Open ylexus opened 3 years ago
Sounds eminently sensible but we'll probably need to figure out some bureaucracy first as I think we'll need to sign it with a Google owned key rather than any personally owned one.
Is there any movement on this? One of my transitive dependencies uses conscrypt (itself a transitive dependency) and I have to unpack multiple layers of jars to resign the dylibs in this artefact. To say it is a massive PITA is putting it mildly.
MacOS is not a server platform. This means majority of apps using conscrypt will be desktop apps. You can’t distribute a desktop app without it being signed. This means that releasing an unsigned conscrypt macOS binary makes it unusable in the majority of use cases. This must be a high-priority fix.
My project https://github.com/ylexus/jiotty-photos-uploader uses https://github.com/google/java-photoslibrary which transitively depends on conscrypt jars. When I use openjdk jpackage utility to create a distributable package (.dmg in case of macOS), it fails to get notarized by Apple with these errors:
It makes jpackage tool's sign functionality unusable as is. I have to apply complex workarounds during build time like unpacking conscrypt jar, signing binaries, re-packing, and re-packaging.
it would be very convenient if conscrypt jars contained native libraries that were properly signed by Apple in the first place.