Hi Florent,
jpackage doesn't build the application jar. Likewise, it doesn't
notarize and staple the package. These limitations leave steps 1, 2, 10,
and 11 out of scope. The remaining steps are handled by jpackage, and
each can be customized.
There are three CLI options to control signing certificates:
--mac-signing-key-user-name, --mac-app-image-sign-identity, and
--mac-installer-sign-identity.
--mac-signing-key-user-name option allows specifying a portion of the
names of certificates for signing the application bundle and .pkg
installer. jpackage will use the value of this option to lookup for
certificates.
E.g., say you have "Developer ID Application: Acme Software LLC
(ABCD1234)" and "Developer ID Installer: Acme Software LLC (ABCD1234)"
certificates. You can instruct jpackage to use them in steps 3-9 by
adding "--mac-signing-key-user-name 'Acme Software LLC (ABCD1234)'" to
the command line.
If you want to explicitly specify certificates, you may use
--mac-app-image-sign-identity and --mac-installer-sign-identity options.
The value of the --mac-app-image-sign-identity option should be the full
name of the certificate for signing application bundle.
The value of the --mac-installer-sign-identity option should be the full
name of the certificate for signing .pkg installer.
Additionally, you can specify the name of the keychain with the
certificates with the --mac-signing-keychain option and the entitlements
file with --mac-entitlements option.
All these options are valid only when used with "--mac-sign" option.
- Alexey
On 2/23/2026 5:53 AM, Florent MARTIN wrote:
Hello,
For an application, I need to create a pkg for macOS of a Java
application, but jpackage does not provide support for all the steps
required. As a reminder, here is the full workflow needed to create a
valid pkg that passes Gatekeeper on macOS, which requires three
different certificates:
* A standard signing certificate
* An Apple Developer ID Application certificate
* An Apple Developer ID Installer certificate
The full workflow is:
1. Signing the native libraries inside the JAR (requires a Developer
ID Application certificate)
* Basically, this involves extracting the JAR, signing all
.jnilib and .dylib files, and rebuilding the JAR.
2. Signing the JAR itself (requires a standard certificate)
* Using jarsigner to pass the JVM security check.
3. Generating an application image (.app)
4. Signing the native libraries included in the image (requires a
Developer ID Application certificate)
5. Signing the main executable of the image (requires a Developer ID
Application certificate)
6. Signing the main bundle of the image (requires a Developer ID
Application certificate)
7. (Optional) Adding an entitlements.plist file to allow JNI usage
* Needed if using restricted features such as JNI.
8. Creating the installer package (.pkg)
9. Signing the installer package (requires a Developer ID Installer
certificate)
10. Notarizing the package (submission to Apple for verification)
11. Stapling the package (embedding the notarization directly into the
package)
If we skip steps 1 and 2 for preparing the JAR (it would be better if
jpackage could handle this automatically), as well as steps 10 and 11,
then for steps 3 to 9 we need to use two different certificates, but
jpackage provides only a single `--mac-sign` parameter, which does not
support multiple certificates and would ideally be split into separate
parameters for the application certificate and the installer
certificate; as a result, when creating a pkg with jpackage, the App
Image inside remains unsigned, which causes Gatekeeper to block the
application.
Best regards,
*Florent MARTIN*
Développeur
Cegid Relations Bancaires
+33 (0)2 99 55 33 22
[email protected] <mailto:[email protected]>
Facebook <https://www.facebook.com/CegidGroup/>Twitter
<https://twitter.com/CegidGroup>LinkedIn
<https://fr.linkedin.com/company/cegid>
*cegid.com* <https://www.cegid.com/>**
Cegid <http://www.cegid.com/>
Cegid est susceptible d’effectuer un traitement sur vos données
personnelles à des fins de gestion de notre relation commerciale. Pour
plus d’information, consultez https://www.cegid.com/fr/privacy-policy
Ce message et les pièces jointes sont confidentiels et établis à
l'attention exclusive de ses destinataires. Toute utilisation ou
diffusion, même partielle, non autorisée est interdite. Tout message
électronique est susceptible d'altération; Cegid décline donc toute
responsabilité au titre de ce message. Si vous n'êtes pas le
destinataire de ce message, merci de le détruire et d'avertir
l'expéditeur.
Cegid may process your personal data for the purpose of our business
relationship management. For more information, please visit our
website https://www.cegid.com/en/privacy-policy
This message and any attachments are confidential and intended solely
for the addressees. Any unauthorized use or disclosure, either whole
or partial is prohibited. E-mails are susceptible to alteration; Cegid
shall therefore not be liable for the content of this message. If you
are not the intended recipient of this message, please delete it and
notify the sender.
