jpackage is not finding certificates when using --mac- flags to sign before notarization on MacOS

Question

I'm trying to build an app-image for macos with the following jpackage version:

openjdk 17.0.2 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-86)
OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)

I'm using a bash file to build the command:

"$JDK/bin/jpackage" --type app-image --input "$INPUT/target/" --dest "$INPUT/target/output" --name "$NAME" \
  --main-jar my-jar.jar --main-class org.test.Launcher --add-modules "$JDK_MODULES" \
  --resource-dir "$RES" --copyright "$COPYRIGHT" --app-version "$VERSION" --description "$DESC" --vendor "$VENDOR" \
  --verbose --mac-package-identifier "$IDENTIFIER" --mac-sign --mac-package-signing-prefix "$IDENTIFIER" \
  --mac-signing-key-user-name "My Organization (USER_ID_OF_CERTIFICATE)" \
  --mac-signing-keychain "/Users/MyUser/Library/Keychains/login.keychain-db"

The complete output of this command is the following:

[16:59:06.497] Running /usr/bin/security
[16:59:06.527] Command [PID: 20771]:
    /usr/bin/security find-certificate -c Developer ID Application: My Organization (USER_ID_OF_CERTIFICATE) -a /Users/MyUser/Library/Keychains/login.keychain-db
[16:59:06.527] Output:
    keychain: "/Users/MyUser/Library/Keychains/login.keychain-db"
    version: 512
    class: 0x80001000 
    attributes:
        [omitted by me]
[16:59:06.530] Returned: 0

[16:59:06.531] jdk.jpackage.internal.ConfigException: Signature explicitly requested but no signing certificate found
    at jdk.jpackage/jdk.jpackage.internal.MacAppBundler.doValidate(MacAppBundler.java:136)
    at jdk.jpackage/jdk.jpackage.internal.AppImageBundler.validate(AppImageBundler.java:70)
    at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:675)
    at jdk.jpackage/jdk.jpackage.internal.Arguments.processArguments(Arguments.java:550)
    at jdk.jpackage/jdk.jpackage.main.Main.execute(Main.java:91)
    at jdk.jpackage/jdk.jpackage.main.Main.main(Main.java:52)
[16:59:06.533] jdk.jpackage.internal.PackagerException: Bundler Mac Application Image skipped because of a configuration problem: Signature explicitly requested but no signing certificate found 
Advice to fix: Specify a valid mac-signing-key-user-name and mac-signing-keychain
    at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:688)
    at jdk.jpackage/jdk.jpackage.internal.Arguments.processArguments(Arguments.java:550)
    at jdk.jpackage/jdk.jpackage.main.Main.execute(Main.java:91)
    at jdk.jpackage/jdk.jpackage.main.Main.main(Main.java:52)
Caused by: jdk.jpackage.internal.ConfigException: Signature explicitly requested but no signing certificate found
    at jdk.jpackage/jdk.jpackage.internal.MacAppBundler.doValidate(MacAppBundler.java:136)
    at jdk.jpackage/jdk.jpackage.internal.AppImageBundler.validate(AppImageBundler.java:70)
    at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:675)
    ... 3 more
[16:59:06.531] No certificate found matching [Developer ID Application: My Organization (USER_ID_OF_CERTIFICATE)] using keychain [/Users/MyUser/Library/Keychains/login.keychain-db]

In addition, the requested Developer ID Application is at the keychain:

security find-identity -v -p codesigning
  1) HASH_ID_HERE "Developer ID Application: My Organization (USER_ID_OF_CERTIFICATE)"
     1 valid identities found

Can anyone help with this issue? I already found some articles about, but without success.

This issue relates with this one here, I was not using the --mac- flags but then I was having problems with notarization with the same libjli.dylib. This post is me trying the solution of the old one.

{
  "logFormatVersion": 1,
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "path/to/my/APP.app/Contents/runtime/Contents/MacOS/libjli.dylib",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "x86_64"
    }
  ]
}

Answer 1

I found an issue in jpackage's code. My organization certificates have accentuation in the name. I'm from Brasil, so we use a lot of accentuations here, like "João" and "Informática", etc..

The option --mac-sign tells that jpackage should assign the package according with the certificates available in the keychain.

When jpackage tries to find the certificates installed in the system with the command /usr/bin/security find-certificate -c Developer ID Application: My Informática Organization the output is something like this:

[12:12:45.999] Output:
    keychain: "/Users/MyUser/Library/Keychains/login.keychain-db"
    version: 512
    class: 0x80001000 
    attributes:
        "alis"<blob>=0x446576656C6F7065722049443A20416E696D6174692053697374656D617320646520496E666F726DC3A174696361204C746461202D20455050202836355A3444  "Developer ID Application: My Inform\303\241tica Organization (USER_ID)"
        "cenc"<uint32>=0x00000003 
        "ctyp"<uint32>=0x00000001 
        "hpky"<blob>=0x85815880BCCB6724HASH199EE84FE26B0C9F  "\205\201X\200\274\313g$\002\016\014d\031\342k\014\237"

Then, the MacBaseInstallerBundler.java class from JDK tries to match the output with the given --mac-signing-key-user-name parameter (in my case My Informática Organization)

Pattern p = Pattern.compile("\"alis\"<blob>=\"([^\"]+)\"");
Matcher m = p.matcher(baos.toString());
if (!m.find()) {
   Log.error(MessageFormat.format(I18N.getString("error.cert.not.found"), key, keychainName));
   return null;
}

The matcher doesn't find my developer certificate because it is looking for My Informática Organization but the output returns My Inform\303\241tica Organization.

And we see the message in the logs: No certificate found matching [{0}] using keychain [{1}]

All of that is at jpackage's code from openJDK17

I really don't known if there is an option in Mac system or in Java that returns the output from security find-certificate in UTF-8. As I was running out of time, the easiest solution was to make another apple account.

Solution: I had to make another apple account WITHOUT accentuation in my name (My Informatica Organization) and ask again to enroll in the apple's developer program.

[EDIT] I already sent an e-mail to jdk bug report, but no response.

Answer 2

You are building --type app-image, which means jpackage will prepare all files on disk and terminate. You need a second jpackage run, starting off from the app-image and leading to either PKG or DMG.

This two step process can be used for cases where (for whatever reason) you need to add or tweak files that would be inside the package after the second step. For this reason I believe all code signing options should be valid for the second run only.

If you do not need the second run at all, run JPackage with --type DMG directly. As such files were always marked broken by MacOS (I guess it was the missing signature on my end) I switched to PKG and was positively surprised.