
Sign native macOS binaries so that they can be embedded in macOS desktop apps #1026

Open
ylexus opened this issue Jul 15, 2021 · 3 comments

@ylexus

ylexus commented Jul 15, 2021

My project https://github.com/ylexus/jiotty-photos-uploader uses https://github.com/google/java-photoslibrary which transitively depends on conscrypt jars. When I use openjdk jpackage utility to create a distributable package (.dmg in case of macOS), it fails to get notarized by Apple with these errors:

    {
      "severity": "error",
      "code": null,
      "path": "Jiotty_Photos_Uploader-2.0.3.dmg/Jiotty Photos Uploader.app/Contents/app/conscrypt-openjdk-uber-2.5.1.jar/META-INF/native/libconscrypt_openjdk_jni-osx-x86_64.dylib",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Jiotty_Photos_Uploader-2.0.3.dmg/Jiotty Photos Uploader.app/Contents/app/conscrypt-openjdk-uber-2.5.1.jar/META-INF/native/libconscrypt_openjdk_jni-osx-x86_64.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },

It makes jpackage tool's sign functionality unusable as is. I have to apply complex workarounds during build time like unpacking conscrypt jar, signing binaries, re-packing, and re-packaging.

It would be very convenient if conscrypt jars contained native libraries that were properly signed by Apple in the first place.

@prbprbprb
Collaborator

Sounds eminently sensible but we'll probably need to figure out some bureaucracy first as I think we'll need to sign it with a Google owned key rather than any personally owned one.

@dwhitla

dwhitla commented Apr 8, 2022

Is there any movement on this? One of my transitive dependencies uses conscrypt (itself a transitive dependency) and I have to unpack multiple layers of jars to resign the dylibs in this artefact. To say it is a massive PITA is putting it mildly.
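
The unpack, sign, re-pack, re-package workaround ylexus describes above, generalised to the nested-jar case dwhitla mentions, as an added example. This is not conscrypt's or jpackage's code. It assumes the native libraries are the `.dylib`/`.jnilib` entries of a jar (conscrypt 2.5.1 ships `META-INF/native/libconscrypt_openjdk_jni-osx-x86_64.dylib`), that a jar may itself contain `.jar` entries, and that a Developer ID Application identity is available to `codesign`; the sample jar it builds is constructed for the demonstration, and the signing function is injectable so the rewrite logic can be exercised without macOS.

```python
"""Added example (not conscrypt's or jpackage's code): re-sign the macOS native
libraries inside jars, including jars nested in other jars, so that the app
image jpackage builds can pass notarization. Assumptions: natives are *.dylib or
*.jnilib entries, nested jars end in .jar, and the identity is a Developer ID
Application certificate present in the keychain."""
import io
import os
import subprocess
import sys
import tempfile
import zipfile
from typing import Callable, List, Optional

NATIVE_SUFFIXES = (".dylib", ".jnilib")   # Mach-O formats a JNI jar may carry
Signer = Callable[[bytes], bytes]


def codesign_bytes(data: bytes, identity: str) -> bytes:
    """Default signer: hand one Mach-O image to Apple's codesign and return the
    signed bytes. --timestamp addresses "does not include a secure timestamp";
    --options runtime enables the hardened runtime notarization requires."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "lib.dylib")
        with open(path, "wb") as f:
            f.write(data)
        subprocess.run(["codesign", "--force", "--timestamp", "--options", "runtime",
                        "--sign", identity, path], check=True)
        with open(path, "rb") as f:
            return f.read()


def sign_jar_bytes(jar: bytes, signer: Signer, changed: List[str], prefix: str = "") -> bytes:
    """Return a rewritten copy of `jar` in which every native-library entry is
    replaced by signer(entry). Nested *.jar entries are rewritten recursively;
    signed entry names are appended to `changed` as outer.jar!/inner.jar!/path."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.endswith(NATIVE_SUFFIXES):
                data = signer(data)          # signing changes the size: must re-pack
                changed.append(prefix + info.filename)
            elif info.filename.endswith(".jar"):
                data = sign_jar_bytes(data, signer, changed, prefix + info.filename + "!/")
            # Keep the entry's timestamp, permissions and compression method;
            # writestr recomputes size and CRC from the new data.
            new_info = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new_info.compress_type = info.compress_type
            new_info.external_attr = info.external_attr
            dst.writestr(new_info, data)
    return out.getvalue()


def sign_native_libs_in_jar(jar_path: str, identity: str, signer: Optional[Signer] = None) -> List[str]:
    """Rewrite jar_path in place and return the entries that were signed."""
    signer = signer or (lambda data: codesign_bytes(data, identity))
    changed: List[str] = []
    with open(jar_path, "rb") as f:
        signed = sign_jar_bytes(f.read(), signer, changed)
    if changed:                              # jars without natives are left untouched
        with open(jar_path, "wb") as f:
            f.write(signed)
    return changed


def read_entry(jar: bytes, name: str) -> bytes:
    """Helper to inspect one entry of a (possibly rewritten) jar."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        return z.read(name)


def build_sample_jar() -> bytes:
    """Constructed input: an uber-style jar with one macOS native, one Linux
    native, a manifest and a nested jar carrying its own macOS native. The
    'library' bodies are just the 64-bit Mach-O magic plus a marker."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            for name, data in entries:
                z.writestr(name, data)
        return buf.getvalue()
    inner = jar([("META-INF/native/libinner-osx-x86_64.dylib", b"\xcf\xfa\xed\xfeINNER"),
                 ("org/example/A.class", b"A")])
    return jar([("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                ("META-INF/native/libconscrypt_openjdk_jni-osx-x86_64.dylib", b"\xcf\xfa\xed\xfeOUTER"),
                ("META-INF/native/libconscrypt_openjdk_jni-linux-x86_64.so", b"\x7fELF"),
                ("lib/nested.jar", inner)])


if __name__ == "__main__":
    # Usage: python sign_jar_natives.py "<App>.app/Contents/app" "Developer ID Application: <name>"
    app_dir, identity = sys.argv[1], sys.argv[2]
    for root, _, files in os.walk(app_dir):
        for name in files:
            if name.endswith(".jar"):
                for entry in sign_native_libs_in_jar(os.path.join(root, name), identity):
                    print(f"signed {os.path.join(root, name)}!/{entry}")
```

Run it over `Contents/app` of an image produced with `jpackage --type app-image` before the final `.dmg` step: a code signature on the `.app` bundle seals the files under it, so rewriting a jar after the bundle has been signed invalidates that seal. Only `.dylib`/`.jnilib` entries are touched; the Linux and Windows natives in the uber jar are copied through unchanged.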

@ylexus
Author

ylexus commented Apr 8, 2022

macOS is not a server platform. This means the majority of apps using conscrypt will be desktop apps. You can’t distribute a desktop app without it being signed. This means that releasing an unsigned conscrypt macOS binary makes it unusable in the majority of use cases. This must be a high-priority fix.
