macos app notarization #387
Hi @nemqooo! |
Hi Francisco,
thank you for getting back to me on this, really do appreciate it! Please find attached the POM from the project.

Thank you.
Norbert
… On 23. 2. 2024 at 13:37, Francisco Vargas Ruiz ***@***.***> wrote:
Hi @nemqooo <https://github.com/nemqooo>!
Sorry for my late reply.
Could you share your POM, please?
|
Hi Norbert! |
Yeah sorry, the extract from POM already attached. Thank you 😊
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.1.0</version>
    <relativePath/>
  </parent>
  <groupId>com.accute</groupId>
  <artifactId>Invoiceline</artifactId>
  <version>1.6.6-SNAPSHOT</version>
  <name>InvoiceLine</name>
  <description>Test</description>
  <properties>
    <java.version>21</java.version>
    <maven.compiler.source>21</maven.compiler.source>
    <maven.compiler.target>21</maven.compiler.target>
    <javafx.version>21</javafx.version>
    <javafx.maven.plugin.version>0.0.8</javafx.maven.plugin.version>
  </properties>
  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
      </plugin>
      <plugin>
        <groupId>org.openjfx</groupId>
        <artifactId>javafx-maven-plugin</artifactId>
        <version>0.0.8</version>
        <configuration>
          <mainClass>com.accute.invoiceline.Invoiceline</mainClass>
        </configuration>
      </plugin>
      <plugin>
        <groupId>io.github.fvarrui</groupId>
        <artifactId>javapackager</artifactId>
        <version>1.7.5</version>
        <executions>
          <execution>
            <id>bundling-for-macos</id>
            <phase>package</phase>
            <goals>
              <goal>package</goal>
            </goals>
            <configuration>
              <platform>mac</platform>
              <name>InvoiceLine</name>
              <organizationName>accute</organizationName>
              <version>1.6.6</version>
              <mainClass>com.accute.invoiceline.Invoiceline</mainClass>
              <bundleJre>true</bundleJre>
              <customizedJre>false</customizedJre>
              <iconFile>src/main/resources/favicon_mac.icns</iconFile>
              <vmArgs>-Xmx1g -XX:+UseG1GC -Dprism.dirtyopts=false -Dsun.java2d.metal=true</vmArgs>
              <additionalResources>
                <additionalResource>src/main/resources</additionalResource>
              </additionalResources>
              <modules>
                <module>javafx.controls</module>
                <module>javafx.fxml</module>
              </modules>
              <macConfig>
                <appId>Invoiceline</appId>
                <developerId>my-developer-email@gmail.com</developerId>
                <codesignApp>true</codesignApp>
                <hardenedCodesign>true</hardenedCodesign>
                <notarizeApp>true</notarizeApp>
                <keyChainProfile>accute</keyChainProfile>
                <iconSize>100</iconSize>
                <appsLinkIconY>210</appsLinkIconY>
                <iconY>210</iconY>
                <backgroundImage>src/main/resources/installer.png</backgroundImage>
                <icnsFile>src/main/resources/favicon_mac.icns</icnsFile>
                <generateDmg>true</generateDmg>
                <generatePkg>false</generatePkg>
                <volumeIcon>src/main/resources/favicon_mac.icns</volumeIcon>
                <volumeName>InvoiceLine</volumeName>
              </macConfig>
            </configuration>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <configuration>
          <source>21</source>
          <target>21</target>
          <compilerArgs>--enable-preview</compilerArgs>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project> |
Your POM seems to be fine, so I need more info. Please, could you share all JP output? |
Sure, there is a JP output (extract) together with the .json log from Apple's notarytool. All the errors are with the same reason -> The binary is not signed with a valid Developer ID certificate. The issue seems to be with the packager not signing the files, since, during the packaging a bunch of errors relating to signing the files appear. Is it me missing something?
[INFO] Executing command: /bin/sh -c cd '/Users/norbertgalik/Documents/invoiceline/.' && 'codesign' -f --timestamp -s email@gmail.com /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libmanagement.dylib
[ERROR] /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libmanagement.dylib: replacing existing signature
[INFO] Executing command: /bin/sh -c cd '/Users/norbertgalik/Documents/invoiceline/.' && 'codesign' -f --timestamp -s email@gmail.com /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libgstreamer-lite.dylib
[ERROR] /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libgstreamer-lite.dylib: replacing existing signature
[INFO] Executing command: /bin/sh -c cd '/Users/norbertgalik/Documents/invoiceline/.' && 'codesign' -f --timestamp -s email@gmail.com /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libjsound.dylib
[ERROR] /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libjsound.dylib: replacing existing signature
[INFO] Executing command: /bin/sh -c cd '/Users/norbertgalik/Documents/invoiceline/.' && 'codesign' -f --timestamp -s email@gmail.com /Users/norbertgalik/Documents//invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libjfxwebkit.dylib
[ERROR] /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/lib/libjfxwebkit.dylib: replacing existing signature
[INFO] Current status: In Progress.........................
[INFO] Current status: In Progress..........................
[INFO] Current status: In Progress...........................
[INFO] Current status: In Progress............................
[INFO] Current status: In Progress.............................
[INFO] Current status: In Progress..............................
[INFO] Current status: In Progress...............................
[INFO] Current status: In Progress................................
[INFO] Current status: Invalid.................................Processing complete
[INFO] id: 2ce2e22c-c735-4ace-8f7f-22c56ca3f445
[INFO] status: Invalid
[INFO]
[INFO] Executing command: /bin/sh -c cd '/Users/norbertgalik/invoiceline/.' && 'xcrun' stapler staple /Users/norbertgalik/Documents//invoiceline/target/InvoiceLine/InvoiceLine.app
[INFO] Processing: /Users/norbertgalik/Documents//invoiceline/target/InvoiceLine/InvoiceLine.app
[INFO] CloudKit query for InvoiceLine.app (2/684f33420e8871fb88470dba837e26e8c3d2aa20) failed due to "Record not found".
[INFO] Could not find base64 encoded ticket in response for 2/684f33420e8871fb88470dba837e26e8c3d2aa20
[INFO] The staple and validate action failed! Error 65.
{
  "logFormatVersion": 1,
  "jobId": "2ce2e22c-c735-4ace-8f7f-22c56ca3f445",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "InvoiceLine.app-notarization.zip",
  "uploadDate": "2024-02-25T20:00:18.641Z",
  "sha256": "8a57cbb995ccc4028ee9308bc2b89035d11689ad241f6919e8b64a7e37a577c2",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "InvoiceLine.app-notarization.zip/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jwebserver",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "InvoiceLine.app-notarization.zip/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jarsigner",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "InvoiceLine.app-notarization.zip/InvoiceLine.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jfr",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
|
Please, try to run the next command to check if the app is properly signed:
codesign -dv --verbose=4 /Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app
Not sure, but maybe the |
The app seems to be signed by the certificate from Apple (hashes adjusted). I have once again checked all the errors from the notary tool, you are right, most of them relate to JRE files. However, at the end, there is also one error related to the app package
{
  "severity": "error",
  "code": null,
  "path": "InvoiceLine.app-notarization.zip/InvoiceLine.app/Contents/Resources/Java/Invoiceline-1.6.6-SNAPSHOT-runnable.jar/libJTouchID.dylib",
  "message": "The signature does not include a secure timestamp.",
  "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
  "architecture": "x86_64"
}
Executable=/Users/norbertgalik/Documents/invoiceline/target/InvoiceLine/InvoiceLine.app/Contents/MacOS/universalJavaApplicationStub
Identifier=Invoiceline
Format=bundle with generic
CodeDirectory v=20200 size=267 flags=0x10000(runtime) hashes=1+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=fdec0e33e3f0asdasf2341d4cc1812970feac74d
CandidateCDHashFull sha1=fdec0e34233fasf098fd4cc1812970feac74d
CandidateCDHash sha256=684f33420e8871fb88470d533FAS8c3d2aa20
CandidateCDHashFull sha256=684f33420e8871fb88470db43DAFCsdasdrw8c3d2aa206b8470b58adb6add3d37fsfd53ac
Hash choices=sha1,sha256
CMSDigest=6f8df9ef591c05ef69ae28f604e15eef5a0f79032ae3f5219d97fa8124162b
CMSDigestType=2
Page size=none
CDHash=68123412das3420e8871fb88470dba837e26e8c3gsdc0
Signature size=9183
Authority=Apple Development: email@gmail.com (XXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=25 Feb 2024 at 20:58:58
Info.plist entries=19
TeamIdentifier=XXXXXXXXX
Sealed Resources version=2 rules=13 files=163
Internal requirements count=2 size=236 |
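Added example (not part of the thread and not JavaPackager code): a Python triage helper for the two outputs posted above, the notarytool JSON log and the `codesign -dv --verbose=4` text. It groups notary errors by message, flags paths nested inside a jar, and checks the leaf Authority, timestamp and hardened-runtime flag; the sample inputs, paths and function names are constructed for illustration, and it assumes an app bundle submitted for notarization must carry a Developer ID Application leaf certificate.

```python
import json
import re
from collections import defaultdict

# Constructed samples shaped like the outputs in this thread (not real data).
JRE = "App.zip/App.app/Contents/PlugIns/jre.jre/Contents/Home/bin/"
NOTARY_LOG = json.dumps({"status": "Invalid", "issues": [
    {"severity": "error", "path": JRE + "jfr",
     "message": "The binary is not signed with a valid Developer ID certificate."},
    {"severity": "error", "path": JRE + "jarsigner",
     "message": "The binary is not signed with a valid Developer ID certificate."},
    {"severity": "error",
     "path": "App.zip/App.app/Contents/Resources/Java/app-runnable.jar/libJTouchID.dylib",
     "message": "The signature does not include a secure timestamp."},
]})
CODESIGN_DV = """\
CodeDirectory v=20200 size=267 flags=0x10000(runtime) hashes=1+5 location=embedded
Authority=Apple Development: dev@example.com (TEAMID0000)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=25 Feb 2024 at 20:58:58
"""

def group_issues(log_text):
    """Map each notary error message to the paths it was reported for."""
    grouped = defaultdict(list)
    for issue in json.loads(log_text).get("issues") or []:
        if issue.get("severity") == "error":
            grouped[issue["message"]].append(issue["path"])
    return dict(grouped)

def nested_in_jar(paths):
    """Paths inside a .jar: the log above shows the service also checks those."""
    return [p for p in paths if ".jar/" in p]

def signature_findings(dv_text):
    """Check `codesign -dv --verbose=4` text for notarization prerequisites."""
    authorities = re.findall(r"^Authority=(.+)$", dv_text, re.M)
    leaf = authorities[0] if authorities else "missing"
    findings = []
    if not leaf.startswith("Developer ID Application:"):
        findings.append("leaf certificate is not Developer ID Application: " + leaf)
    if not re.search(r"^Timestamp=", dv_text, re.M):
        findings.append("no secure timestamp")
    if not re.search(r"flags=\S*\bruntime\b", dv_text):
        findings.append("hardened runtime flag not set")
    return findings

if __name__ == "__main__":
    print(group_issues(NOTARY_LOG), signature_findings(CODESIGN_DV))
```

`codesign -dv` writes its report to stderr, so capture it with `2>&1` before feeding it to `signature_findings`.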
I'm submitting a…
Short description of the issue/suggestion:
The binaries within the app bundle seem to be not signed by the Developer ID certificate. The hardened codesign is turned on together with its notarization, correct keyChainProfile is entered. The app is being uploaded to Apple, however, the content is not signed.
What is the expected behavior?
Returned success result from the Apple Notarization API
What is the current behavior?
Invalid status is being returned
Please tell us about your environment: