Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8257488

jpackage in jdk.16 (EA) produces output that cannot be notarized by Apple

XMLWordPrintable

    • x86_64
    • os_x

      ADDITIONAL SYSTEM INFORMATION :
      macOS Big Sur version 11.0.1.
      jdk.16 build 26

      A DESCRIPTION OF THE PROBLEM :
      When notarizing an app produced by jpackage the .app contains two files for which the notarization states "The signature of the binary is invalid." These files are:
      MyApp.app/Contents/MacOS/PKB
      MyApp/Contents/runtime/Contents/MacOS/libjli.dylib
      As has been suggested by others, deleting these files and signing as separate steps produces an app image that can be notarized but then the required Staple step fails.

      In addition, jpackage fails to pick up the entitlements file from the resources directory. As well as fixing this it would be good to provide an explicit parameter to the jpackage call.

      This bug has been present in at least jdk.15.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Set up an Apple developer certificate and profile for the app.
      Download JDK 16 from https://jdk.java.net/16/
      Build an app, using for example NetBeans. (We have tried several and the issue applies to all apps).
      Run jpackage, as for example:
      /jdk-16.jdk/Contents/Home/bin/jpackage --type app-image --app-version 1.0.1 --copyright "Gradwell Business Solutions Limited 2020" --name PKB --dest /Users/davidjlgradwell/NetBeansDev/PKB/jpackageappimageoutput --temp /Users/davidjlgradwell/NetBeansDev/PKB/jpackageappimagetemp --vendor "Gradwell Business Solutions Limited" --icon /Users/davidjlgradwell/NetBeansDev/PKB/PKB.icns --input /Users/davidjlgradwell/NetBeansDev/PKB/dist --main-jar PKB.jar --main-class com.gradwell.PKB.PKBStartClass --java-options " -Xdock:name=PKB" --mac-package-identifier PKB --mac-sign --mac-signing-keychain "/Users/davidjlgradwell/Library/Keychains/login.keychain-db" --verbose

      run alttool as for example:
      xcrun altool --notarize-app --primary-bundle-id "PKBAppNotarisation27Nov2020" --username david@gradwell.com --password "mypassword" --file /Users/davidjlgradwell/NetBeansDev/PKB/jpackageappimageoutput/PKB.app.zip --verbose



      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      jpackage produces a runnable app (which it does).
      The app can be notarized by Apple.
      The notarized app can be stapled and distributed
      ACTUAL -
      When notarizing an app produced by jpackage the .app contains two files for which the notarization process states "The signature of the binary is invalid." These files are:
      MyApp.app/Contents/MacOS/PKB
      MyApp/Contents/runtime/Contents/MacOS/libjli.dylib
      As has been suggested by others, deleting these files and signing as separate steps produces an app image that can be notarized but then the required Staple step fails.

      In addition, jpackage fails to pick up the entitlements file from the resources directory. As well as fixing this it would be good to provide an explicit parameter to the jpackage call.

      This bug has been present in at least jdk.15.

      ---------- BEGIN SOURCE ----------
      We have an extensive test rig and would be happy to test suggestions and new builds that address this issue.
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      This is clearly a bug affecting many people. A suggested workaround is to delete the offending files which allows the notarization to succeed but then the Staple fails.

      FREQUENCY : always


        1. Test.jar
          1 kB
        2. Test.java
          1 kB

            almatvee Alexander Matveev
            webbuggrp Webbug Group
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: