How do I modify my Java appbundler build to sign 3rd party library

I have added a new dependency to my Java application that includes two dynamic libraries (intel/arm64 versions), and now my application fails notarization because of

songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-aarch64-3.4.10.dylib

In this example I am building on an M1 Mac.

{
    "logFormatVersion": 1,
    "jobId": "f90d1f17-d51c-4b13-95d5-3629126aa3b8",
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "statusCode": 4000,
    "archiveFilename": "songkong-osx.dmg",
    "uploadDate": "2022-04-13T15:16:01Z",
    "sha256": "44742c010d90183f2129c675a81377f89a6321a17eaee54ecb45fa638132686c",
    "ticketContents": null,
    "issues": [
        {
            "severity": "error",
            "code": null,
            "path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-x86_64-3.4.10.dylib",
            "message": "The binary is not signed.",
            "docUrl": null,
            "architecture": "x86_64"
        },
        {
            "severity": "error",
            "code": null,
            "path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-x86_64-3.4.10.dylib",
            "message": "The signature does not include a secure timestamp.",
            "docUrl": null,
            "architecture": "x86_64"
        },
        {
            "severity": "error",
            "code": null,
            "path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-aarch64-3.4.10.dylib",
            "message": "The binary is not signed with a valid Developer ID certificate.",
            "docUrl": null,
            "architecture": "arm64"
        },
        {
            "severity": "error",
            "code": null,
            "path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-aarch64-3.4.10.dylib",
            "message": "The signature does not include a secure timestamp.",
            "docUrl": null,
            "architecture": "arm64"
        }
    ]
}

I have the credentials and the build system to notarize my own application, but I don't know how this fits in with signing third party dynamic libraries.

This is the signing part of my build:

export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --deep --verbose /Applications/SongKong.app
/usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
spctl -a -t exec -vv /Applications/SongKong.app
cd $HOME/code/jthink/SongKong
/usr/local/bin/dmgcanvas $HOME/code/jthink/SongKong/dmgCanvas_songkong.dmgCanvas $HOME/songkong-osx.dmg -v SongKong 

How do I modify it to additionally sign this dynamic library?

EDIT It seems that even though I use --deep it is not deep enough?

/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --deep --verbose /Applications/SongKong.app

So although verification shows OK,

/usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
spctl -a -t exec -vv /Applications/SongKong.app

when it is actually sent to Apple for notarization (via the dmgCanvas application), it detects these libraries and fails the notarization step.

So how do I make codesign go deeper?

EDIT 2

I read https://developer.apple.com/forums/thread/128166 and https://developer.apple.com/forums/thread/129980

It seems --deep does not always work, so I added code for the jar, which seems to work:

/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --verbose /Applications/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar

But notarization continues to fail.

Another thing I noticed is that just before notarization there seems to be another codesign (by my DmgCanvas) of the dmg rather than of the application; maybe that is the problem.

What do I need to notarize: the app, the dmg, or both?

To sign the casampledsp libraries I do the following:

# sign dylibs in jars
unzip -j jar_dir/casampledsp-complete* '*.dylib'
codesign -vvv -f --sign "Developer ID Application: Whatever Your Name Is" *.dylib
jar -uvf jar_dir/casampledsp-complete*  casampledsp*
rm casampledsp*

I.e. I extract the *.dylib files, sign them, and then put them back using the jar flag -uvf.

To make this work for your app, simply replace jar_dir with the name of the directory holding your macOS app's jars.

Added 20 April 2022:

Starting with v3.4.11, the native libraries packaged in JaplScript are already signed, so this is no longer necessary.

OK, the key point is that the files cannot be signed while they are inside the jar file, but the notarization step finds them and, if they are unsigned, fails notarization, so they have to be taken out of the jar and then put back.

Based on Hendrik's answer, I extended the signing part of my build to:

unzip -j /Applications/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar -d /Applications/SongKong.app/Contents/Java/EXTRACT
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
/usr/bin/codesign --timestamp --options runtime \
--sign "Developer ID Application: P Taylor" \
--force --verbose /Applications/SongKong.app/Contents/Java/EXTRACT/*.dylib
cd /Applications/SongKong.app/Contents/Java/EXTRACT
jar -uvf /Applications/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar *.dylib
rm -fr /Applications/SongKong.app/Contents/Java/EXTRACT
cd $HOME/code/jthink/songkong
/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --deep --verbose /Applications/SongKong.app
/usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
/usr/bin/codesign -d --deep --strict /Applications/SongKong.app
spctl -a -t exec -vv /Applications/SongKong.app
cd $HOME/code/jthink/SongKong
/usr/local/bin/dmgcanvas $HOME/code/jthink/SongKong/dmgCanvas_songkong.dmgCanvas $HOME/songkong-osx.dmg -v SongKong -identity "Developer ID Application: P Taylor" -notarizationAppleID paultaylor@jthink.net -notarizationPassword xxxxxxxxxxxxxxxxxxxxx -notarizationPrimaryBundleID songkong
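The extract / sign / repack step from Hendrik's answer and the accepted answer above, generalised as an added example (not the OP's build script) to every jar under Contents/Java and to libraries stored at any path inside a jar, not only at the jar root. It assumes Xcode's codesign and a JDK jar are on PATH; the identity string and bundle paths are placeholders you supply.

```python
"""Sign native libraries bundled inside jars before notarizing a macOS Java app.

Added example, not the OP's build script. Run it before the final
`codesign --deep` of the bundle: signing the outer app never reaches
Mach-O files sealed inside a jar, which is exactly what notarization rejects.
"""
import subprocess
import tempfile
import zipfile
from pathlib import Path

NATIVE_SUFFIXES = (".dylib", ".jnilib")  # Mach-O entries the notary service inspects inside jars


def native_entries(jar_path):
    """Entry names inside jar_path that are native libraries (at any depth, not just the root)."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(NATIVE_SUFFIXES))


def sign_jar_natives(jar_path, identity, run=subprocess.run):
    """Extract, sign (secure timestamp + hardened runtime), verify and re-insert each native lib.

    `run` is injectable so the flow can be exercised on a machine without codesign/jar.
    Returns the list of entries that were signed.
    """
    jar_path = Path(jar_path)
    entries = native_entries(jar_path)
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(jar_path) as zf:
            for name in entries:
                zf.extract(name, tmp)  # keeps the relative path so `jar -C` restores it in place
        for name in entries:
            lib = str(Path(tmp, name))
            run(["codesign", "--timestamp", "--options", "runtime", "--force",
                 "--sign", identity, lib], check=True)
            # Fail the build here rather than at the notary: an unsigned or
            # untimestamped lib must never go back into the jar.
            run(["codesign", "--verify", "-vvv", lib], check=True)
            run(["jar", "-uf", str(jar_path), "-C", tmp, name], check=True)
    return entries


def sign_app_natives(app_dir, identity, run=subprocess.run):
    """Sign every native lib in every jar of the bundle; returns {jar: [entries]} for the build log."""
    signed = {}
    for jar in sorted(Path(app_dir, "Contents", "Java").glob("*.jar")):
        entries = sign_jar_natives(jar, identity, run)
        if entries:
            signed[str(jar)] = entries
    return signed
```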