JDK-8266021

[macos]: Include verifications for signed applications


    • x86_64
    • os_x

      ADDITIONAL SYSTEM INFORMATION :
      macOS Catalina 10.15.7

      openjdk version "16" 2021-03-16
      OpenJDK Runtime Environment (build 16+36-2231)
      OpenJDK 64-Bit Server VM (build 16+36-2231, mixed mode, sharing)


      A DESCRIPTION OF THE PROBLEM :
      Apple application codesigning includes commands to verify the correctness of the signed application. I do not believe these are included in current builds. Even if there is no error in the process on the part of jpackage, it still seems possible that some error on the user end could result in an invalid signature or an application not ready for the Mac App Store.

      Incorrect or invalid/expired signing certificates, for example.

      Based on "spctl fails with source=Unnotarized Developer ID":
      https://developer.apple.com/forums/thread/124614

      I added this to the end of my jpackage script...
      echo '*******************'
      echo 'verifying signature'
      echo '*******************'
      codesign -v --verbose=4 outputdir/HalfPipe.app
      echo '********************'
      echo 'spctl assess install'
      echo '********************'
      spctl --assess --type install --verbose=4 outputdir/HalfPipe.app
      echo '********************'
      echo 'spctl assess execute'
      echo '********************'
      spctl --assess --type execute --verbose=4 outputdir/HalfPipe.app

      I am no expert and am learning this myself, but roughly, codesign -v appears to confirm that the app is signed correctly, while the spctl commands seem more to show if the application is Mac App Store ready(?).

      I more elaborately tried...
      # Each check runs quietly first and is repeated with --verbose=4 only if it fails.
      echo '*******************'
      echo 'verifying signature'
      echo '*******************'
      if ! codesign -v outputdir/HalfPipe.app 2>/dev/null; then
        codesign -v --verbose=4 outputdir/HalfPipe.app
      else
        echo "codesign verify OK"
      fi
      echo '********************'
      echo 'spctl assess install'
      echo '********************'
      if ! spctl --assess --type install outputdir/HalfPipe.app 2>/dev/null; then
        spctl --assess --type install --verbose=4 outputdir/HalfPipe.app
      else
        echo "spctl assess install: OK"
      fi
      echo '********************'
      echo 'spctl assess execute'
      echo '********************'
      if ! spctl --assess --type execute outputdir/HalfPipe.app 2>/dev/null; then
        spctl --assess --type execute --verbose=4 outputdir/HalfPipe.app
      else
        echo "spctl assess execute: OK"
      fi

      That was to actually confirm the command is successful. I went back to the simpler version when the script seemed to quit after the first spctl command, sometimes not even giving full output from that. This almost seems like the command is doing a System.exit sort of thing following the error. It unfortunately also occurs on the simpler version.

      However it is implemented, I believe this could sometimes provide useful information to a user in at least verbose builds. Possibly not failing the build, but just including the commands so that the user can see the results.



            herrick Andy Herrick (Inactive)
            webbuggrp Webbug Group
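The verification steps from the report, as an added example that is not part of the original report or of jpackage: each check's exit status and output are captured, so a failing check is reported without stopping the checks after it. The `run_check` and `verify_app` names and the `FAILED` counter are assumptions of this example; the `codesign` and `spctl` invocations are the ones quoted in the report.

```shell
#!/bin/sh
# Added example, not from the report: run the three checks it lists against
# an app image, keep going after a failure, and summarise at the end.
# run_check, verify_app and FAILED are names made up for this example.

FAILED=0    # number of checks that exited non-zero in the last verify_app run

# run_check LABEL CMD [ARG...]
# Runs CMD once, capturing stdout and stderr together.
# The captured output is shown only when CMD fails, with its exit status.
run_check() {
    rc_label=$1
    shift
    rc_status=0
    rc_out=$("$@" 2>&1) || rc_status=$?
    if [ "$rc_status" -eq 0 ]; then
        echo "OK    $rc_label"
    else
        echo "FAIL  $rc_label (exit status $rc_status)"
        if [ -n "$rc_out" ]; then
            printf '%s\n' "$rc_out" | sed 's/^/      /'
        fi
        FAILED=$((FAILED + 1))
    fi
    return 0    # never propagate the failure; the caller decides what to do
}

# verify_app APP_PATH
# Returns 0 only if all three checks pass; FAILED holds the failure count.
verify_app() {
    va_app=$1
    FAILED=0
    run_check "codesign verify"      codesign -v --verbose=4 "$va_app"
    run_check "spctl assess install" spctl --assess --type install --verbose=4 "$va_app"
    run_check "spctl assess execute" spctl --assess --type execute --verbose=4 "$va_app"
    echo "$FAILED of 3 checks failed for $va_app"
    [ "$FAILED" -eq 0 ]
}

# Run only when a path is given, e.g.: sh verify.sh outputdir/HalfPipe.app
if [ "$#" -gt 0 ]; then
    verify_app "$1"
fi
```

A build script that should report without failing can call `verify_app "$app" || true`; one that should fail on a bad signature can use the return status directly.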