Hello,
For an application, I need to create a pkg for macOS of a Java application, but
jpackage does not provide support for all the steps required. As a reminder,
here is the full workflow needed to create a valid pkg that passes Gatekeeper
on macOS, which requires three different certificates:
* A standard signing certificate
* An Apple Developer ID Application certificate
* An Apple Developer ID Installer certificate
The full workflow is:
1. Signing the native libraries inside the JAR (requires a Developer ID
Application certificate)
* Basically, this involves extracting the JAR, signing all .jnilib and
.dylib files, and rebuilding the JAR.
2. Signing the JAR itself (requires a standard certificate)
* Using jarsigner to pass the JVM security check.
3. Generating an application image (.app)
4. Signing the native libraries included in the image (requires a Developer
ID Application certificate)
5. Signing the main executable of the image (requires a Developer ID
Application certificate)
6. Signing the main bundle of the image (requires a Developer ID Application
certificate)
7. (Optional) Adding an entitlements.plist file to allow JNI usage
* Needed if using restricted features such as JNI.
8. Creating the installer package (.pkg)
9. Signing the installer package (requires a Developer ID Installer
certificate)
10. Notarizing the package (submission to Apple for verification)
11. Stapling the package (embedding the notarization directly into the
package)
If we skip steps 1 and 2 for preparing the JAR (it would be better if jpackage
could handle this automatically), as well as steps 10 and 11, then for steps 3
to 9 we need to use two different certificates, but jpackage provides only a
single `--mac-sign` parameter, which does not support multiple certificates and
would ideally be split into separate parameters for the application certificate
and the installer certificate; as a result, when creating a pkg with jpackage,
the App Image inside remains unsigned, which causes Gatekeeper to block the
application.
Best regards,
Florent MARTIN
Développeur
Cegid Relations Bancaires
+33 (0)2 99 55 33 22
[email protected]<mailto:[email protected]>
[Facebook]<https://www.facebook.com/CegidGroup/> [Twitter]
<https://twitter.com/CegidGroup> [LinkedIn]
<https://fr.linkedin.com/company/cegid>
cegid.com<https://www.cegid.com/>
[Cegid]<http://www.cegid.com/>
Cegid est susceptible d'effectuer un traitement sur vos données personnelles à
des fins de gestion de notre relation commerciale. Pour plus d'information,
consultez https://www.cegid.com/fr/privacy-policy
Ce message et les pièces jointes sont confidentiels et établis à l'attention
exclusive de ses destinataires. Toute utilisation ou diffusion, même partielle,
non autorisée est interdite. Tout message électronique est susceptible
d'altération; Cegid décline donc toute responsabilité au titre de ce message.
Si vous n'êtes pas le destinataire de ce message, merci de le détruire et
d'avertir l'expéditeur.
Cegid may process your personal data for the purpose of our business
relationship management. For more information, please visit our website
https://www.cegid.com/en/privacy-policy
This message and any attachments are confidential and intended solely for the
addressees. Any unauthorized use or disclosure, either whole or partial is
prohibited. E-mails are susceptible to alteration; Cegid shall therefore not be
liable for the content of this message. If you are not the intended recipient
of this message, please delete it and notify the sender.
