search

google / conscrypt

Conscrypt is a Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
Apache License 2.0
1.28k stars 274 forks source link

Sign native macOS binaries so that they can be embedded in macOS desktop apps #1026

Open ylexus opened 3 years ago

ylexus commented 3 years ago

My project https://github.com/ylexus/jiotty-photos-uploader uses https://github.com/google/java-photoslibrary which transitively depends on conscrypt jars. When I use openjdk jpackage utility to create a distributable package (.dmg in case of macOS), it fails to get notarized by Apple with these errors:

    {
      "severity": "error",
      "code": null,
      "path": "Jiotty_Photos_Uploader-2.0.3.dmg/Jiotty Photos Uploader.app/Contents/app/conscrypt-openjdk-uber-2.5.1.jar/META-INF/native/libconscrypt_openjdk_jni-osx-x86_64.dylib",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Jiotty_Photos_Uploader-2.0.3.dmg/Jiotty Photos Uploader.app/Contents/app/conscrypt-openjdk-uber-2.5.1.jar/META-INF/native/libconscrypt_openjdk_jni-osx-x86_64.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },

It makes jpackage tool's sign functionality unusable as is. I have to apply complex workarounds during build time like unpacking conscrypt jar, signing binaries, re-packing, and re-packaging.

it would be very convenient if conscrypt jars contained native libraries that were properly signed by Apple in the first place.

prbprbprb commented 3 years ago

Sounds eminently sensible but we'll probably need to figure out some bureaucracy first as I think we'll need to sign it with a Google owned key rather than any personally owned one.

dwhitla commented 2 years ago

Is there any movement on this? One of my transitive dependencies uses conscrypt (itself a transitive dependency) and I have to unpack multiple layers of jars to resign the dylibs in this artefact. To say it is a massive PITA is putting it mildly.

ylexus commented 2 years ago

MacOS is not a server platform. This means majority of apps using conscrypt will be desktop apps. You can’t distribute a desktop app without it being signed. This means that releasing an unsigned conscrypt macOS binary makes it unusable in the majority of use cases. This must be a high-priority fix.