libio_grpc_netty_shaded_netty_tcnative_osx_x86_64 not signed #570

Closed
liamsharp opened this issue Sep 15, 2020 · 3 comments

@liamsharp

Trying to find the right home for this one, previously raised here and here

Expected behavior

The file grpc-netty-shaded-1.31.1.jar/META-INF/native/libio_grpc_netty_shaded_netty_tcnative_osx_x86_64.jnilib being signed.

Actual behavior

That it's not signed.

Steps to reproduce

Submit a package to Apple for Notarization containing grpc-netty-shaded-1.31.1.jar. The Notarization process will fail, with the following being reported:

{
  "severity": "error",
  "code": null,
  "path": "MyApp-1.0-alpha-1.dmg/My App.app/Contents/Java/lib/grpc-netty-shaded-1.27.1.jar/META-INF/native/libio_grpc_netty_shaded_netty_tcnative_osx_x86_64.jnilib",
  "message": "The binary is not signed.",
  "docUrl": null,
  "architecture": "x86_64"
}

I've worked around this by extracting the libio_grpc_netty_shaded_netty_tcnative_osx_x86_64.jnilib out of the jar, signing it, then replacing it in the jar before sending off to Apple. I think ideally the binary should be signed as part of the build phase of the

Minimal yet complete reproducer code (or URL to code)

Netty version

1.31.1

JVM version (e.g. java -version)

N/A

OS version (e.g. uname -a)

macOS

@ylexus

ylexus commented Jul 15, 2021

This will require the paid Apple Developer account (can be opened online in 10 mins), but should otherwise be pretty straightforward. In my project I use this script: https://github.com/ylexus/jiotty-photos-uploader/blob/master/macos_notarize_dmg.sh

Basically, after the macOS binary is built, you'll need to invoke this.

codesign \
  -f \
  --timestamp \
  --entitlements "entitlements.plist" \
  -s "${CODESIGN_IDENTITY}" \
  --prefix "${CODESIGN_PREFIX}" \
  --options runtime \
  -vvvv \
  "${BINARY}"
  • CODESIGN_IDENTITY is your Apple Developer identity, it looks like this: Developer ID Application: John Smith (J44L2GZQ7P)
  • CODESIGN_PREFIX is arbitrary, I use net.yudichev.googlephotosupload.ui.
  • BINARY is the path to your freshly built binary to sign (libio_grpc_netty_shaded_netty_tcnative_osx_x86_64.jnilib).
  • entitlements.plist is the file with the binary options, I use this one, but you may not need to specify any:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.disable-executable-page-protection</key>
        <true/>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
        <true/>
    </dict>
</plist>

Will be happy to help if any problems are encountered.

@chrisvest
Contributor

This was fixed by netty/netty#11734 in Netty 4.1.69

@liamsharp
Author

I've tested with grpc-netty-shaded-1.64.0 and still have the same issue:

  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MyApp-1.0-alpha-1.dmg/My App.app/Contents/Java/lib/grpc-netty-shaded-1.64.0.jar/META-INF/native/libio_grpc_netty_shaded_netty_tcnative_osx_x86_64.jnilib",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp-1.0-alpha-1.dmg/My App.app/Contents/Java/lib/grpc-netty-shaded-1.64.0.jar/META-INF/native/libio_grpc_netty_shaded_netty_tcnative_osx_x86_64.jnilib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp-1.0-alpha-1.dmg/My App.app/Contents/Java/lib/grpc-netty-shaded-1.64.0.jar/META-INF/native/libio_grpc_netty_shaded_netty_tcnative_osx_aarch_64.jnilib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp-1.0-alpha-1.dmg/My App.app/Contents/Java/lib/grpc-netty-shaded-1.64.0.jar/META-INF/native/libio_grpc_netty_shaded_netty_tcnative_osx_aarch_64.jnilib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "arm64"
    },
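
Added example (not part of the thread and not code from the gRPC or Netty projects): a pre-submission check that lists native libraries inside a jar with no embedded code signature, the condition the notarization logs above report. It parses only thin 64-bit Mach-O files and flags anything else for manual inspection; the sample jar and its library names are constructed.

```python
import io
import struct
import zipfile

MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O; x86_64 and arm64 are little-endian
LC_CODE_SIGNATURE = 0x1D    # load command that points at the embedded signature
LC_UUID = 0x1B              # harmless filler command for the constructed samples

def has_code_signature(data: bytes) -> bool:
    """True if a thin 64-bit Mach-O image carries an LC_CODE_SIGNATURE command."""
    if len(data) < 32 or struct.unpack_from("<I", data)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    offset = 32                                   # sizeof(mach_header_64)
    for _ in range(ncmds):
        if offset + 8 > len(data):
            raise ValueError("load commands run past end of file")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:
            raise ValueError("corrupt load command size")
        offset += cmdsize
    return False

def unsigned_natives(jar) -> list:
    """Native-library entries in a jar that lack a signature or cannot be parsed."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith((".jnilib", ".dylib")):
                try:
                    if not has_code_signature(zf.read(name)):
                        findings.append(name)
                except ValueError:                # fat or malformed: flag it too
                    findings.append(name)
    return findings

def constructed_macho(cmds: list) -> bytes:
    """Constructed sample: header plus (cmd, payload) load commands, no code."""
    body = b"".join(struct.pack("<II", c, 8 + len(p)) + p for c, p in cmds)
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 6, len(cmds), len(body), 0, 0) + body

def constructed_jar() -> io.BytesIO:
    """Constructed jar holding one unsigned and one signed native library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/native/libdemo_osx_x86_64.jnilib", constructed_macho([(LC_UUID, bytes(16))]))
        zf.writestr("META-INF/native/libdemo_signed.jnilib", constructed_macho([(LC_UUID, bytes(16)), (LC_CODE_SIGNATURE, bytes(8))]))
    return buf
```

A clean result only shows that a signature blob is present; whether it was made with a Developer ID certificate and a secure timestamp, the other two errors in the log above, still has to be read from `codesign -dvv` output or the notarization log.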
