Hello!

As a long-time Java developer, I've only ever had to deal with signing
jar files. I can obviously sign jar files once on whatever platform I
choose to use to build the code, and then distribute the jars to all
platforms. Build once, run everywhere, etc.

However, now that jlink exists, as a developer I have to deal with
signing platform-specific executables. For example, if I distribute a
macOS application produced with jlink, that executable will produce a
large warning message:

http://ataxia.io7m.com/2018/02/12/warning.png

Now obviously in the past, the system JRE was signed and so I'd give my
users a jar file, they'd run the jar file using the signed JRE, and
everything would work. With jlink, it's now my responsibility to sign
the executables I produce.

The code signing tools for macOS are evidently not available for any
platform other than macOS, meaning that I now can't just build the code
for all platforms on Linux if I want to use jlink (even though jlink
is capable of producing embedded JREs for all of the platforms I want
to support); at least part of the build would have to take place on
macOS to sign the final result. This is pretty awful!

Are there any plans to implement anything that's capable of signing
macOS binaries and resources in a platform-independent way so that
jlink-produced distributions can work without warnings? Is that even a
reasonable thing to request? I've no idea how "private" Apple keep
their signing implementation.

-- 
Mark Raynsford | http://www.io7m.com
