How do I modify my Java appbundler build to sign a 3rd-party library?
I have added a new dependency to my Java application that includes two dynamic libraries (intel/arm64 versions), and now my application fails notarization because of
songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-aarch64-3.4.10.dylib
In this example I am building on an M1 Mac.
{
"logFormatVersion": 1,
"jobId": "f90d1f17-d51c-4b13-95d5-3629126aa3b8",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "songkong-osx.dmg",
"uploadDate": "2022-04-13T15:16:01Z",
"sha256": "44742c010d90183f2129c675a81377f89a6321a17eaee54ecb45fa638132686c",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-x86_64-3.4.10.dylib",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-x86_64-3.4.10.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-aarch64-3.4.10.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": null,
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "songkong-osx.dmg/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar/japlscript-aarch64-3.4.10.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "arm64"
}
]
}
I have the credentials and a build system to notarize my own application, but I don't see how that fits with signing a third-party dynamic library.
This is the signing part of my build:
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --deep --verbose /Applications/SongKong.app
/usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
spctl -a -t exec -vv /Applications/SongKong.app
cd $HOME/code/jthink/SongKong
/usr/local/bin/dmgcanvas $HOME/code/jthink/SongKong/dmgCanvas_songkong.dmgCanvas $HOME/songkong-osx.dmg -v SongKong
How do I modify this to additionally sign these dynamic libraries?
Edit
It seems that even though I use --deep, it is not deep enough?
/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --deep --verbose /Applications/SongKong.app
So although verification reports OK:
/usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
spctl -a -t exec -vv /Applications/SongKong.app
when it is actually sent to Apple for notarization (via the dmgCanvas application), it detects these libraries and fails the notarization step.
So how do I make codesign go deeper?
Edit 2
I read https://developer.apple.com/forums/thread/128166 and https://developer.apple.com/forums/thread/129980
It seems --deep does not always work, so I added a codesign step for the jar, which appeared to work:
/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --verbose /Applications/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar
But notarization continues to fail.
Another thing I noticed is that there appears to be another codesign, of the dmg rather than the app, just before notarization (by my DmgCanvas); maybe that is the problem.
What do I need to notarize: the app, the dmg, or both?
To sign the casampledsp libraries, I do the following:
# sign dylibs in jars
unzip -j jar_dir/casampledsp-complete* '*.dylib'
codesign -vvv -f --sign "Developer ID Application: Whatever Your Name Is" *.dylib
jar -uvf jar_dir/casampledsp-complete* casampledsp*
rm casampledsp*
I.e. I extract the *.dylib files, sign them, and then put them back with the jar flag -uvf.
To make this work for your app, simply replace jar_dir with the directory that holds your macOS app's jar.
Added 2022-04-20:
As of v3.4.11, the native libraries packaged in JaplScript are already signed, so this is no longer needed.
OK, the key point is that the files cannot be signed while they are inside the jar, but the notarization step still finds them and fails notarization if they are unsigned, so they have to be unzipped from the jar, signed, and then put back.
Based on Hendrik's answer, I extended the signing part of my build to:
# 1. pull the native libraries out of the third-party jar into a scratch directory
unzip -j /Applications/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar -d /Applications/SongKong.app/Contents/Java/EXTRACT
# 2. sign each extracted dylib with Developer ID, hardened runtime and a secure timestamp
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
/usr/bin/codesign --timestamp --options runtime \
--sign "Developer ID Application: P Taylor" \
--force --verbose /Applications/SongKong.app/Contents/Java/EXTRACT/*.dylib
# 3. put the signed copies back into the jar and remove the scratch directory
cd /Applications/SongKong.app/Contents/Java/EXTRACT
jar -uvf /Applications/SongKong.app/Contents/Java/japlscript-executor-3.4.10.jar *.dylib
rm -fr /Applications/SongKong.app/Contents/Java/EXTRACT
# 4. sign the whole app bundle (only after the jar has been rewritten, so the bundle seal covers the final jar)
cd $HOME/code/jthink/songkong
/usr/bin/codesign --timestamp --options runtime \
--entitlements $HOME/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --deep --verbose /Applications/SongKong.app
# 5. verify the bundle signature and the Gatekeeper assessment
/usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
/usr/bin/codesign -d --deep --strict /Applications/SongKong.app
spctl -a -t exec -vv /Applications/SongKong.app
# 6. build the dmg, sign it and submit it for notarization
cd $HOME/code/jthink/SongKong
/usr/local/bin/dmgcanvas $HOME/code/jthink/SongKong/dmgCanvas_songkong.dmgCanvas $HOME/songkong-osx.dmg -v SongKong -identity "Developer ID Application: P Taylor" -notarizationAppleID paultaylor@jthink.net -notarizationPassword xxxxxxxxxxxxxxxxxxxxx -notarizationPrimaryBundleID songkong
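Both answers do the same thing: pull the dylibs out of the jar, sign them on disk, and put them back, because codesign cannot sign an entry inside a zip archive and the bundle-level codesign --deep does not look inside archives, while the notary service does (the log lists the offending paths inside the jar). The following is an added example, not code from the question, from Hendrik's answer, or from the SongKong or JaplScript projects: it re-implements that unpack/sign/repack step in Python so it can be dropped into a build script. It goes beyond the two answers in two ways: it finds native code by Mach-O magic bytes rather than by the .dylib extension (so .jnilib or .so entries that are really Mach-O are not missed, and a .class file, which shares the universal-binary magic, is never handed to codesign), and it rewrites the jar entry by entry preserving order, timestamps and compression instead of updating it in place. The signing identity, the entry names and the sample jar are assumptions made for the demo; the default signer runs /usr/bin/codesign with the same flags as the build in the question, and fake_signer is a stand-in that lets the repacking logic run on a machine without codesign.

```python
"""Sign the Mach-O libraries packed inside a jar and write them back.

Added example, not code from the question or either answer: it performs the
unzip -> codesign -> jar -uvf step the answers describe as one function that
rewrites the jar entry by entry, so manifest, classes and resources are copied
through untouched. Native entries are found by Mach-O magic bytes, not by
extension. Identity, entry names and the sample jar are assumptions for this demo.
"""
import os
import shutil
import subprocess
import tempfile
import zipfile

THIN_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe"}  # MH_MAGIC_64 / MH_MAGIC, little-endian
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; also the magic of every Java .class file

def is_macho(head: bytes) -> bool:
    """True if the first 8 bytes look like a thin or fat Mach-O file. A fat header
    stores nfat_arch after the magic, a class file stores minor/major version there
    (major >= 45), so a small big-endian value means Mach-O (file(1)'s own cutoff)."""
    if len(head) < 8:
        return False
    if head[:4] in THIN_MAGICS:
        return True
    return head[:4] == FAT_MAGIC and int.from_bytes(head[4:8], "big") <= 30

def read_entry(jar_path: str, name: str) -> bytes:
    with zipfile.ZipFile(jar_path) as zf:
        return zf.read(name)

def find_native_entries(jar_path: str) -> list:
    """Names of every Mach-O entry in the jar, whatever its extension."""
    found = []
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                with zf.open(info) as f:
                    if is_macho(f.read(8)):
                        found.append(info.filename)
    return found

def codesign(path: str, identity: str) -> None:
    """Default signer: Developer ID, hardened runtime and a secure timestamp, the
    three properties the notarization log in the question reports as missing."""
    subprocess.run(["/usr/bin/codesign", "--force", "--timestamp", "--options",
                    "runtime", "--sign", identity, path], check=True)

def fake_signer(path: str, identity: str) -> None:
    # Stand-in for codesign on a non-macOS box: appends a marker, NOT a signature.
    with open(path, "ab") as f:
        f.write(b"\x00SIGNED:" + identity.encode())

def sign_jar_natives(jar_path: str, identity: str, signer=codesign) -> list:
    """Extract each Mach-O entry, sign it on disk, and rewrite the jar with the
    signed bytes in place of the originals. Returns the entries that were signed."""
    natives = set(find_native_entries(jar_path))
    if not natives:
        return []
    # Work next to the jar so the final os.replace stays on one filesystem.
    workdir = tempfile.mkdtemp(prefix=".jar-sign-", dir=os.path.dirname(os.path.abspath(jar_path)))
    tmp_jar = os.path.join(workdir, "repacked.jar")
    signed = []
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_jar, "w") as dst:
            for info in src.infolist():
                data = src.read(info)
                if info.filename in natives:
                    # codesign needs a real file; flatten the path so equal basenames cannot collide.
                    out = os.path.join(workdir, info.filename.replace("/", "__"))
                    with open(out, "wb") as f:
                        f.write(data)
                    signer(out, identity)
                    with open(out, "rb") as f:
                        data = f.read()
                    signed.append(info.filename)
                # Fresh ZipInfo keeps name, timestamp, compression and unix mode.
                new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
                new.compress_type, new.external_attr = info.compress_type, info.external_attr
                dst.writestr(new, data)
        os.replace(tmp_jar, jar_path)  # swap in only once the new jar is complete
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return signed

def build_sample_jar() -> str:
    """Constructed sample input: manifest, a class file (same magic as a fat
    Mach-O), two thin dylibs and one universal dylib, all with stub contents."""
    path = os.path.join(tempfile.mkdtemp(prefix="jar-sample-"), "executor.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Foo.class", FAT_MAGIC + b"\x00\x00\x00\x34" + b"\0" * 16)
        zf.writestr("native/libexec-x86_64.dylib", b"\xcf\xfa\xed\xfe" + b"\0" * 28)
        zf.writestr("native/libexec-aarch64.dylib", b"\xcf\xfa\xed\xfe" + b"\0" * 28)
        zf.writestr("native/libexec-universal.dylib", FAT_MAGIC + b"\x00\x00\x00\x02" + b"\0" * 24)
    return path

if __name__ == "__main__":
    jar = build_sample_jar()
    print(sign_jar_natives(jar, "Developer ID Application: Example Corp", signer=fake_signer))
```

Run it against every jar under Contents/Java before the bundle-level codesign of the .app, in the same order as the accepted build: rewriting a jar after the bundle has been signed changes a file that is hashed in Contents/_CodeSignature/CodeResources and invalidates the app signature. With the real signer, codesign --verify --verbose on a copy of an extracted dylib confirms the Developer ID signature and timestamp locally; the notary log remains the final check.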