
macos app notarization

Open nemqooo opened this issue 1 year ago • 8 comments

I'm submitting a…

  • [ ] bug report
  • [ ] feature request
  • [ x ] other

Short description of the issue/suggestion: The binaries within the app bundle seem to be not signed by the Developer ID certificate. The hardened codesign is turned on together with its notarization, and the correct keyChainProfile is entered. The app is being uploaded to Apple; however, the content is not signed.

  1. pom setup (screenshot 2023-12-28 13:22:21)

  2. notarization result (screenshot 2023-12-28 13:24:02)

  3. preview of the result log from Apple (screenshot 2023-12-28 13:22:01)

What is the expected behavior? Returned success result from the Apple Notarization API

What is the current behavior? Invalid status is being returned

Please tell us about your environment:

  • JavaPackager version: 1.7.5
  • OS version: Sonoma 14.1.1 (23B81)
  • JDK version: 21
  • Build tool:
    • [ x ] Maven
    • [ ] Gradle

nemqooo avatar Dec 28 '23 12:12 nemqooo

Hi @nemqooo! Sorry for my late reply. Could you share your POM, please?

fvarrui avatar Feb 23 '24 12:02 fvarrui

Hi Francisco,

thank you for getting back to me on this, really do appreciate it! Please find attached the POM from the project. Thank you.

Norbert

On 23. 2. 2024 at 13:37, Francisco Vargas Ruiz @.***> wrote:

Hi @nemqooo https://github.com/nemqooo! Sorry for my late reply. Could you share your POM, please?


nemqooo avatar Feb 24 '24 07:02 nemqooo

Hi Norbert! Sorry, but there's no POM attached. 😮

fvarrui avatar Feb 24 '24 22:02 fvarrui

Yeah, sorry, the extract from the POM is already attached. Thank you 😊

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.0</version>
        <relativePath/>
    </parent>
    <groupId>com.accute</groupId>
    <artifactId>Invoiceline</artifactId>
    <version>1.6.6-SNAPSHOT</version>
    <name>InvoiceLine</name>
    <description>Test</description>
    <properties>
        <java.version>21</java.version>
        <maven.compiler.source>21</maven.compiler.source>
        <maven.compiler.target>21</maven.compiler.target>
        <javafx.version>21</javafx.version>
        <javafx.maven.plugin.version>0.0.8</javafx.maven.plugin.version>
    </properties>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.openjfx</groupId>
                <artifactId>javafx-maven-plugin</artifactId>
                <version>0.0.8</version>
                <configuration>
                    <mainClass>com.accute.invoiceline.Invoiceline</mainClass>
                </configuration>
            </plugin>
            <plugin>
                <groupId>io.github.fvarrui</groupId>
                <artifactId>javapackager</artifactId>
                <version>1.7.5</version>
                <executions>
                    <execution>
                        <id>bundling-for-macos</id>
                        <phase>package</phase>
                        <goals>
                            <goal>package</goal>
                        </goals>
                        <configuration>
                            <platform>mac</platform>
                            <name>InvoiceLine</name>
                            <organizationName>accute</organizationName>
                            <version>1.6.6</version>
                            <mainClass>com.accute.invoiceline.Invoiceline</mainClass>
                            <bundleJre>true</bundleJre>
                            <customizedJre>false</customizedJre>
                            <iconFile>src/main/resources/favicon_mac.icns</iconFile>
                            <vmArgs>-Xmx1g -XX:+UseG1GC -Dprism.dirtyopts=false -Dsun.java2d.metal=true</vmArgs>
                            <additionalResources>
                                <additionalResource>src/main/resources</additionalResource>
                            </additionalResources>

                            <modules>
                                <module>javafx.controls</module>
                                <module>javafx.fxml</module>
                            </modules>
                            <macConfig>
                                <appId>Invoiceline</appId>
                                <developerId>[email protected]</developerId>
                                <codesignApp>true</codesignApp>
                                <hardenedCodesign>true</hardenedCodesign>
                                <notarizeApp>true</notarizeApp>
                                <keyChainProfile>accute</keyChainProfile>

                                <iconSize>100</iconSize>
                                <appsLinkIconY>210</appsLinkIconY>
                                <iconY>210</iconY>
                                <backgroundImage>src/main/resources/installer.png</backgroundImage>
                                <icnsFile>src/main/resources/favicon_mac.icns</icnsFile>
                                <generateDmg>true</generateDmg>
                                <generatePkg>false</generatePkg>
                                <volumeIcon>src/main/resources/favicon_mac.icns</volumeIcon>
                                <volumeName>InvoiceLine</volumeName>
                            </macConfig>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <configuration>
                    <source>21</source>
                    <target>21</target>
                    <compilerArgs>--enable-preview</compilerArgs>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>

nemqooo avatar Feb 25 '24 07:02 nemqooo

Your POM seems to be fine, so I need more info. Please, could you share all JP output? JP logs a message each time it executes an external tool like "codesign" ... are the files reported by Apple when notarizing in that list?

fvarrui avatar Feb 25 '24 19:02 fvarrui

Sure, here is the JP output (extract) together with the .json log from Apple's notarytool. All the errors have the same reason -> "The binary is not signed with a valid Developer ID certificate." The issue seems to be with the packager not signing the files, since during the packaging a bunch of errors relating to signing the files appear. Am I missing something?

[INFO]     Executing command: /bin/sh -c cd '/Users/norbertgalik/Documents/invoiceline/.' && 'codesign' -f --timestamp -s [email protected] /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libmanagement.dylib
[ERROR]     /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libmanagement.dylib: replacing existing signature
[INFO]     Executing command: /bin/sh -c cd '/Users/norbertgalik/Documents/invoiceline/.' && 'codesign' -f --timestamp -s [email protected] /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libgstreamer-lite.dylib
[ERROR]     /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libgstreamer-lite.dylib: replacing existing signature
[INFO]     Executing command: /bin/sh -c cd '/Users/norbertgalik/Documents/invoiceline/.' && 'codesign' -f --timestamp -s [email protected] /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libjsound.dylib
[ERROR]     /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libjsound.dylib: replacing existing signature
[INFO]     Executing command: /bin/sh -c cd '/Users/norbertgalik/Documents/invoiceline/.' && 'codesign' -f --timestamp -s [email protected] /Users/norbertgalik/Documents//invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libjfxwebkit.dylib
[ERROR]     /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libjfxwebkit.dylib: replacing existing signature
[INFO]     Current status: In Progress.........................
[INFO]     Current status: In Progress..........................
[INFO]     Current status: In Progress...........................
[INFO]     Current status: In Progress............................
[INFO]     Current status: In Progress.............................
[INFO]     Current status: In Progress..............................
[INFO]     Current status: In Progress...............................
[INFO]     Current status: In Progress................................
[INFO]     Current status: Invalid.................................Processing complete
[INFO]       id: 2ce2e22c-c735-4ace-8f7f-22c56ca3f445
[INFO]       status: Invalid
[INFO]     
[INFO]     Executing command: /bin/sh -c cd '/Users/norbertgalik/invoiceline/.' && 'xcrun' stapler staple /Users/norbertgalik/Documents//invoiceline/target/InvoiceLine/InvoiceLine.app
[INFO]     Processing: /Users/norbertgalik/Documents//invoiceline/target/InvoiceLine/InvoiceLine.app
[INFO]     CloudKit query for InvoiceLine.app (2/684f33420e8871fb88470dba837e26e8c3d2aa20) failed due to "Record not found".
[INFO]     Could not find base64 encoded ticket in response for 2/684f33420e8871fb88470dba837e26e8c3d2aa20
[INFO]     The staple and validate action failed! Error 65.
{
  "logFormatVersion": 1,
  "jobId": "2ce2e22c-c735-4ace-8f7f-22c56ca3f445",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "InvoiceLine.app-notarization.zip",
  "uploadDate": "2024-02-25T20:00:18.641Z",
  "sha256": "8a57cbb995ccc4028ee9308bc2b89035d11689ad241f6919e8b64a7e37a577c2",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "InvoiceLine.app-notarization.zip/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jwebserver",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "InvoiceLine.app-notarization.zip/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jarsigner",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "InvoiceLine.app-notarization.zip/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jfr",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    

nemqooo avatar Feb 25 '24 20:02 nemqooo

Please, try to run next command to check if the app is properly signed:

codesign -dv --verbose=4 /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app

Not sure, but maybe the "The binary is not signed with a valid Developer ID certificate" message is related to the "replacing existing signature" error when codesigning files. All those are the JRE's binary files.

fvarrui avatar Feb 26 '24 00:02 fvarrui

The app seems to be signed by the certificate from Apple (hashes adjusted). I have once again checked all the errors from the notary tool; you are right, most of them relate to JRE files. However, at the end, there is also one error related to the app package: "The signature does not include a secure timestamp."

{
      "severity": "error",
      "code": null,
      "path": "InvoiceLine.app-notarization.zip/InvoiceLine.app/Contents/Resources/Java/Invoiceline-1.6.6-SNAPSHOT-runnable.jar/libJTouchID.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "x86_64"
    }
Executable=/Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/MacOS/universalJavaApplicationStub
Identifier=Invoiceline
Format=bundle with generic
CodeDirectory v=20200 size=267 flags=0x10000(runtime) hashes=1+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=fdec0e33e3f0asdasf2341d4cc1812970feac74d
CandidateCDHashFull sha1=fdec0e34233fasf098fd4cc1812970feac74d
CandidateCDHash sha256=684f33420e8871fb88470d533FAS8c3d2aa20
CandidateCDHashFull sha256=684f33420e8871fb88470db43DAFCsdasdrw8c3d2aa206b8470b58adb6add3d37fsfd53ac
Hash choices=sha1,sha256
CMSDigest=6f8df9ef591c05ef69ae28f604e15eef5a0f79032ae3f5219d97fa8124162b
CMSDigestType=2
Page size=none
CDHash=68123412das3420e8871fb88470dba837e26e8c3gsdc0
Signature size=9183
Authority=Apple Development: [email protected] (XXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=25 Feb 2024 at 20:58:58
Info.plist entries=19
TeamIdentifier=XXXXXXXXX
Sealed Resources version=2 rules=13 files=163
Internal requirements count=2 size=236

nemqooo avatar Feb 26 '24 05:02 nemqooo

If anyone would have issues with this, I have managed to solve the issue:

  1. be careful what type of Apple Developer certificate you are using - at first I was using the Developer ID Installer; however, after using the Developer ID Application cert. I have moved forward.
  2. I have used a custom library for TouchID for MacBooks (.dylib) which I had to exclude, since signing it didn't work properly and this one file blocked me from notarizing the app.

Now the app is signed and notarized successfully.

Thanks

nemqooo avatar Aug 17 '24 06:08 nemqooo
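An added pre-flight check, not JavaPackager's code nor the reporter's, that reads the two artifacts this thread inspects, the `codesign -dv --verbose=4` output and the notarytool JSON log, and flags what the resolution hinged on: a leaf certificate other than Developer ID Application, a missing hardened-runtime flag or secure timestamp, and errors whose path lies inside a jar or the bundled JRE. The sample inputs are constructed to mirror the thread's output; the e-mail address and team id are placeholders.

```python
import json
# Constructed `codesign -dv --verbose=4` sample modelled on the thread's (placeholder e-mail/team id).
CODESIGN_OUTPUT = """\
CodeDirectory v=20200 size=267 flags=0x10000(runtime) hashes=1+5 location=embedded
Authority=Apple Development: developer@example.com (TEAMID0000)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=25 Feb 2024 at 20:58:58
TeamIdentifier=TEAMID0000
"""

# Constructed extract of a notarytool JSON log with the two error kinds from the thread.
NOTARY_LOG = json.dumps({"issues": [
    {"severity": "error", "architecture": "x86_64",
     "path": "App.zip/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jwebserver",
     "message": "The binary is not signed with a valid Developer ID certificate."},
    {"severity": "error", "architecture": "x86_64",
     "path": "App.zip/InvoiceLine.app/Contents/Resources/Java/app-runnable.jar/libJTouchID.dylib",
     "message": "The signature does not include a secure timestamp."},
]})

def check_codesign(text):
    """Flag what notarization needs: Developer ID Application leaf cert, runtime flag, timestamp."""
    fields, authorities = {}, []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key = key.split()[0] if key.strip() else ""  # "CodeDirectory v=20200 ..." -> CodeDirectory
        if key == "Authority":
            authorities.append(value)  # first Authority line is the leaf (signing) certificate
        elif key:
            fields[key] = value
    leaf = authorities[0] if authorities else ""
    findings = []
    if not leaf.startswith("Developer ID Application:"):
        findings.append(f"leaf certificate is '{leaf}'; notarization needs Developer ID Application")
    if "(runtime)" not in fields.get("CodeDirectory", ""):
        findings.append("hardened runtime flag missing (sign with --options runtime)")
    if "Timestamp" not in fields:
        findings.append("no secure timestamp (sign with --timestamp)")
    return findings

def triage_notary_log(log_json):
    """Group notarytool errors by message and by location: bundled JRE, inside a jar, or the app."""
    groups = {}
    errors = [i for i in json.loads(log_json).get("issues", []) if i.get("severity") == "error"]
    for issue in errors:
        path = issue["path"]  # a dylib inside a jar cannot be signed in place; exclude or unpack it
        where = "jar" if ".jar/" in path else "jre" if "/jre.jre/" in path else "app"
        groups.setdefault(issue["message"], {}).setdefault(where, []).append(path)
    return groups
```

Run `check_codesign` on the real output of `codesign -dv --verbose=4 <app>` and `triage_notary_log` on the log fetched with `xcrun notarytool log <id>` before re-uploading; a non-empty findings list or a "jar" bucket means the upload will fail again.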