Nammu Jar should be signed #112
Here are some links with info:
|
Sent email asking about TERENA certificates to |
They replied back with this:
|
It was not clear in the documentation in that link if COMODO supported signatures for things other than Windowsy files like exe or dll. I spoke with an agent and they confirmed you can sign JAR files with COMODO, and also that the certificate we buy for Nammu's JAR can be used on things other than JAR files in the future that we want to sign. Here's the link about signing JARs with COMODO (content takes a while to load): https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/531/7/ And here's what the agent sent to order the certificate: |
Email sent to Tony Brown to start the process of getting the certificate. COMODO's site says it'll take 3-5 working days. |
Sent another email today since we haven't heard back yet. |
Update from Tony Brown last Friday:
|
Another update:
|
|
Tim sent the certificate and password. Working out how to put everything together so JAR doesn't force people to run content from untrusted source. |
Followed these instructions. Note alias, which is needed by the
I'll test it and then try to add the |
Turns out Apple computers need some extra signing. We need to use an Apple Developer ID so Apple trusts our application and users don't get prompted with something like "This app has been made by an untrusted developer", which is not ideal. ISD folks said Robert Silk has a Developer ID we can use, so I've sent an email and I'm waiting to hear back. |
Also emailed isd-itpurchasing since Robert is on leave tomorrow. |
I got an invite to the Apple Developer ID account. However, it turns out you can't sign JAR files, you can only sign dmg or app files :-/ I'm trying to bundle the JAR into an app or a dmg, using a maven plugin. It does create an app and dmg, but when I open them nothing happens. Here's the plugin I'm using: https://github.com/federkasten/appbundle-maven-plugin I'll come back to this later. Making the bundle would also be nice to add an icon to it and so on, but I need to investigate further on this and I might not have time before the release later today. Some other links to look at:
|
I have managed to create a working DMG file for Nammu, including icon and context menu that says "Nammu" instead of "App" :) I couldn't do it with the maven plugin, which did prepare a dmg, but it wouldn't trigger the JAR, so for now I've done it with This is what I run:

```
mkdir -p package/macosx
# For some reason javapackager needs nammu_icon.icns to be in that folder
cp nammu_icon.icns package/macosx
javapackager -deploy -native dmg \
    -srcfiles ~/workspace/ORACC/nammu/target/nammu-0.4.jar \
    -appclass uk.ac.ucl.rc.development.oracc.nammu.Nammu \
    -name Nammu -outdir deploy -outfile Nammu -v \
    -Bicon=package/macosx/nammu_icon.icns -BappVersion=0.4
```

I tried following the instructions here: But that only works for native Apple applications written in Objective-C or Swift, so I can't open my project there and configure it the way the instructions say. I've emailed the people who manage this team and I'm waiting to hear back, because I'm a bit lost. |
I could also try and look into moving from maven to gradle and use this: https://github.com/crotwell/gradle-macappbundle/wiki/Intro |
Some update: COMODO ships its certificate with no indications on how to install it. There's this help I found though, which is what I followed, but it's outdated/wrong. After consulting with COMODO support I finally got some help. The validation chain of their certificate was wrong. The certificate needed to be regenerated with OpenSSL to build the validation chain from scratch, like this:

```
# 1. Generate private key:
openssl pkcs12 -in ../certificate/Trac_dcs_lob#16969-Comodo_Code_signing_certificate.p12 -nocerts -out privateKey.pem
# 2. Generate public certificate
openssl pkcs12 -in ../certificate/Trac_dcs_lob#16969-Comodo_Code_signing_certificate.p12 -clcerts -nokeys -out publicCert.pem
# 3. Regenerate p12 certificate with SHA-1 codesigning_bundle.txt given by COMODO
openssl pkcs12 -export -in publicCert.pem -inkey privateKey.pem -out certificate.p12 -certfile ../certificate/Codesigning_bundle.txt
```

When running this for information:
The output shows a confirmation of my validation chain's length being 4 - it was 3 before which was reporting a warning about my validation chain being incomplete. Then when signing the jar no more warnings appear and all seems good:
The problem is that when opening in a Mac, this is displayed:
Which has to do with the Apple Developer ID signature. One can't sign JARs with the Apple Developer ID, they must be app or dmg files. So I've created a dmg bundle like I said earlier and then signed it after installing all the certificates in my Keystore:
I've also tried to sign my App, then sign the DMG, but I keep on getting that error when trying to open the file on a Mac. IT Purchasing who dealt with the Apple Developer ID stuff don't know how to help with this, so I'm going to ask Apple support, although it could take very long to get an answer. This issue will remain unresolved for now. |
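
The chain fix described in the comment above, reproduced with a constructed throwaway CA (an added example, not part of the original thread or the project's own code): a PKCS#12 exported without `-certfile` carries only the signer certificate, and the signer does not validate to the root without the intermediate. The `Demo` subject names, the `demo` password and all function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Every key and certificate here is a constructed throwaway.

# Number of certificates (signer + chain) stored in a PKCS#12 file.
p12_cert_count() {    # $1 = .p12 file, $2 = password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Build a constructed root -> intermediate -> signer chain in directory $1.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Signer' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"  # stands in for the CA's bundle file
}

# Export the signer to PKCS#12; optional $3 is a CA bundle passed as -certfile.
export_p12() {        # $1 = dir, $2 = output file, $3 = bundle (optional)
    openssl pkcs12 -export -in "$1/leaf.pem" -inkey "$1/leaf.key" \
        ${3:+-certfile "$3"} -out "$2" -passout pass:demo
}

# Succeeds only if the signer chains to the root using the intermediates in $2.
leaf_verifies() {     # $1 = dir, $2 = intermediates file (optional)
    openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} \
        "$1/leaf.pem" >/dev/null 2>&1
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_demo_chain "$work"
export_p12 "$work" "$work/bare.p12"
export_p12 "$work" "$work/full.p12" "$work/bundle.pem"
echo "without -certfile: $(p12_cert_count "$work/bare.p12" demo) certificate(s)"
echo "with -certfile:    $(p12_cert_count "$work/full.p12" demo) certificate(s)"
leaf_verifies "$work" || echo "signer alone does not validate to the root"
leaf_verifies "$work" "$work/int.pem" && echo "signer + intermediate validates"
```

Running `p12_cert_count` on a real code-signing `.p12` before signing shows whether the intermediates were actually bundled.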
Apple hasn't replied yet. We have tried a few things, but still when opening the App, we keep on getting this warning:
which makes users manually accept to trust Nammu. This is bad because we are identified developers! We've tried to check directly on the app file, which is what fails. Signing the dmg doesn't seem to help. If we install Nammu.app from a Nammu dmg file, we can then check if the app is signed:
Then we sign it and check again:
This still triggers the warning when trying to open the app. We have tried signing other files inside the app folder, like It might be helpful in the future to note we also found how to modify on the command line the exceptions for unidentified apps on the system's policy security tool:
This issue affects Mac computers only, so we'll need to investigate further. For now we'll focus on moving forward with other functionality. |
I was thinking maybe the problem is still in the way the certificate is created, or there is something missing on it. I've asked Robert Silk and Niall Roche again, who are the ones administering UCL Developer IDs, but they do it for iOS, which is different because it publishes things in the App Store, and they couldn't help much before. Anyway, I thought it'd be good to keep a summary somewhere of what I've done, just in case I forget :) Here it is:
|
Potentially related: https://apple.stackexchange.com/questions/200844/if-i-sign-a-jar-with-a-certificate-from-comodo-will-i-still-get-warnings This will become more of an issue as future OS X versions will require software to be notarized in addition to being signed. See here for an example for another project - thanks for bringing that up, @giordano. |