temurin-build
Mac builds failing due to sign_installer Notarization "Not signed" errors
https://ci.adoptium.net/job/build-scripts/job/release/job/sign_installer/9894/console
Notarization failed: {"uuid":"b9809b86-4789-4655-937c-d3895b9bbafe","notarizationStatus":{"status":"ERROR","message":"Notarization has failed on Apple notarization service","moreInfo":"Failed to notarize the requested file (status=Invalid). Error code=OptionalInt.empty. Reason: Optional.empty","log":"{\n \"logFormatVersion\": 1,\n \"jobId\": \"b868a917-04c1-4e28-b5dd-5fb0d6bb37a5\",\n \"status\": \"Invalid\",\n \"statusSummary\": \"Archive contains critical validation errors\",\n \"statusCode\": 4000,\n \"archiveFilename\": \"OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg\",\n \"uploadDate\": \"2023-10-10T08:57:27.708Z\",\n \"sha256\": \"c6c5eef2408ff9160a140a2d59b90fdffcec3d44d783a5e824932b8b42d538b8\",\n \"ticketContents\": null,\n \"issues\": [\n {\n \"severity\": \"error\",\n \"code\": null,\n \"path\": \"OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libdt_socket.dylib\",\n \"message\": \"The binary is not signed with a valid Developer ID certificate.\",\n \"docUrl\": \"https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721\",\n \"architecture\": \"arm64\"\n },\n {\n \"severity\": \"error\",\n \"code\": null,\n \"path\": \"OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libdt_socket.dylib\",\n \"message\": \"The signature does not include a secure timestamp.\",\n \"docUrl\": \"https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733\",\n
Examining the .dylibs shows they look as though they are signed, but the Notarization service seems to not think so....
The documentation link in the error states that:
You can only notarize apps that you sign with a Developer ID certificate. If you use any other certificate — like a Mac App Distribution certificate, or a self-signed certificate — notarization fails with the following message:
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libdt_socket.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libdt_socket.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
So it looks like 1 file in the archive is not signed and has no secure timestamp?
Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libdt_socket.dylib
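To triage a notarytool log like the one quoted above across all of its entries instead of reading it by eye, here is an added Python script (not part of temurin-build or the sign_installer job) that parses the log, groups the errors by file and lists which files the service considers not signed with a Developer ID certificate. It accepts both the bare log and the wrapper that sign_installer prints, whose notarizationStatus.log field carries the log as an embedded JSON string. The sample log embedded below is constructed with placeholder ids and paths in the same shape as the real one.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the notarytool log quoted in this issue.
# The jobId, archive name and paths are placeholders, not values from a real job.
SAMPLE_LOG = json.dumps({
    "logFormatVersion": 1,
    "jobId": "00000000-0000-0000-0000-000000000000",
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "statusCode": 4000,
    "archiveFilename": "example.pkg",
    "issues": [
        {"severity": "error", "code": None, "architecture": "arm64",
         "path": "example.pkg/Payload/lib/libdt_socket.dylib",
         "message": "The binary is not signed with a valid Developer ID certificate."},
        {"severity": "error", "code": None, "architecture": "arm64",
         "path": "example.pkg/Payload/lib/libdt_socket.dylib",
         "message": "The signature does not include a secure timestamp."},
        {"severity": "error", "code": None, "architecture": "arm64",
         "path": "example.pkg/Payload/bin/jpackageapplauncher",
         "message": "The binary is not signed with a valid Developer ID certificate."},
        {"severity": "error", "code": None, "architecture": "arm64",
         "path": "example.pkg/Payload/bin/jpackageapplauncher",
         "message": "The executable does not have the hardened runtime enabled."},
        {"severity": "warning", "code": None, "architecture": "arm64",
         "path": "example.pkg/Payload/lib/libosx.dylib",
         "message": "The signature does not include a secure timestamp."},
    ],
})

# The sign_installer job prints the log wrapped in a status object, with the
# log itself embedded as a JSON string; constructed here in that shape.
WRAPPED_LOG = json.dumps({
    "uuid": "00000000-0000-0000-0000-000000000000",
    "notarizationStatus": {
        "status": "ERROR",
        "message": "Notarization has failed on Apple notarization service",
        "log": SAMPLE_LOG,
    },
})


def extract_log(text):
    """Return the bare notarytool log JSON from either of the two forms above."""
    data = json.loads(text)
    if "notarizationStatus" in data:
        return data["notarizationStatus"]["log"]
    return text


def parse_log(text):
    """Return (status, issues) from a bare or wrapped notarytool log."""
    data = json.loads(extract_log(text))
    return data.get("status"), data.get("issues") or []


def issues_by_file(text, severity="error"):
    """Group distinct issue messages by the file they concern, for one severity."""
    _, issues = parse_log(text)
    grouped = defaultdict(set)
    for issue in issues:
        if issue.get("severity") == severity:
            grouped[issue["path"]].add(issue["message"])
    return {path: sorted(msgs) for path, msgs in grouped.items()}


def files_missing_developer_id(text):
    """Files the service says carry no valid Developer ID signature; these are
    the ones to re-check with codesign before resubmitting the archive."""
    return sorted(
        path for path, msgs in issues_by_file(text).items()
        if any(m.startswith("The binary is not signed") for m in msgs)
    )


def report(text):
    """Human-readable summary: one block per file, one line per distinct error."""
    status, _ = parse_log(text)
    lines = [f"status: {status}"]
    for path, msgs in sorted(issues_by_file(text).items()):
        lines.append(path)
        lines.extend(f"  - {m}" for m in msgs)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WRAPPED_LOG))
```

Feed it the `log` field saved from the Jenkins console or the output of `notarytool log`; the per-file grouping makes it obvious when a failure involves many binaries rather than the single one a first glance at the console suggests.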
I've started a new nightly jdk21u build here: https://ci.adoptium.net/job/build-scripts/job/jobs/job/jdk21u/job/jdk21u-mac-aarch64-temurin/10/
From the build script I see that you first use the code signing API at https://cbi.eclipse.org/macos/codesign/sign to sign the file and then notarize the archive. Maybe something in the signing went wrong; inspecting the logs. Do we also have a trace of whether the file in question, libdt_socket.dylib, is actually being signed?
In the error logs of the codesign service I don't find anything related to the libdt_socket.dylib file. The access logs don't indicate that the file was signed.
This line selects all dylibs with certain permissions to be set up for signing:
FILES=$(find "${TMP_DIR}" -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find "${TMP_DIR}" -perm /111 -type f -not -name '.*' -o -name '*.dylib')
Could it be that this specific file has different permissions and is thus not included?
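To see exactly which files that `find` expression picks up, here is an added shell demo (not from the temurin-build scripts) that runs the same expression over a constructed scratch directory holding files with different names and modes. Because `-o` binds more loosely than the implicit `-a`, the expression reads as `((-perm 111 -type f -not -name '.*') -o -name '*.dylib')`: any path ending in `.dylib` is selected regardless of its mode, type or leading dot, while other files are selected only when they are executable, regular and not hidden. The `2>/dev/null` on the first `find` is this demo's addition, so that GNU find's rejection of `-perm +111` does not clutter the output before the `-perm /111` fallback runs.

```shell
#!/bin/sh
# Added demo: which files the temurin-build selection line matches.
# The directory layout and file names below are constructed for the demo.

select_files() {
    # Same expression as the build script, with the GNU fallback after ||.
    find "$1" -perm +111 -type f -not -name '.*' -o -name '*.dylib' 2>/dev/null \
        || find "$1" -perm /111 -type f -not -name '.*' -o -name '*.dylib'
}

demo_selection() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib"
    # executable launcher (mode 755): matched by the permission branch
    : > "$dir/lib/launcher";             chmod 755 "$dir/lib/launcher"
    # non-executable .dylib (mode 644): matched anyway, via the -o -name branch
    : > "$dir/lib/libdt_socket.dylib";   chmod 644 "$dir/lib/libdt_socket.dylib"
    # non-executable plain file (mode 644): matched by neither branch
    : > "$dir/lib/notes.txt";            chmod 644 "$dir/lib/notes.txt"
    # hidden executable: excluded by -not -name '.*'
    : > "$dir/lib/.hidden";              chmod 755 "$dir/lib/.hidden"
    # hidden .dylib: the -o branch carries no -not -name test, so it is selected
    : > "$dir/lib/.libhidden.dylib";     chmod 644 "$dir/lib/.libhidden.dylib"
    # a directory whose name ends in .dylib: the -o branch carries no -type f either
    mkdir "$dir/lib/Bundle.dylib"
    # print the matches relative to the scratch root, in a fixed order
    select_files "$dir" | sed "s|^$dir/||" | LC_ALL=C sort
    rm -rf "$dir"
}

demo_selection
```

Expected output is `lib/.libhidden.dylib`, `lib/Bundle.dylib`, `lib/launcher` and `lib/libdt_socket.dylib`; `notes.txt` and `.hidden` are skipped. So a `.dylib` is never dropped for having unusual permissions, which rules out the permission theory for that file; the converse gap is a non-`.dylib` Mach-O (a `.jnilib`, or an executable that lost its x bit) that the loop would silently leave unsigned.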
Here is the build log showing the signing of libdt_socket.dylib by that loop:
09:40:38 + for f in $FILES
09:40:38 + echo 'Signing workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/libdt_socket.dylib using Eclipse Foundation codesign service'
09:40:38 Signing workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/libdt_socket.dylib using Eclipse Foundation codesign service
09:40:38 ++ dirname workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/libdt_socket.dylib
09:40:38 + dir=workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent
09:40:38 ++ basename workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/libdt_socket.dylib
09:40:38 + file=libdt_socket.dylib
09:40:38 + mv workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/libdt_socket.dylib workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/unsigned_libdt_socket.dylib
09:40:38 + curl -o workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/libdt_socket.dylib -F file=@workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/unsigned_libdt_socket.dylib -F entitlements=@/var/jenkins/workspace/build-scripts/jobs/release/jobs/jdk17u/jdk17u-release-mac-aarch64-temurin/entitlements.plist https://cbi.eclipse.org/macos/codesign/sign
09:40:38 % Total % Received % Xferd Average Speed Time Time Time Current
09:40:38 Dload Upload Total Spent Left Speed
09:40:38
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 144k 100 73376 100 74167 429k 433k --:--:-- --:--:-- --:--:-- 862k
09:40:38 + chmod --reference=workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/unsigned_libdt_socket.dylib workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/libdt_socket.dylib
09:40:38 + rm -rf workspace/build/src/build/macosx-aarch64-server-release/support/modules_libs/jdk.jdwp.agent/unsigned_libdt_socket.dylib
I could see the request in the access log, and there was no error during signing.
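The logged sequence (mv the original aside, `curl -o` the service response over the original path, `chmod --reference`, delete the unsigned copy) never checks the HTTP outcome or that the returned bytes are a Mach-O binary before the unsigned file is discarded. Here is an added shell routine (not code from temurin-build or the Eclipse CBI service) showing a per-file signing step that keeps the original until both checks pass. The `signer` argument is a stand-in for the curl upload to https://cbi.eclipse.org/macos/codesign/sign and is called as `signer <unsigned-input> <signed-output>`; the two fake signers and the demo files are constructed for the example.

```shell
#!/bin/sh
# Added example: sign one file through an external service without replacing
# it until the response is known to be a Mach-O binary.

is_macho() {
    # Accept thin 32/64-bit Mach-O (either byte order) and fat/universal magic.
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

sign_one_file() {
    f=$1
    signer=$2
    dir=$(dirname "$f")
    base=$(basename "$f")
    backup="$dir/unsigned_$base"
    out="$dir/signed_$base.tmp"
    cp -p "$f" "$backup" || return 1
    # Run the signer; on failure, an empty response or a non-Mach-O response
    # (an HTML error page, say) leave the original file untouched.
    if ! "$signer" "$backup" "$out" || [ ! -s "$out" ] || ! is_macho "$out"; then
        echo "signing failed for $f; keeping unsigned file" >&2
        rm -f "$out" "$backup"
        return 1
    fi
    # Overwrite the contents in place so the original mode and owner are kept,
    # which removes the need for chmod --reference.
    cat "$out" > "$f" && rm -f "$out" "$backup"
}

# Constructed stand-ins for the signing service, used only for the demo.
# 0xcffaedfe is the little-endian 64-bit Mach-O magic.
fake_signer_ok()   { printf '\317\372\355\376signed-payload' > "$2"; }
fake_signer_html() { printf '<html>503 Service Unavailable</html>' > "$2"; }

demo() {
    dir=$(mktemp -d)
    printf '\317\372\355\376unsigned' > "$dir/libdemo.dylib"
    chmod 755 "$dir/libdemo.dylib"
    sign_one_file "$dir/libdemo.dylib" fake_signer_ok && echo "ok: signed"
    sign_one_file "$dir/libdemo.dylib" fake_signer_html || echo "ok: rejected non-Mach-O response"
    rm -rf "$dir"
}

demo
```

With curl as the signer the equivalent is `curl --fail --silent --show-error -o "$2" -F "file=@$1" ...`, so that an HTTP error status fails the step instead of being written over the binary; the Mach-O check then catches the case where the service answers 200 with something that is not a signed binary.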
I could retrieve the full log when using notarytool to notarize the package:
{
"logFormatVersion": 1,
"jobId": "b868a917-04c1-4e28-b5dd-5fb0d6bb37a5",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg",
"uploadDate": "2023-10-10T08:57:27.708Z",
"sha256": "c6c5eef2408ff9160a140a2d59b90fdffcec3d44d783a5e824932b8b42d538b8",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libdt_socket.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libdt_socket.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libjdwp.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libjdwp.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jpackage.jmod/classes/jdk/jpackage/internal/resources/jpackageapplauncher",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jpackage.jmod/classes/jdk/jpackage/internal/resources/jpackageapplauncher",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jpackage.jmod/classes/jdk/jpackage/internal/resources/jpackageapplauncher",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.management.jmod/lib/libmanagement_ext.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.management.jmod/lib/libmanagement_ext.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.rmi.jmod/lib/librmi.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.rmi.jmod/lib/librmi.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.net.jmod/lib/libextnet.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.net.jmod/lib/libextnet.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.prefs.jmod/lib/libprefs.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.prefs.jmod/lib/libprefs.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libnet.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libnet.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libnio.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libnio.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libzip.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libzip.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libjimage.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libjimage.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libosxsecurity.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libosxsecurity.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libjava.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.base.jmod/lib/libjava.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libsplashscreen.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libsplashscreen.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libosxui.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libosxui.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libawt_lwawt.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libawt_lwawt.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libjavajpeg.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libjavajpeg.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libmlib_image.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libmlib_image.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libjsound.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libjsound.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libjawt.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libjawt.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libfontmanager.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libfontmanager.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/liblcms.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/liblcms.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libawt.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libawt.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libosx.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libosx.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libosxapp.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.desktop.jmod/lib/libosxapp.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.attach.jmod/lib/libattach.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.attach.jmod/lib/libattach.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.management.jmod/lib/libmanagement.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.management.jmod/lib/libmanagement.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.instrument.jmod/lib/libinstrument.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/java.instrument.jmod/lib/libinstrument.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.management.agent.jmod/lib/libmanagement_agent.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.management.agent.jmod/lib/libmanagement_agent.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.security.auth.jmod/lib/libjaas.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.security.auth.jmod/lib/libjaas.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
}
]
}
so it's not only a single file but many, but all of them are inside jmods.
Could it be that the dylibs that are packaged in the jmods have not been signed, and notarytool does now also check if they are signed as well, which it did not do before?
I've unzipped the archive OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1.tar.gz: And the Home/lib/libdt_socket.dylib does show as signed:
anleonar@anleonar-mac Downloads % codesign -dvvv jdk-17.0.8.1+1/Contents/Home/lib/libdt_socket.dylib
Executable=/Users/anleonar/Downloads/jdk-17.0.8.1+1/Contents/Home/lib/libdt_socket.dylib
Identifier=SigningServlet-7530518851525430414-unsigned_libdt_socket
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=772 flags=0x10000(runtime) hashes=14+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=5ae8ec416a1c5a2681aa6c553dace343180b172d
CandidateCDHashFull sha256=5ae8ec416a1c5a2681aa6c553dace343180b172dffcdc1311fea6a2fcffcd566
Hash choices=sha256
CMSDigest=5ae8ec416a1c5a2681aa6c553dace343180b172dffcdc1311fea6a2fcffcd566
CMSDigestType=2
CDHash=5ae8ec416a1c5a2681aa6c553dace343180b172d
Signature size=8998
Authority=Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=10 Oct 2023 at 09:51:37
Info.plist=not bound
TeamIdentifier=JCDTMS22B4
Runtime Version=11.1.0
Sealed Resources=none
Internal requirements count=1 size=216
However! The jdk-17.0.8.1+1/Contents/Home/jmods/jdk.jdwp.agent.jmod (libdt_socket.dylib) does not:
anleonar@anleonar-mac jmods % codesign -dvvv lib/libdt_socket.dylib
Executable=/Users/anleonar/Downloads/jdk-17.0.8.1+1/Contents/Home/jmods/lib/libdt_socket.dylib
Identifier=libdt_socket-555549446044422ba42e37d88da3986aae019e7a
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=750 flags=0x2(adhoc) hashes=14+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=cf4f8721822cb51d3e504f654b422f88471d26af
CandidateCDHashFull sha256=cf4f8721822cb51d3e504f654b422f88471d26aff146fd408114ebff082c9cad
Hash choices=sha256
CMSDigest=cf4f8721822cb51d3e504f654b422f88471d26aff146fd408114ebff082c9cad
CMSDigestType=2
CDHash=cf4f8721822cb51d3e504f654b422f88471d26af
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
if [[ "${BUILD_CONFIG[ASSEMBLE_EXPLODED_IMAGE]}" == "true" ]]; then
# This is required so that make will only touch the jmods and not re-compile them after signing
FULL_MAKE_COMMAND="make -t \&\& ${FULL_MAKE_COMMAND}"
fi
That sounds like the jmods do not include the signed dylibs after signing.
The currently running build has this set:
13:59:51 BUILD_CONFIG[ASSEMBLE_EXPLODED_IMAGE]="true"
So from my naive understanding of the build where I see that the jmods are built quite early on, you would have to sign the dylibs that are used to create them before building the jmods, or rebuild them again later on after signing.
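The two codesign dumps above differ in exactly the fields the notarization log complains about (no Developer ID authority chain, no Timestamp line, ad-hoc flags). As an added example that is not part of temurin-build, here is a small triage script that parses `codesign -dvvv` output and reports those notarization problems before a package is ever submitted; the two sample dumps are abridged from the output quoted above, and the hardened-runtime check is a third Apple notarization requirement that does not appear in this issue's log:

```python
"""Triage `codesign -dvvv` output for the notarization errors seen in this issue.
Added example, not temurin-build code. The sample dumps are abridged from the
two codesign outputs quoted above (lib/ copy vs the ad-hoc jmods/lib/ copy)."""
import re

DEVELOPER_ID_DUMP = """\
Executable=/Users/anleonar/Downloads/jdk-17.0.8.1+1/Contents/Home/lib/libdt_socket.dylib
Identifier=SigningServlet-7530518851525430414-unsigned_libdt_socket
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=772 flags=0x10000(runtime) hashes=14+5 location=embedded
Signature size=8998
Authority=Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=10 Oct 2023 at 09:51:37
TeamIdentifier=JCDTMS22B4
Runtime Version=11.1.0
"""

ADHOC_DUMP = """\
Executable=/Users/anleonar/Downloads/jdk-17.0.8.1+1/Contents/Home/jmods/lib/libdt_socket.dylib
Identifier=libdt_socket-555549446044422ba42e37d88da3986aae019e7a
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=750 flags=0x2(adhoc) hashes=14+5 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""

# The first two messages are the ones in the notarization log above; the third is
# Apple's hardened-runtime requirement, which this issue's log does not show.
NO_DEVELOPER_ID = "The binary is not signed with a valid Developer ID certificate."
NO_TIMESTAMP = "The signature does not include a secure timestamp."
NO_HARDENED_RUNTIME = "The executable does not have the hardened runtime enabled."


def parse_codesign(dump):
    """Parse `key=value` lines; repeated Authority lines are collected into a list."""
    info = {"Authority": []}
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    # CodeDirectory flags sit mid-line: 'flags=0x10000(runtime)' or 'flags=0x2(adhoc)'
    m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", dump)
    info["flags"] = m.group(1).split(",") if m else []
    return info


def notarization_issues(dump):
    """Return the messages notarytool would raise for this binary; [] means it looks fine."""
    info = parse_codesign(dump)
    issues = []
    has_dev_id = any(a.startswith("Developer ID Application:") for a in info["Authority"])
    if info.get("Signature") == "adhoc" or not has_dev_id:
        issues.append(NO_DEVELOPER_ID)
    if "Timestamp" not in info:
        issues.append(NO_TIMESTAMP)
    if "runtime" not in info["flags"]:
        issues.append(NO_HARDENED_RUNTIME)
    return issues


if __name__ == "__main__":
    for where, dump in (("Contents/Home/lib", DEVELOPER_ID_DUMP), ("jmods/lib", ADHOC_DUMP)):
        print(where, notarization_issues(dump) or ["OK"])
```

Running this against the real tree is a matter of feeding `codesign -dvvv <file> 2>&1` for every Mach-O into `notarization_issues`; anything that is not an empty list would fail notarization for the same reasons listed in the log above.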
I have a bit of a crazy idea, but I tested it and seemed to work fine.
In the sign.sh script, we extract the archive and sign all encountered dylib files. It will only find dylibs inside the archive, not any dylibs that are contained in a jmod.
To check if the archive contains all signed dylibs in the /Contents/Home/lib directory that are also contained in the various jmod files, I extracted all files from all jmods and compared the list. They are identical as far as I could see.
Now my idea is to regenerate the jmods by replacing the unsigned dylibs with the signed version.
The standard jmod tool does not support that, but I had the idea to use proguard as it can read / write jmods.
With a configuration like this (named replace.pro), I could replace any dylib in a jmod with the signed version:
-injars signed(**.dylib)
-injars jdk.jdwp.agent.jmod
-outjars jdk.jdwp.agent.signed.jmod
-dontobfuscate
-dontshrink
-dontoptimize
-ignorewarnings
-dontwarn
and then run
/home/tn/bin/proguard-7.4.0-beta02/bin/proguard.sh @replace.pro
That replaces the dylibs contained in a single jmod. One would dynamically create such a config file for all jmod files.
I use that beta version of proguard as this is the first to add support for JDK 21. Before that, I copy all signed dylibs into a directory named signed to make sure they are in the same directory structure as in the jmod (in a lib directory). Then proguard will read the jmod and just write it as is to the output, but the signed dylibs will be read first, so they take precedence when writing the output.
One could also quite easily write something in java to replace a file inside a jmod to avoid using proguard. Was using this to illustrate that it would be possible imho.
hmm the jmods will need to be post-processed as the hashes change and the module-info.class inside them will not match anymore. Running jmod hash might help though.
I have worked on some bytecode manipulation library that would be able to do that:
- read the jmod
- replace the dylib with signed version
- update hashes in all ModuleHashes attributes of all jmod
it would have to be smart to process all jmods in a directory in one go and determine dependencies between them as they depend on each other, and changing a jmod changes its hash ofc. But that could be doable.
Link to the library: https://github.com/TinyGearsOrg/bat
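The comparison described a few comments up (extract every jmod, compare its dylibs with the ones in Contents/Home/lib) and the "replace the dylib with the signed version" step from the list above can both be done without proguard or a bytecode library. The following is an added example, not temurin-build or OpenJDK code; it assumes the jmod layout written by the jmod tool (a 4-byte `JM` magic/version header followed by an ordinary zip), builds a constructed sample image with stand-in bytes instead of real Mach-O files, flags the jmod whose bundled libdt_socket.dylib differs from the loose copy, and rewrites it. It deliberately stops short of the ModuleHashes problem raised above, which still has to be handled afterwards:

```python
"""Find jmods whose bundled lib/*.dylib entries differ byte-for-byte from the signed
copies in Contents/Home/lib, then rebuild a jmod with the signed copies swapped in.
Added example, not temurin-build or OpenJDK code; assumes the jmod layout written by
the jmod tool: a 4-byte 'JM' magic/version header followed by an ordinary zip."""
import hashlib
import io
import os
import tempfile
import zipfile

JMOD_MAGIC = b"JM\x01\x00"


def read_jmod(path):
    """Return (header_bytes, ZipFile); the zip part is held entirely in memory."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != JMOD_MAGIC:
        raise ValueError(f"{path}: missing jmod magic header")
    return data[:4], zipfile.ZipFile(io.BytesIO(data[4:]))


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def is_dylib_entry(name):
    return name.startswith("lib/") and name.endswith(".dylib")


def find_mismatched_dylibs(jmods_dir, lib_dir):
    """Map jmod file name -> bundled dylib entries whose bytes differ from lib_dir/<basename>.
    An empty result means every bundled dylib is identical to the loose (signed) copy."""
    mismatches = {}
    for name in sorted(os.listdir(jmods_dir)):
        if not name.endswith(".jmod"):
            continue
        _, zf = read_jmod(os.path.join(jmods_dir, name))
        bad = []
        for entry in zf.namelist():
            if not is_dylib_entry(entry):
                continue
            loose = os.path.join(lib_dir, os.path.basename(entry))
            inner = hashlib.sha256(zf.read(entry)).hexdigest()
            if not os.path.exists(loose) or sha256_file(loose) != inner:
                bad.append(entry)
        if bad:
            mismatches[name] = bad
    return mismatches


def replace_dylibs(jmod_path, lib_dir, out_path):
    """Rewrite a jmod, substituting each lib/*.dylib entry with the copy from lib_dir.
    Caveat raised in the thread: the jmod's own hash changes, so ModuleHashes recorded in
    dependent modules' module-info.class still have to be regenerated afterwards."""
    header, zf = read_jmod(jmod_path)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as out:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if is_dylib_entry(info.filename):
                with open(os.path.join(lib_dir, os.path.basename(info.filename)), "rb") as f:
                    data = f.read()
            out.writestr(info, data)  # original entry metadata, replacement payload
    with open(out_path, "wb") as f:
        f.write(header + buf.getvalue())
    return out_path


def build_demo_image(root):
    """Constructed sample image: the jmod bundles an ad-hoc stand-in for libdt_socket.dylib
    while Contents/Home/lib holds the (notionally Developer ID signed) copy."""
    lib_dir = os.path.join(root, "Contents", "Home", "lib")
    jmods_dir = os.path.join(root, "Contents", "Home", "jmods")
    os.makedirs(lib_dir)
    os.makedirs(jmods_dir)
    signed, adhoc = b"stand-in: signed Mach-O", b"stand-in: ad-hoc Mach-O"  # not real binaries
    for lib in ("libdt_socket.dylib", "libjava.dylib"):
        with open(os.path.join(lib_dir, lib), "wb") as f:
            f.write(signed)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes/module-info.class", b"\xca\xfe\xba\xbe")
        z.writestr("lib/libdt_socket.dylib", adhoc)  # the mismatch notarytool flagged
        z.writestr("lib/libjava.dylib", signed)
    with open(os.path.join(jmods_dir, "jdk.jdwp.agent.jmod"), "wb") as f:
        f.write(JMOD_MAGIC + buf.getvalue())
    return jmods_dir, lib_dir


def demo():
    """Audit the sample image, repair its jmod in place, audit again: returns (before, after)."""
    root = tempfile.mkdtemp()
    jmods_dir, lib_dir = build_demo_image(root)
    jmod = os.path.join(jmods_dir, "jdk.jdwp.agent.jmod")
    before = find_mismatched_dylibs(jmods_dir, lib_dir)
    replace_dylibs(jmod, lib_dir, jmod)
    after = find_mismatched_dylibs(jmods_dir, lib_dir)
    return before, after


if __name__ == "__main__":
    print(demo())
```

`find_mismatched_dylibs` on its own is the cheap pre-notarization check: run it over a real `Contents/Home/jmods` and `Contents/Home/lib` after sign.sh has finished, and a non-empty result means the package still carries unsigned copies that notarytool will reject.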
> I have worked on some bytecode manipulation library that would be able to do that:
> - read the jmod
> - replace the dylib with signed version
> - update hashes in all ModuleHashes attributes of all jmod
>
> it would have to be smart to process all jmods in a directory in one go and determine dependencies between them as they depend on each other, and changing a jmod changes its hash ofc. But that could be doable.
>
> Link to the library: https://github.com/TinyGearsOrg/bat
So yes this is possible. I am going to add some debugging to our current process, before trying to re-write the processing which would be risky at this stage.
What is suspicious is, it seems the Mac x64 builds sign fine most of the time, it's only the Mac aarch64 that fails all the time...
Do you have a trace of a x64 build that is getting signed and notarized fine so I can check the notarization log? Maybe we should check if the x64 build has also dylibs inside the jmods. I find it strange that these dylibs seem to be duplicated anyways (inside the jmod and in the dedicated directory exploded).
Sure: This build: https://ci.adoptium.net/job/build-scripts/job/jobs/job/jdk17u/job/jdk17u-mac-x64-temurin/369/consoleFull Notarized here: https://ci.adoptium.net/job/build-scripts/job/release/job/sign_installer/9902/console
> Maybe we should check if the x64 build has also dylibs inside the jmods. I find it strange that these dylibs seem to be duplicated anyways (inside the jmod and in the dedicated directory exploded).
So yes that's standard, openjdk has a utility called "jlink" for creating custom JREs which creates new bundles from the required jmods, and dylibs in each
I can't access the notarization build to retrieve the uuid.
However, I downloaded the artifact that succeeded, extracted all files from the jmods and compared them to the dylib's in the Contents/Home/lib folder and the files are identical.
This is different to the other build that failed, where the jmods contained slightly different versions of the same dylibs (apparently signed vs unsigned).
> This is different to the other build that failed, where the jmods contained slightly different versions of the same dylibs (apparently signed vs unsigned).

yes, agree that's what I found with the bad build. The logic should be no different between x64 and aarch64,... so that's a bit puzzling! I'm running a build with extra debug here: https://ci.adoptium.net/job/build-scripts/job/jobs/job/jdk11u/job/jdk11u-mac-aarch64-temurin/247/console
the aarch64 build has
14:08:38 BUILD_CONFIG[MAKE_EXPLODED]="true"
while the x86 has
14:06:28 BUILD_CONFIG[MAKE_EXPLODED]="false"
that seems to change the build quite a lot from the logs.
> the aarch64 build has
> 14:08:38 BUILD_CONFIG[MAKE_EXPLODED]="true"
> while the x86 has
> 14:06:28 BUILD_CONFIG[MAKE_EXPLODED]="false"
> that seems to change the build quite a lot from the logs.
You're probably looking at the 2nd build within the log; if you do a find of the first instance of MAKE_EXPLODED in both, they will be "true".
I think this is the problem, as part of the 2nd build we are seeing :
14:27:11 /Users/jenkins/workspace/build-scripts/jobs/jdk11u/jdk11u-mac-aarch64-temurin/workspace/build/src/build/macosx-aarch64-normal-server-release/support/modules_libs/java.base/libnio.dylib: replacing existing signature
This did not used to occur.
Could it be that aarch64 is built with a different Xcode (12.4) compared to x86, which has different default settings for the code signing identity that is being used?
I can see the following code in mac.sh
# The configure option '--with-macosx-codesign-identity' is supported in JDK8 OpenJ9 and JDK11 and JDK14+
if [[ ( "$JAVA_FEATURE_VERSION" -eq 11 ) || ( "$JAVA_FEATURE_VERSION" -ge 14 ) ]]
then
export CONFIGURE_ARGS_FOR_ANY_PLATFORM="${CONFIGURE_ARGS_FOR_ANY_PLATFORM} --with-sysroot=/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/"
## Login to KeyChain
## shellcheck disable=SC2046
## shellcheck disable=SC2006
#security unlock-keychain -p `cat ~/.password` login.keychain-db
#rm -rf codesign-test && touch codesign-test
#codesign --sign "Developer ID Application: London Jamocha Community CIC" codesign-test
#codesign -dvvv codesign-test
#export BUILD_ARGS="${BUILD_ARGS} --codesign-identity 'Developer ID Application: London Jamocha Community CIC'"
fi
to explicitly set a code sign identity in some cases. Maybe with older Xcode versions the default was to not touch signatures, but with Xcode 12.4 it overwrites them or removes them when no identity is set.
Btw. I also checked older builds of aarch64 and the same message was there, it was probably not noticed as the previous notarization did not care.
The building.md in the jdk project says something about that:
https://github.com/adoptium/jdk21u/blob/7d0a937446d37ef2cd88ebf91b3a429134d447a0/doc/building.md?plain=1#L905
When searching for codesigning in the jdk repo, I found a variable MACOSX_CODESIGN_MODE
https://github.com/search?q=repo%3Aadoptium%2Fjdk%20MACOSX_CODESIGN_MODE&type=code
The build was switched to use the Eclipse Signing Service instead of doing code signing by xcode itself, I wonder if the configuration variable MACOSX_CODESIGN_MODE is explicitly set to disabled to avoid that codesign interferes at all during the build?
checking for macosx code signing mode... auto, default
15:20:24 checking for macosx code signing identity... openjdk_codesign, default
15:20:24 checking if codesign with hardened runtime is possible... no
15:20:24 checking if debug mode codesign is possible... yes
15:20:24 checking for macosx code signing mode... debug
for whatever reason these lines are missing for the x86 build, while they are there for the aarch64 build.
So it looks like in case of aarch64 a debug codesigning mode is enabled which will sign the dylibs with a debug identity which would explain the error messages from the notarization.
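The configure lines above, together with the "replacing existing signature" message seen earlier in the thread, are the tell-tale signs that OpenJDK's in-tree codesign step is active and re-signing dylibs before the external signing service runs. As an added example that is not temurin-build code, this is a small audit over a build log that pulls those facts out; SAMPLE_LOG is constructed from the lines quoted in this issue, and the `in_tree_codesign_active` verdict assumes that only a mode of `disabled` keeps make from touching signatures, which is what the discussion above proposes checking:

```python
"""Audit a JDK build log for the in-tree codesign activity discussed in this issue.
Added example, not temurin-build code. SAMPLE_LOG is constructed from the configure
output and the 'replacing existing signature' line quoted above."""
import os
import re

SAMPLE_LOG = """\
14:08:38 BUILD_CONFIG[MAKE_EXPLODED]="true"
15:20:24 checking for macosx code signing mode... auto, default
15:20:24 checking for macosx code signing identity... openjdk_codesign, default
15:20:24 checking if codesign with hardened runtime is possible... no
15:20:24 checking if debug mode codesign is possible... yes
15:20:24 checking for macosx code signing mode... debug
14:27:11 /Users/jenkins/workspace/build-scripts/jobs/jdk11u/jdk11u-mac-aarch64-temurin/workspace/build/src/build/macosx-aarch64-normal-server-release/support/modules_libs/java.base/libnio.dylib: replacing existing signature
"""

MODE_RE = re.compile(r"checking for macosx code signing mode\.\.\. (.+)$")
IDENTITY_RE = re.compile(r"checking for macosx code signing identity\.\.\. (.+)$")
RESIGN_RE = re.compile(r"(\S+\.dylib): replacing existing signature")


def audit_build_log(log):
    """Summarise what OpenJDK's own codesign step did, according to the log lines."""
    report = {"codesign_mode": None, "codesign_identity": None, "resigned": []}
    for line in log.splitlines():
        if m := MODE_RE.search(line):
            # configure prints the mode twice; the last occurrence is its final decision
            report["codesign_mode"] = m.group(1).split(",")[0].strip()
        elif m := IDENTITY_RE.search(line):
            report["codesign_identity"] = m.group(1).split(",")[0].strip()
        elif m := RESIGN_RE.search(line):
            report["resigned"].append(os.path.basename(m.group(1)))
    # Assumption: anything other than 'disabled' lets make re-sign dylibs with the
    # in-tree identity before the external signing service ever sees them.
    report["in_tree_codesign_active"] = report["codesign_mode"] not in (None, "disabled")
    return report


if __name__ == "__main__":
    print(audit_build_log(SAMPLE_LOG))
```

Pointed at the full console log of a failing aarch64 build and a passing x64 build, the two reports make the difference in `codesign_mode` and the list of re-signed libraries visible at a glance, rather than requiring a manual search for MAKE_EXPLODED or "replacing existing signature".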