TechQA.

Apple notarization lists dylib files as not signed

966 views Asked by At

We distribute a Java application with a bundled JRE, 1.8.0_172. I sign the app using the flags -f --deep and --options runtime. Looking at the CodeResources file in the _CodeSignature directory of the bundled JRE, every file in the JRE is signed and accounted for.

However, after submitting a DMG containing the app to Apple for notarizing, our software is rejected. ALL 60 DYLIB FILES IN THE JRE ARE LISTED AS NOT SIGNED. Here is an example:

From the CodeResources file:

<key>Home/jre/lib/libAppleScriptEngine.dylib</key>
    <dict>
        <key>hash</key>
        <data>
        oJjQQGky4LuYNhwuBu8zMLG4zbc=
        </data>
        <key>hash2</key>
        <data>
        grMACw0q7A9GJyPxlSBDGYEkZKrDusKLRRnXsW/bHGI=
        </data>
    </dict>

From the response from Apple:

"severity": "error",
"code": null,
"path": "TheApplication.dmg/TheApplication.app/Contents/PlugIns/jdk1.8.0_172.jdk/Contents/Home/jre/lib/libAppleScriptEngine.dylib",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"

In addition to the dylib files, the file jspawnhelper is also rejected as not signed.

Lastly, the file libjli.dylib is rejected for the following reason: "The binary uses an SDK older than the 10.9 SDK."

Has anyone encountered a similar problem and then been able to pass the notarization process?

January 14, 2020: The steps I used from this website http://www.zarkonnen.com/signing_notarizing_catalina do not work as of today. Apple changed their restrictions. I now have the same issues as I first asked about in this post.

February 21, 2020: It turned out the files listed as not signed were in fact not signed. I now use a shell script to recursively sign every file in our application. I follow that with overall signing of the bundled JRE, other internal apps, and lastly the entire app at the top level.

The remaining problem is Java 8 is not built with files that use the hardened runtime. Hopefully OpenJDK and/or AdoptOpenJDK will soon have new versions of Java 8 that satisfy Apple's hardened runtime requirements.

java macos notarize
Original Q&A
1

There are 1 answers

1
Tiberiu On BEST ANSWER

This is a bug in Java 8: https://bugs.openjdk.java.net/browse/JDK-8223671

The fastest solution to this problem might come from AdoptOpenJDK hopefully by the end of current month: https://github.com/AdoptOpenJDK/openjdk-build/issues/1130

Related Questions in JAVA

Related Questions in MACOS

Related Questions in NOTARIZE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions