.2.1 VM that has gatekeeper using its default settings. The VM was disconnected from the internet after downloading to validate the notarization and stapling. The user is prompted to confirm opening an application that came from the internet, as one is with any properly signed and notarized application that was downloaded from the internet. fixes javapackager#286
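The signing pattern the description lays out (find executable code by its Mach-O header rather than by extension, sign only that with the hardened runtime and entitlements, then seal the bundle, notarize and staple) as an added shell example; it is not JavaPackager's code or this PR's implementation. It assumes the environment variables IDENTITY, ENTITLEMENTS and PROFILE described in the header comment, and a cut-off of 16 architectures to tell a fat Mach-O header from a Java class file, which shares the same magic bytes. Only the detection functions run off macOS; the codesign, notarytool, stapler and spctl calls need a Mac with the certificate in the keychain.

```shell
#!/bin/sh
# Added example, not JavaPackager's or this PR's code. Assumptions:
# IDENTITY     "Developer ID Application: ..." certificate name in the keychain
# ENTITLEMENTS path to the entitlements plist applied to executables only
# PROFILE      keychain profile created with `xcrun notarytool store-credentials`
set -eu

# Mach-O magic as hex of the first four bytes on disk:
#   feedface / feedfacf   big-endian 32-bit / 64-bit
#   cefaedfe / cffaedfe   little-endian 32-bit / 64-bit (x86_64, arm64)
#   cafebabe              fat (universal) header
# cafebabe is also the Java class-file magic, so that case checks the second
# word: a fat header stores a small architecture count, a class file stores
# its version (>= 45). The cut-off of 16 is an assumed heuristic.
is_macho() {
    hex=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        feedface*|feedfacf*|cefaedfe*|cffaedfe*) return 0 ;;
        cafebabe*)
            [ "${#hex}" -ge 16 ] || return 1
            count=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c9-16)")
            if [ "$count" -gt 0 ] && [ "$count" -lt 16 ]; then return 0; fi
            return 1 ;;
        *) return 1 ;;
    esac
}

# List Mach-O files under a directory, deepest paths first, so nested code
# (the bundled JDK, plug-ins) is signed before the code that contains it.
find_macho() {
    find "$1" -type f | while IFS= read -r f; do
        if is_macho "$f"; then printf '%s\n' "$f"; fi
    done | awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
}

# Print the Team ID recorded in a signature ("not set" for ad-hoc or
# self-signed code, which library validation rejects in a hardened process).
team_id() {
    codesign -dvv "$1" 2>&1 | sed -n 's/^TeamIdentifier=//p'
}

sign_bundle() {
    app=$1
    find_macho "$app" | while IFS= read -r f; do
        # Hardened runtime and entitlements go only on executable code.
        # The signature is written into the Mach-O file itself, so it
        # survives zip/unzip even though extended attributes do not.
        codesign --force --options runtime --timestamp \
            --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$f"
    done
    # Signing the bundle seals every other file through
    # _CodeSignature/CodeResources without modifying those files.
    codesign --force --options runtime --timestamp \
        --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$app"
    codesign --verify --deep --strict --verbose=2 "$app"
}

notarize_and_staple() {
    app=$1
    zip="${app%.app}.zip"
    ditto -c -k --keepParent "$app" "$zip"
    xcrun notarytool submit "$zip" --keychain-profile "$PROFILE" --wait
    # The ticket is stapled to the .app; rebuild the zip/dmg afterwards.
    xcrun stapler staple "$app"
    # Gatekeeper check; expect "accepted" with source=Notarized Developer ID.
    spctl --assess --type execute --verbose=2 "$app"
}

# Usage (macOS only): sh sign_and_notarize.sh MyApp.app
case "${1:-}" in
    *.app) sign_bundle "$1"; notarize_and_staple "$1" ;;
esac
```

Two checks worth knowing when reading the build output: `codesign --force` on a file that already carries a signature reports "replacing existing signature" on stderr, which is informational, so a build wrapper that maps stderr to its ERROR level will show it as an error; and `team_id` on a dylib that fails library validation with "mapped file has no Team ID" will print "not set", which points at an ad-hoc (`-s -`) or non-Developer-ID identity rather than at the bundle layout.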
Hi @maths22!
Great work, thanks!!
I've just merged into pr-307 branch. I'm not able to test it ... please, feedback!!!
Dear guys,
I would like to test the fix, but I am unable to find branch pr-307.
What must I do in order to checkout this branch?
Thanks in advance
Thorsten
Hi @treimers!!!
Branch pr-307 was probably merged into devel.
Nice to talk with you again 😃
Hi @fvarrui,
quick response, thanks 😃
Yes, nice to get in touch again!
I shall try devel and come back to you.
Ok, it helped with our problem under Mac OS Catalina with error:
/Applications/datasqill.app/Contents/PlugIns/jre/Contents/Home/bin/../lib/libjli.dylib: code signature in (/Applications/datasqill.app/Contents/PlugIns/jre/Contents/Home/bin/../lib/libjli.dylib) not valid for use in process using Library Validation: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)
Thank you very much guys!
I am getting several error messages during build
[WARNING] Entitlements file not specified. Using defaults!
[INFO] Executing command: /bin/sh -c cd '/Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/.' && 'codesign' -f -o runtime --entitlements /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/assets/entitlements.plist --timestamp -s - /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jarsigner
[ERROR] /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jarsigner: replacing existing signature
[INFO] Executing command: /bin/sh -c cd '/Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/.' && 'codesign' -f -o runtime --entitlements /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/assets/entitlements.plist --timestamp -s - /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jaotc
[ERROR] /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jaotc: replacing existing signature
[INFO] Executing command: /bin/sh -c cd '/Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/.' && 'codesign' -f -o runtime --entitlements /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/assets/entitlements.plist --timestamp -s - /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jfr
[ERROR] /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jfr: replacing existing signature
[INFO] Executing command: /bin/sh -c cd '/Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/.' && 'codesign' -f -o runtime --entitlements /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/assets/entitlements.plist --timestamp -s - /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/rmid
...
Maybe ERROR in the output means that the message is written to "stderr"? Do you get these messages also?
But the good news is that it is finally working. Thanks!
Best I can tell, codesign always logs those "errors" that aren't really errors, so you should be good to ignore that.
Ah ok, thanks.
I did understand now that [ERROR] is the log level. So these warnings are written with level "error".
Fixes both having no entitlements file and signing the wrong path
in `codesign`. Add support for notarization.
Also rework codesigning to follow the same pattern as jpackage,
which matches the official guidelines of only explicitly signing
executable code (dylibs and executables), properly wrapping the jdk
in a macOS bundle, and only attaching entitlements/hardened runtime
to executables. This combination of changes ensures that signing
works even without preserving filesystem extended attributes, as
tends to happen when zipping application bundles, because Mach-O
files have signatures embedded in the file contents whereas all
other file types have their signatures stored in FS extended
attributes. (Non-code files do get signed, but only through the
manifest on the bundle itself so the file doesn't need
modification.)
This has been tested on a clean macOS 13.2.1 VM that has gatekeeper
using its default settings. The VM was disconnected from the
internet after downloading to validate the notarization and
stapling. The user is prompted to confirm opening an application
that came from the internet, as one is with any properly signed
and notarized application that was downloaded from the internet.
fixes #306
fixes #286