sqlite-jdbc
libsqlitejdbc.jnilib not signed
Hey guys, I uploaded our application to Apple to get notarized (new in macOS 10.14):
xcrun altool --notarize-app -f DMG_FILE --primary-bundle-id BUNDLE_ID -u USERNAME -p PASSWORD
The result is that the application won't get notarized because the mentioned file in title is not signed.
The report says:
{
"severity": "error",
"code": null,
"path": "application.dmg/application Installer.app/Contents/Resources/app/0.dat/application.jar/org/sqlite/native/Mac/x86_64/libsqlitejdbc.jnilib",
"message": "The binary is not signed.",
"docUrl": null
},
Any information about this?
Hi Dominic, any info on how to solve the problem? When I go to notarize my app I get messages:
"path": "mypath/.bundled/nw/gephi-toolkit-0.8.2.jar/native/Mac/i386/libsqlitejdbc.jnilib",
"message": "The binary is not signed.",
"message": "The signature does not include a secure timestamp.",
"path": "mypath/.bundled/nw/gephi-toolkit-0.8.2.jar/native/Mac/x86_64/libsqlitejdbc.jnilib",
"message": "The binary is not signed.",
"message": "The signature does not include a secure timestamp."
- Aaron
Confusing... Last year I was able to notarize our application. But I tried again some hours ago and it didn't work.
Once I have time I will check and report back.
Thanks Dominic, Aaron
-- Aaron Brandes, Software Developer Center for Connected Learning and Computer-Based Modeling
From: Dominic Mey
Date: Monday, March 9, 2020 at 8:42 AM
Subject: Re: [xerial/sqlite-jdbc] libsqlitejdbc.jnilib not signed (#383)
> Confusing... Last year I was able to notarize our application. But I tried again some hours ago and it didn't work.
> Once I have time I will check and report back.
Hi,
is there any update on the notarization/signing issue? Since which sqlite-jdbc version are the binaries signed with a hardened runtime enabled?
Greez, Dirk
Hi Dirk, I have not yet tried gephi-toolkit-0.9.2-all.jar.
I tried today to notarize an application using gephi-toolkit-0.8.2-all.jar.
The macOS notarization failed and gave error information for both gephi-toolkit-0.8.2-all.jar/native/Mac/x86_64/libsqlitejdbc.jnilib and gephi-toolkit-0.8.2-all.jar/native/Mac/i386/libsqlitejdbc.jnilib:
The binary is not signed. The signature does not include a secure timestamp.
I also got the same issue for Java libraries such as JRE/Contents/Home/jre/lib/libAppleScriptEngine.dylib. Evidently the fix for the Java libraries will be included in JDK 8u261, which is not yet scheduled for release.
Thanks for reaching out.
Aaron
-- Aaron Brandes, Software Developer Center for Connected Learning and Computer-Based Modeling
From: Dirk Fauth
Date: Thursday, June 4, 2020 at 8:55 AM
Subject: Re: [xerial/sqlite-jdbc] libsqlitejdbc.jnilib not signed (#383)
> Hi,
> is there any update on the notarization/signing issue? Since which sqlite-jdbc version are the binaries signed with a hardened runtime enabled?
> Greez, Dirk
Hello, I get the same error:
{
"severity": "error",
"code": null,
"path": "app/sqlite-jdbc-3.30.1.jar/org/sqlite/native/Mac/x86_64/libsqlitejdbc.jnilib",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "app/lib/sqlite-jdbc-3.30.1.jar/org/sqlite/native/Mac/x86_64/libsqlitejdbc.jnilib",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
Thanks, Mike
You need to self-sign all unsigned binaries in sqlite to get the package signed.
Maybe you are interested in how to self-sign a binary:
- Download latest release: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.32.3/sqlite-jdbc-3.32.3.jar
- Unzip .jar file
- Navigate to org/sqlite/native/Mac/x86_64/
- Self sign libsqlitejdbc.jnilib:
find . -type f \( -name "*.jnilib" -o -name "*.so" \) -print0 | xargs -0 codesign -s "YOUR DEVELOPER ID" -v
- Put signed binary back into .jar:
jar -uf sqlite-jdbc-3.32.3.jar -C sqlite-jdbc-3.32.3 org/sqlite/native/Mac/x86_64/libsqlitejdbc.jnilib
Then you can add sqlite as file dependency and there should be no problems with notarization.
I don't think that this is really a suitable solution. Because then you are changing the signed JAR by replacing the native part with something else. So IMHO it would be wrong to do this and should also result in failures in the notarization process. Self-signing can't be the solution. I am not the developer of the native parts, so it would be wrong if I sign them. And as I want to use it from an open source project, it would be even blocked by the OSS processes.
Yeah... It's not the best way, but as long as the dev is not able to sign the package correctly I need to do this. He is not even answering here.
I understand and it should be no blaming. It is a solution that can be seen often. I just wanted to comment that this could also lead to several issues in the whole process and probably could even be a legal issue with regards to the licensing or security processes, as the JAR gets changed afterwards. Otherwise others might simply adapt the self-signing without thinking about the consequences. But anyhow thanks for the replies. I hope the developers come up on this soon.
I confirm that unpackaging and signing individual files works.
I successfully published my app on the App Store about 6 months ago using the unpackaging and signing of individual files. However, it seems the new macOS version Big Sur no longer accepts this: I have been receiving emails from users that the jnilib file could not be verified. Anyone else experiencing a similar issue and/or have some pointers on how to fix this?
In the end I got the app accepted by placing the jnilib outside of the JAR and signing it. I changed the path to the jnilib by calling
System.setProperty("org.sqlite.lib.path", PATHTOFILE);
Any solution except self-signing? 🤔
I'm running into this problem. 😕
For anyone needing to self-sign these files in Github Actions, here's how:
- name: Self-sign SQLite native libs
  if: ${{ runner.os == 'macOS' }}
  env:
    P12_BASE64: ${{ secrets.P12_BASE64 }}
    P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
  run: |
    # Step 1.
    # Update local macOS keychain with our key
    # ## The following steps are based on: https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
    echo Step 1: Starting
    export PASSWORD=$(openssl rand -hex 50) # See https://linuxhint.com/generate-random-string-bash/
    echo "$P12_BASE64" | base64 --decode > certificate.p12
    security create-keychain -p "$PASSWORD" build.keychain
    security default-keychain -s build.keychain
    security unlock-keychain -p "$PASSWORD" build.keychain
    security import certificate.p12 -k build.keychain -P "$P12_PASSWORD" -T /usr/bin/codesign
    security find-identity -v
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$PASSWORD" build.keychain
    echo Step 1: Done
    # Step 2.
    # Sign SQLite native libs
    # ## More info: https://github.com/xerial/sqlite-jdbc/issues/383
    echo Step 2: Starting
    export SQLITE_JAR=$(find . -name "org.xerial.sqlite-jdbc-*.jar")
    unzip "$SQLITE_JAR" -d extracted
    cd extracted
    find . -type f -name "*.jnilib" | xargs codesign -s "<YOUR DEVELOPER ID>" -v -f
    # https://docs.oracle.com/javase/tutorial/deployment/jar/update.html
    find . -type f -name "*.jnilib" | xargs jar -ufv "../$SQLITE_JAR"
    cd ..
    rm -rf extracted
    echo Step 2: Done
Note: The "<YOUR DEVELOPER ID>" can be found in the output of the security find-identity -v command.
A big thanks to @meydominic for the initial instructions 🙇
I am not familiar with the signing process, but I understand a developer ID would be required. AFAIK those are not free, and need a subscription?
What does the process of signing actually do? Can anybody explain? Does it generate additional files, or does it modify the existing files?
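On the last question: for a standalone Mach-O library such as libsqlitejdbc.jnilib, codesign writes the signature into the file itself and records it with an LC_CODE_SIGNATURE load command. The sketch below is an added example, not code from this thread or from sqlite-jdbc; it uses that fact to list native libraries inside a JAR that carry no embedded signature. The sample JAR and its Mach-O stubs are constructed in memory, and the entry name libsigned-sample.jnilib is hypothetical.

```python
import io
import struct
import zipfile

LC_CODE_SIGNATURE = 0x1D  # load command that points at the embedded signature
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE

def thin_is_signed(data, base=0):
    """True if the thin Mach-O image at `base` has an LC_CODE_SIGNATURE command."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image")
    ncmds = struct.unpack_from("<I", data, base + 16)[0]
    off = base + (32 if magic == MH_MAGIC_64 else 28)  # skip the Mach-O header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        off += cmdsize
    return False

def macho_is_signed(data):
    """Universal (fat) files count as signed only if every slice is signed."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        offsets = [struct.unpack_from(">I", data, 16 + 20 * i)[0] for i in range(nfat)]
        return all(thin_is_signed(data, o) for o in offsets)
    return thin_is_signed(data)

def unsigned_native_libs(jar_bytes, suffixes=(".jnilib", ".dylib")):
    """Names of macOS native libraries in the JAR that carry no embedded signature."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n for n in jar.namelist()
                      if n.endswith(suffixes) and not macho_is_signed(jar.read(n)))

def fake_macho(signed):
    """Constructed sample: x86_64 dylib header with stub load commands only."""
    cmds = [struct.pack("<II", 0x19, 8)]  # LC_SEGMENT_64 stub, no body
    if signed:
        cmds.append(struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0))
    body = b"".join(cmds)
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 6, len(cmds), len(body), 0, 0) + body

def sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:  # constructed JAR; second name is hypothetical
        jar.writestr("org/sqlite/native/Mac/x86_64/libsqlitejdbc.jnilib", fake_macho(False))
        jar.writestr("org/sqlite/native/Mac/x86_64/libsigned-sample.jnilib", fake_macho(True))
    return buf.getvalue()
```

A hit from `unsigned_native_libs` only says the load command is absent; it does not validate the signature, its timestamp or the hardened runtime flag, which `codesign --verify --verbose` on the extracted file reports on macOS.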