Why can't I launch a Java application after code signing with --option runtime

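I am distributing a Java application for Mac OS and use appbundler to build the application. The application now needs to be notarized, and Hardened Runtime has to be enabled to pass notarization. There are some problems with this: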

Building the application with Maven:

<build>
    <finalName>${organization.name}-${version}</finalName>
    <plugins>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-antrun-plugin</artifactId>
            <dependencies>
                <dependency>
                    <groupId>com.panayotis</groupId>
                    <artifactId>appbundler</artifactId>
                    <version>1.1.0</version>
                </dependency>
            </dependencies>
            <executions>
                <execution>
                    <phase>package</phase>
                    <goals>
                        <goal>run</goal>
                    </goals>
                    <configuration>
                        <target>
                            <mkdir dir="${build.directory}/${build.finalName}"/>
                            <taskdef name="bundleapp" classname="com.oracle.appbundler.AppBundlerTask"/>
                            <bundleapp outputdirectory="${build.directory}/${build.finalName}"
                                       name="${organization.name}"
                                       displayname="${organization.name}"
                                       identifier="com.company.product"
                                       shortversion="${revision}"
                                       icon="src/main/resources/icons/Icon.icns"
                                       mainclassname="org.springframework.boot.loader.JarLauncher"
                                       copyright="2019 Company">
                                <runtime dir="${project.basedir}/../misc/jdk-11.0.4+11/Contents/Home"/>
                                <classpath file="${build.directory}/${organization.name}-${revision}.jar"/>
                                <option value="-Dspring.config.location=classpath:/application.yml,file:./application.yml"/>
                                <option value="-Djava.awt.headless=false"/>
                                <option value="-Xmx512m"/>
                            </bundleapp>
                        </target>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

Code signing process:

codesign --options runtime --entitlements entitlements.plist --sign "Dev. ID" App.app/Contents/PlugIns/jdk-11.0.4+11
find "App.app/Contents/Resources/additional executables" -type f -exec codesign --options runtime --entitlements entitlements.plist --sign "Dev. ID" {} \;
codesign --options runtime --entitlements entitlements.plist --sign "Dev. ID" App.app/Contents/Java/App.jar
codesign --options runtime --entitlements entitlements.plist --sign "Dev. ID" App.app/Contents/MacOS/JavaAppLauncher

Entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
</dict>
</plist>

Error when launching the application from the terminal:

2019-08-08 10:28:51.443 JavaAppLauncher[4526:559342] int launch(char *, int, char **) Launchpath: /Applications/App.app/Contents/PlugIns/jdk-11.0.4+11/Contents/Home/lib/jli/libjli.dylib
2019-08-08 10:28:51.449 JavaAppLauncher[4526:559342] int launch(char *, int, char **) Error launching JVM Runtime (jdk-11.0.4+11) Relative Path: '/Applications/App.app/Contents/PlugIns/jdk-11.0.4+11' (dylib: /Applications/App.app/Contents/PlugIns/jdk-11.0.4+11/Contents/Home/lib/jli/libjli.dylib)
  error: JRELoadError

The right decision was to get rid of the appbundler plugin. I wrote my own launcher, built it in Xcode with Hardened Runtime enabled, and it works perfectly.
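
The entitlements file in the question turns on five com.apple.security.cs.* keys, each of which relaxes a Hardened Runtime protection. As an added example (not part of the original question or answer), this Python check lists the exceptions an entitlements file enables and reports any outside an approved set; the approved set shown is a hypothetical policy, not a statement of what a JVM needs.

```python
import plistlib

# Entitlement keys under this prefix relax Hardened Runtime protections.
RUNTIME_EXCEPTION_PREFIX = "com.apple.security.cs."

# The entitlements.plist from the question, embedded so the example runs offline.
QUESTION_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
</dict>
</plist>
"""

def enabled_exceptions(plist_bytes):
    """Return the sorted Hardened Runtime exception keys that are set to true."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must have a <dict> root")
    enabled = []
    for key, value in data.items():
        if not key.startswith(RUNTIME_EXCEPTION_PREFIX):
            continue  # not a runtime exception (e.g. a sandbox entitlement)
        if not isinstance(value, bool):
            raise ValueError(f"{key}: expected <true/> or <false/>, got {value!r}")
        if value:  # a key set to <false/> grants nothing
            enabled.append(key)
    return sorted(enabled)

def unapproved_exceptions(plist_bytes, approved):
    """Return the enabled exceptions that are not in the approved set."""
    return [k for k in enabled_exceptions(plist_bytes) if k not in approved]

if __name__ == "__main__":
    approved = {"com.apple.security.cs.allow-jit"}  # hypothetical policy, an assumption
    extra = unapproved_exceptions(QUESTION_ENTITLEMENTS, approved)
    for key in extra:
        print("unapproved runtime exception:", key)
    raise SystemExit(1 if extra else 0)  # non-zero exit fails a build step
```

Run as a build step before codesign, it exits non-zero when the file grants an exception the policy does not list.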