adoptium / adoptium-support

For end-user problems reported with our binary distributions
Apache License 2.0

Fail to notarize embedded AdoptOpenJDK JRE 8u265b01 with install4j #186

Closed AndreasEhret closed 4 years ago

AndreasEhret commented 4 years ago

We want to embed the latest AdoptOpenJDK JRE 8u265b01 (macOS) in my software, which is built by install4j. Unfortunately the macOS build notarization fails with the following error:

```json
{
  "logFormatVersion": 1,
  "jobId": "6d366297-24f5-4cf4-a4ee-5470d3849a64",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "MyTestApp_macos_1_2_0-SNAPSHOT.dmg",
  "uploadDate": "2020-09-18T10:21:14Z",
  "sha256": "a7b77b3d5d1a1ad73ade0ef8dfe75eb165079c7ce0ef741d4dae803738b4262b",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MyTestApp_macos_1_2_0-SNAPSHOT.dmg/MyTestApp Installer.app/Contents/Resources/app/jre.tar.gz/jre.tar/Contents/MacOS/libjli.dylib",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}
```

Based on this article we unsign the JRE archive before starting the install4j build:

$ xattr -cr jdk8u265-b01-jre

Repack and build again, ending up with the same error.

Any ideas and help would be appreciated.

aahlenst commented 4 years ago

@gdams Your help is needed here.

hendrikebbers commented 4 years ago

@gdams @aahlenst this is the mentioned issue about notarization with Install4J

hendrikebbers commented 4 years ago

I will ping a contact at Install4J and send him the issue.

gdams commented 4 years ago

okay this should fix it:

xattr -cr jdk8u265-b01-jre
codesign --verbose=4 --deep --force -s "Developer ID Application: <application ID>" jdk8u265-b01-jre

In order to notarize you normally have to deep sign the runtime first. This prevents it from being modified further.
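As an added example (not code from this thread or from the Adoptium project), here is a small Python triage script for the situation above. It reads a notarization log like the one in the first post, reports for each issue whether the rejected binary sits inside a nested archive (in the post it is `jre.tar.gz/jre.tar/.../libjli.dylib`, which a `--deep` signature of the outer installer never descends into), and emits the `xattr`/`codesign` steps from the comment above followed by a strict verification pass. The sample log is constructed from the one posted; the runtime directory and the Developer ID identity string are placeholders.

```python
"""Triage an Apple notarization log and emit the steps to re-sign the runtime.

Added example, not code from the thread or from Adoptium. The sample log is
constructed from the one posted in the issue; paths and identities are placeholders.
"""
from __future__ import annotations

import json
import shutil
import subprocess
from pathlib import PurePosixPath

# Constructed sample input: the notarization log from the first post, as JSON.
SAMPLE_LOG = """{
  "logFormatVersion": 1,
  "jobId": "6d366297-24f5-4cf4-a4ee-5470d3849a64",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "MyTestApp_macos_1_2_0-SNAPSHOT.dmg",
  "uploadDate": "2020-09-18T10:21:14Z",
  "sha256": "a7b77b3d5d1a1ad73ade0ef8dfe75eb165079c7ce0ef741d4dae803738b4262b",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MyTestApp_macos_1_2_0-SNAPSHOT.dmg/MyTestApp Installer.app/Contents/Resources/app/jre.tar.gz/jre.tar/Contents/MacOS/libjli.dylib",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}"""

# Container formats the notarization service unpacks and inspects recursively.
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".tar", ".zip", ".dmg", ".pkg")


def _is_archive(component: str) -> bool:
    return component.lower().endswith(ARCHIVE_SUFFIXES)


def triage(log: str | dict) -> list[dict]:
    """One finding per issue. A binary inside a nested archive cannot be reached
    by `codesign --deep` on the outer bundle, so it must be signed before repacking."""
    data = json.loads(log) if isinstance(log, str) else log
    top = data.get("archiveFilename")
    findings = []
    for issue in data.get("issues") or []:
        parts = list(PurePosixPath(issue["path"]).parts)
        if parts and parts[0] == top:
            parts = parts[1:]  # the uploaded file itself is not a nested archive
        nested = [p for p in parts[:-1] if _is_archive(p)]
        findings.append({
            "severity": issue.get("severity"),
            "binary": parts[-1] if parts else issue["path"],
            "message": issue.get("message"),
            "nested_archives": nested,
            "needs_unpack": bool(nested),
            # What to sign: the unpacked contents of the innermost archive,
            # or the top-level bundle when no archive is involved.
            "sign_root": nested[-1] if nested else (parts[0] if parts else top),
        })
    return findings


def resign_commands(runtime_dir: str, identity: str) -> list[list[str]]:
    """The xattr/codesign steps from the comment above, plus a strict verify pass.
    `identity` is the Developer ID Application certificate name (placeholder)."""
    return [
        ["xattr", "-cr", runtime_dir],
        ["codesign", "--verbose=4", "--deep", "--force", "-s", identity, runtime_dir],
        ["codesign", "--verify", "--deep", "--strict", "--verbose=2", runtime_dir],
    ]


def run_resign(runtime_dir: str, identity: str) -> bool:
    """Run the steps on macOS; returns False without running when codesign is absent."""
    if shutil.which("codesign") is None:
        return False
    for argv in resign_commands(runtime_dir, identity):
        subprocess.run(argv, check=True)  # stop at the first failing step
    return True


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']}: {f['binary']} -> {f['message']}")
        if f["needs_unpack"]:
            print("  nested in:", " / ".join(f["nested_archives"]))
            print(f"  unpack {f['sign_root']}, sign its contents, then repack")
    # Placeholder runtime directory and identity; substitute your own.
    for argv in resign_commands("jdk8u265-b01-jre", "Developer ID Application: <application ID>"):
        print("  $", " ".join(argv))
```

The verify step (`codesign --verify --deep --strict`) is worth running before upload: it catches the invalid nested signature locally instead of after a round trip to the notarization service. Whether a hardened runtime or entitlements are additionally required for a given JRE is not covered here.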

AndreasEhret commented 4 years ago

OK, I thought signing together with my software would be enough. I will go for it then and give feedback.

AndreasEhret commented 4 years ago

I could solve the problem. I found an option in install4j that allows me to configure AdoptOpenJDK as my preferred JDK provider and select my required release, and then select install4j's "generate the JRE bundle" option (instead of providing and referencing the downloaded .tar.gz package). With this configuration install4j is doing the above described steps for me on the build system (where the certificates are around), and notarization finally works.