adoptium / adoptium-support

For end-user problems reported with our binary distributions
Apache License 2.0

macOS Notarization issues with jdk 20 (temurin) and jpackage #829

Open Siedlerchr opened 1 year ago

Siedlerchr commented 1 year ago

Please provide a brief summary of the bug

I am building an application with jpackage and notarization fails. The last time I got it working was on JDK 17. JDK 19 fails as well, and JDK 20 too: I don't know whether this is a JDK bug in jpackage or whether something at Temurin is not signed correctly at all.

Signing works etc., codesign reports all fine, but on submitting for notarization I get errors (I also tested with a simple zip file of the app).

Please provide steps to reproduce where possible

I have set up a sample application for reproducing the case: https://github.com/Siedlerchr/testnotarization

  1. Add the signing key username in build.gradle
  2. Run ./gradlew jpackage --info
  3. xcrun notarytool store-credentials "notarytool-profile" --apple-id "xxxx@xxxx.xx" --team-id "12345667" --password "xxxxx"
  4. Run xcrun notarytool submit build/distribution/JabRef-1.0.0.dmg --keychain-profile "notarytool-profile" --wait
  5. App is rejected, check xcrun notarytool log --keychain-profile "notarytool-profile"

Expected Results

Notarization is successful

Actual Results

Notarization fails

What Java Version are you using?

openjdk version "20.0.1" 2023-04-18 OpenJDK Runtime Environment Temurin-20.0.1+9 (build 20.0.1+9) OpenJDK 64-Bit Server VM Temurin-20.0.1+9 (build 20.0.1+9, mixed mode)

What is your operating system and platform?

macOS Ventura 13.4 (22F66) on arm64

How did you install Java?

sdkman

Did it work before?

jdk 17

Did you test with the latest update version?

No response

Did you test with other Java versions?

yes, tested with temurin 19 as well

Relevant log output

{
  "logFormatVersion": 1,
  "jobId": "245c7a47-f605-4943-a1da-11f7320a35a3",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "JabRef.zip",
  "uploadDate": "2023-06-24T16:28:21.836Z",
  "sha256": "7d9d8d185cff905f4c2edfbacf8ec2edd6124e591989c2b35ce3bfdb1f791d0d",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "JabRef.zip/JabRef.app/Contents/MacOS/JabRef",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "JabRef.zip/JabRef.app/Contents/MacOS/JabRef",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "JabRef.zip/JabRef.app/Contents/MacOS/JabRef",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "JabRef.zip/JabRef.app/Contents/runtime/Contents/Home/bin/jarsigner",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "JabRef.zip/JabRef.app/Contents/runtime/Contents/Home/bin/jarsigner",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "JabRef.zip/JabRef.app/Contents/runtime/Contents/Home/bin/jarsigner",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "JabRef.zip/JabRef.app/Contents/runtime/Contents/Home/bin/jfr",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
}
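
Reading the notarytool log by hand gets tedious once the bundled runtime contributes dozens of entries like the jarsigner and jfr ones above. The following is an added example, not code from this issue, from Adoptium or from JabRef: it parses a log in the JSON shape shown above, groups the issues per path, flags which failing binaries live under Contents/runtime (the part of the bundle that a separately jlinked image leaves unsigned) and maps each Apple message to the signing option that addresses it. The embedded log is a constructed excerpt with a placeholder jobId, and the remedy text is my own summary of how codesign options relate to those messages, not Apple's wording.

```python
import json
import sys
from collections import defaultdict

# Constructed excerpt in the shape of `xcrun notarytool log` output, with a
# placeholder jobId and a subset of the issue paths seen in the issue above.
SAMPLE_LOG = json.dumps({
    "logFormatVersion": 1,
    "jobId": "00000000-0000-0000-0000-000000000000",
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "statusCode": 4000,
    "archiveFilename": "JabRef.zip",
    "issues": [
        {"severity": "error", "code": None, "architecture": "arm64",
         "path": "JabRef.zip/JabRef.app/Contents/MacOS/JabRef",
         "message": "The binary is not signed with a valid Developer ID certificate."},
        {"severity": "error", "code": None, "architecture": "arm64",
         "path": "JabRef.zip/JabRef.app/Contents/MacOS/JabRef",
         "message": "The signature does not include a secure timestamp."},
        {"severity": "error", "code": None, "architecture": "arm64",
         "path": "JabRef.zip/JabRef.app/Contents/MacOS/JabRef",
         "message": "The executable does not have the hardened runtime enabled."},
        {"severity": "error", "code": None, "architecture": "arm64",
         "path": "JabRef.zip/JabRef.app/Contents/runtime/Contents/Home/bin/jarsigner",
         "message": "The binary is not signed with a valid Developer ID certificate."},
        {"severity": "warning", "code": None, "architecture": "arm64",
         "path": "JabRef.zip/JabRef.app/Contents/runtime/Contents/Home/lib/libjli.dylib",
         "message": "The signature does not include a secure timestamp."},
    ],
})

# Apple's message -> the signing setting that addresses it (my summary, assumed
# mapping: jpackage applies --timestamp and --options runtime when it signs).
REMEDY = {
    "The binary is not signed with a valid Developer ID certificate.":
        "sign with a 'Developer ID Application' identity (jpackage --mac-sign / --mac-signing-key-user-name)",
    "The signature does not include a secure timestamp.":
        "sign with codesign --timestamp (jpackage does this itself when it signs the bundle)",
    "The executable does not have the hardened runtime enabled.":
        "sign with codesign --options runtime (jpackage does this itself when it signs the bundle)",
}


def summarize(log_text):
    """Group issues per path: {path: {"errors": [...], "warnings": [...], "in_runtime": bool}}."""
    log = json.loads(log_text)
    summary = defaultdict(lambda: {"errors": [], "warnings": [], "in_runtime": False})
    for issue in log.get("issues") or []:
        entry = summary[issue["path"]]
        bucket = "errors" if issue["severity"] == "error" else "warnings"
        entry[bucket].append(issue["message"])
        entry["in_runtime"] = "/Contents/runtime/" in issue["path"]
    return dict(summary)


def unsigned_runtime_paths(summary):
    """Paths inside the bundled runtime that carry at least one error: exactly the
    binaries a pre-built jlink image leaves without a Developer ID signature."""
    return sorted(p for p, e in summary.items() if e["in_runtime"] and e["errors"])


def report(log_text):
    """Human-readable report with one block per path and a remedy per error."""
    lines = []
    for path, entry in sorted(summarize(log_text).items()):
        lines.append(f"{path} (bundled runtime: {entry['in_runtime']})")
        for msg in entry["errors"]:
            lines.append(f"  error:   {msg}")
            lines.append(f"           fix: {REMEDY.get(msg, 'see the docUrl in the log entry')}")
        for msg in entry["warnings"]:
            lines.append(f"  warning: {msg}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: xcrun notarytool log <id> --keychain-profile <p> log.json && python3 notary_report.py log.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Save the notarytool log to a file and pass it as the first argument; without an argument the script runs over the constructed sample. If `unsigned_runtime_paths` comes back non-empty, the runtime image was not signed by jpackage, which is the symptom this issue turned out to be about.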
karianna commented 1 year ago

CC @gdams as our resident signing expert

Siedlerchr commented 1 year ago

Sorry for the delay. I found the core issue. I used jlink in a separate step beforehand to generate the runtime app image, and used that as input for jpackage. It turns out that jpackage then does not do any signing, and neither does jlink.

Instead I needed to call jpackage to create the image with all the jlink options. Then codesign is run and notarization works.

That was not really understandable from the docs. @koppor, can you post the command we now use?

koppor commented 1 year ago

Our jpackage call:

    /jpackage \
      --module org.jabref/org.jabref.cli.Launcher \
      --module-path ${{env.JDK21}}/Contents/Home/jmods/:build/jlinkbase/jlinkjars \
      --add-modules org.jabref,org.jabref.merged.module \
      --dest build/distribution \
      --name JabRef \
      --app-version ${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }} \
      --verbose \
      --mac-sign \
      --vendor JabRef \
      --mac-package-identifier Jabref \
      --mac-package-name JabRef \
      --type dmg --mac-signing-key-user-name "JabRef e.V. (6792V39SK3)" \
      --mac-package-signing-prefix org.jabref \
      --mac-entitlements buildres/mac/jabref.entitlements \
      --icon src/main/resources/icons/jabref.icns \
      --resource-dir buildres/mac \
      --file-associations buildres/mac/bibtexAssociations.properties \
      --jlink-options --bind-services

Source: https://github.com/JabRef/jabref/blob/fix-notary-tool/.github/workflows/deployment-arm64.yml - Note that in the concrete setting, we use a self-compiled JDK (which integrates https://github.com/openjdk/jdk/pull/14408). However, @Siedlerchr used Temurin on his local machine.
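
A local pre-flight check before `xcrun notarytool submit` would have surfaced this directly, because the log complains about exactly three properties per binary: no Developer ID Application authority, no hardened runtime flag and no secure timestamp, and with a pre-built jlink image those are missing for every Mach-O under Contents/runtime. The following is an added example written for this thread, not JabRef's, Temurin's or jpackage's own code: it walks the .app, recognises Mach-O files by their magic bytes (skipping .class files, whose 0xCAFEBABE magic collides with the fat Mach-O magic), runs `codesign -dvv` on each one and parses the result. The parsed line formats (`Authority=`, `flags=0x...(runtime)`, `Timestamp=`, "code object is not signed at all") are what codesign prints on current macOS to the best of my knowledge and are an assumption of this example; the two embedded codesign excerpts are constructed, not captured from the issue's bundle.

```python
import os
import re
import subprocess
import sys

# Mach-O magic numbers: thin 32/64-bit in either byte order, plus fat/universal.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}

# Constructed `codesign -dvv` excerpts (not from the issue): a correctly signed
# launcher, and a runtime binary carrying only the ad-hoc signature a jlink
# image gets on arm64. Team ID is a placeholder.
GOOD = """Executable=/tmp/JabRef.app/Contents/MacOS/JabRef
Identifier=org.jabref
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8968
Authority=Developer ID Application: Example Org (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 24, 2023 at 18:28:21
"""
BAD = """Executable=/tmp/JabRef.app/Contents/runtime/Contents/Home/bin/jarsigner
Identifier=jarsigner
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=400 flags=0x2(adhoc) hashes=5+2 location=embedded
Signature=adhoc
"""


def is_macho(head):
    """True if the first four bytes of a file are a Mach-O or fat magic."""
    return head[:4] in MACHO_MAGICS


def macho_files(bundle):
    """Yield every Mach-O file under the bundle: launcher, dylibs, runtime bin/ tools."""
    for root, _dirs, files in os.walk(bundle):
        for name in files:
            path = os.path.join(root, name)
            # Java class files also start with CAFEBABE; they are never signed.
            if os.path.islink(path) or name.endswith(".class"):
                continue
            try:
                with open(path, "rb") as f:
                    head = f.read(4)
            except OSError:
                continue
            if is_macho(head):
                yield path


def assess(codesign_output):
    """Map `codesign -dvv` output to the notarization blockers it implies."""
    if "not signed at all" in codesign_output:
        return ["not signed at all"]
    problems = []
    if not re.search(r"^Authority=Developer ID Application:", codesign_output, re.M):
        problems.append("not signed with a Developer ID Application certificate")
    flags = re.search(r"^CodeDirectory .*flags=0x[0-9a-f]+\(([^)]*)\)", codesign_output, re.M)
    if not flags or "runtime" not in flags.group(1).split(","):
        problems.append("hardened runtime not enabled")
    if not re.search(r"^Timestamp=", codesign_output, re.M):
        problems.append("no secure timestamp")
    return problems


def check_bundle(bundle):
    """Run codesign over every Mach-O in the bundle (macOS only); {path: problems}."""
    findings = {}
    for path in macho_files(bundle):
        # codesign reports "not signed at all" on stderr, so merge both streams.
        proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
        problems = assess(proc.stdout + proc.stderr)
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    # Usage: python3 preflight.py build/distribution/JabRef.app  (exit 1 if anything would be rejected)
    bad = check_bundle(sys.argv[1])
    for path, problems in sorted(bad.items()):
        print(f"{path}: {', '.join(problems)}")
    sys.exit(1 if bad else 0)
```

Run it against the .app that jpackage produced (for a dmg, mount it first) before submitting; a non-zero exit with paths under Contents/runtime means the runtime image was not signed by jpackage, the situation described in this thread. Apple's notarization service checks more than these three properties, so a clean run here is a necessary, not a sufficient, condition.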

karianna commented 1 year ago

@Siedlerchr Which docs were you following?

Siedlerchr commented 1 year ago

I was following https://docs.oracle.com/en/java/javase/20/jpackage/support-application-features.html#GUID-8D9F0607-91F4-4070-8823-02FCAB12238D

github-actions[bot] commented 1 year ago

We are marking this issue as stale because it has not been updated for a while. This is just a way to keep the support issues queue manageable. It will be closed soon unless the stale label is removed by a committer, or a new comment is made.

karianna commented 1 year ago

@Siedlerchr & @koppor - I think this is a case of sending Oracle a note to improve their docs. I'll see if I can raise an issue with them.