MAS codesign requirements break Java app signing

2014-11-09 Thread Zach Oakes
It looks like Apple has changed its codesigning requirements for the Mac
App Store. Thus far, I've been packaging my Java app using Oracle's
appbundler tool and signing it with the following script:

http://pastebin.com/BtLV9bur

This worked fine even as recently as last month. This time, I get an email
from them with the following:

Invalid code signature - Signatures created with OS X version 10.8.5 or
earlier [v1 signatures] are obsoleted and will no longer be recognized by
Gatekeeper beginning with OS X version 10.9.5. To ensure your apps will run
on updated versions of OS X they must be signed on OS X version 10.9 or
later [v2 signatures]. For more information, see OS X Code Signing In Depth

I think this error is incorrect, because I'm using 10.9.5 with the latest
Xcode (6.1). I tried "codesign -dv MyApp.app" and it says "Sealed Resources
version=2 rules=12 files=7", so I think I am using v2 signatures. My JDK
version has not changed since last month (8u25), so I can rule that out.

I would appreciate any help. Thank you.

Zach


Re: MAS codesign requirements break Java app signing

2014-11-09 Thread Danno Ferrin
What are your entitlements?  For javapackager we sign only the master package 
with real user supplied entitlements, every other jar, dylib, and executable 
gets entitlements that are just sandbox and inherit.  We 
also don't put entitlements on the JRE package when it is signed under plugins.


On Nov 9, 2014, at 2:26 PM, Zach Oakes wrote:

> It looks like Apple has changed its codesigning requirements for the Mac
> App Store. Thus far, I've been packaging my Java app using Oracle's
> appbundler tool and signing it with the following script:
> 
> http://pastebin.com/BtLV9bur
> 
> This worked fine even as recently as last month. This time, I get an email
> from them with the following:
> 
> Invalid code signature - Signatures created with OS X version 10.8.5 or
> earlier [v1 signatures] are obsoleted and will no longer be recognized by
> Gatekeeper beginning with OS X version 10.9.5. To ensure your apps will run
> on updated versions of OS X they must be signed on OS X version 10.9 or
> later [v2 signatures]. For more information, see OS X Code Signing In Depth
> 
> I think this error is incorrect, because I'm using 10.9.5 with the latest
> Xcode (6.1). I tried "codesign -dv MyApp.app" and it says "Sealed Resources
> version=2 rules=12 files=7", so I think I am using v2 signatures. My JDK
> version has not changed since last month (8u25), so I can rule that out.
> 
> I would appreciate any help. Thank you.
> 
> Zach
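
The signing layout described in this reply, written out as a dry run. This is an added example, not javapackager's or appbundler's code and not the script linked in the thread; the function names and the choice to skip the launcher in `Contents/MacOS` are assumptions made for illustration.

```bash
# Added example: prints (never runs) codesign commands for the layout above.

# Entitlements that are "just sandbox and inherit", for nested code.
write_inherit_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.inherit</key><true/>
</dict></plist>
EOF
}

# Every jar, dylib and executable file inside the bundle. The launcher in
# Contents/MacOS is skipped on the assumption that it is the bundle's main
# executable, which is signed when the bundle itself is signed.
nested_code() {
  find "$1" -type f ! -path "$1/Contents/MacOS/*" \
    \( -name '*.jar' -o -name '*.dylib' -o -perm -100 \) | sort
}

# sign_plan APP IDENTITY USER_ENTITLEMENTS INHERIT_ENTITLEMENTS
sign_plan() {
  # 1. nested files get the inherit-only entitlements
  nested_code "$1" | while IFS= read -r f; do
    printf 'codesign --force --sign "%s" --entitlements "%s" "%s"\n' "$2" "$4" "$f"
  done
  # 2. the JRE bundle under PlugIns is signed with no entitlements at all
  for jre in "$1"/Contents/PlugIns/*; do
    if [ -d "$jre" ]; then
      printf 'codesign --force --sign "%s" "%s"\n' "$2" "$jre"
    fi
  done
  # 3. only the outer app carries the user-supplied entitlements
  printf 'codesign --force --sign "%s" --entitlements "%s" "%s"\n' "$2" "$3" "$1"
}
```

Comparing the printed plan with what an existing signing script does shows at a glance which files receive the full entitlements and which receive only sandbox and inherit.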



Re: MAS codesign requirements break Java app signing

2014-11-09 Thread Zach Oakes
In the bash script I linked, everything but jspawnhelper gets the full
(user-supplied) entitlements. Do you think that is the problem?

On Sun, Nov 9, 2014 at 7:13 PM, Danno Ferrin wrote:

> What are your entitlements?  For javapackager we sign only the master
> package with real user supplied entitlements, every other jar, dylib, and
> executable gets entitlements that are just sandbox
> and inherit.  We also don't put entitlements on the JRE package when it is
> signed under plugins.


Re: MAS codesign requirements break Java app signing

2014-11-09 Thread Danno Ferrin
Not sure, but that is what is different from what I have that works.  
Everything else seemed to match up, including the forced overriding of the 
signatures.

On Nov 9, 2014, at 5:23 PM, Zach Oakes wrote:

> In the bash script I linked, everything but jspawnhelper gets the full 
> (user-supplied) entitlements. Do you think that is the problem?



Re: MAS codesign requirements break Java app signing

2014-11-09 Thread Michael Hall
On Nov 9, 2014, at 6:10 PM, Zach Oakes wrote:

> Can you elaborate on what you are trying to say? As I mentioned, I already 
> ran "codesign -dv MyApp.app", and it does indeed show "version=2". Yet, I 
> still get the error from Apple after uploading.


Sorry, I had read your post a little while back and missed the significance of 
that until after I focused on the "so I think I am using v2 signatures." and 
did some checking myself to see how you would display that.
Not sure, otherwise, the Mavericks section also has…
• It records substantially all files by default. There are no default 
"holes" (omit rules).
• It records nested code (frameworks, dylibs, helper tools and apps, 
plug-ins, etc.) by recording their code signature for verification.
• It records symbolic links. Version 1 resource envelopes ignore 
symlinks.

There was some mention a while ago I think that a jli(?) lib used a symbolic 
link or something like that? That might have been mentioned on the old Apple 
java-dev list. Would cause a problem now. You could ‘ls’ all the files in your 
embedded jre checking for any sum

> version=2 rules=12 files=7

Since it is now “all files” you could verify the file count in your bundle is 
actually 7? 

Michael Hall

trz nio.2 for OS X http://www195.pair.com/mik3hall/index.html#trz

HalfPipe Java 6/7 shell app http://www195.pair.com/mik3hall/index.html#halfpipe

AppConverter convert Apple jvm to openjdk apps 
http://www195.pair.com/mik3hall/index.html#appconverter
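
The two checks suggested in this message (look for symbolic links in the embedded JRE, and compare the bundle's file count with the `files=` figure that `codesign -dv` reports) can be scripted as follows. This is an added example, not part of the original post; the function names are hypothetical.

```bash
# Added example: inventory the things a version 2 resource envelope records.

# bundle_symlinks APP
# One line per symlink: "<kind> <path inside bundle> -> <target>", where kind is
#   dangling  the target does not exist
#   absolute  the target is an absolute path
#   relative  the target is a relative path that resolves
bundle_symlinks() {
  find "$1" -type l | sort | while IFS= read -r link; do
    target=$(readlink "$link")
    if [ ! -e "$link" ]; then
      kind=dangling
    else
      case "$target" in
        /*) kind=absolute ;;
        *)  kind=relative ;;
      esac
    fi
    printf '%s %s -> %s\n' "$kind" "${link#"$1"/}" "$target"
  done
}

# bundle_file_count APP: number of regular files anywhere in the bundle.
bundle_file_count() {
  find "$1" -type f | wc -l | tr -d ' '
}

# sealed_file_count: reads codesign -dv output on stdin and prints N from the
# "Sealed Resources version=2 rules=12 files=N" line quoted in the thread.
# codesign writes this report to stderr, so pipe it with 2>&1.
sealed_file_count() {
  sed -n 's/.*Sealed Resources version=[0-9]* rules=[0-9]* files=\([0-9]*\).*/\1/p'
}
```

On a Mac, `codesign -dv MyApp.app 2>&1 | sealed_file_count` gives the sealed figure to set beside `bundle_file_count MyApp.app`.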







Re: MAS codesign requirements break Java app signing

2014-11-09 Thread Zach Oakes
I made the changes you described and I received the same error from Apple.
Below is the modified script I used. If you can see any other differences,
please let me know. It's frustrating since the error Apple gives is
seemingly irrelevant.

http://pastebin.com/JD2XY7YE

On Sun, Nov 9, 2014 at 7:24 PM, Danno Ferrin wrote:

> Not sure, but that is what is different from what I have that works.
> Everything else seemed to match up, including the forced overriding of the
> signatures.