jline / jline3

JLine is a Java library for handling console input.

libjlinenative.jnilib not signed #1033

Open davidcockbill opened 1 month ago

davidcockbill commented 1 month ago

I am trying to notarize a dmg and it is failing due to libjlinenative.jnilib not being signed.

For my application, jline is brought in as a transitive dependency by scala-compiler.

Running mvn org.apache.maven.plugins:maven-dependency-plugin:3.4.0:tree:

Notarize works:

[INFO] +- org.scala-lang:scala-compiler:jar:2.13.13:compile
[INFO] |  +- org.scala-lang:scala-library:jar:2.13.13:compile
[INFO] |  +- org.scala-lang:scala-reflect:jar:2.13.13:compile
[INFO] |  \- org.jline:jline:jar:3.24.1:compile

Notarize broken:

[INFO] +- org.scala-lang:scala-compiler:jar:2.13.14:compile
[INFO] |  +- org.scala-lang:scala-library:jar:2.13.14:compile
[INFO] |  +- org.scala-lang:scala-reflect:jar:2.13.14:compile
[INFO] |  \- org.jline:jline:jar:3.25.1:compile 

The error in question is as follows (sensitive details changed to protect the guilty):

xcrun notarytool log 07fa4c77-ca9e-4132-943e-b89b1c987c01 --apple-id <apple id> --team-id <team> --password <pwd>
{
  "logFormatVersion": 1,
  "jobId": "07fa4c77-ca9e-4132-943e-b89b1c987c01",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "Product.dmg",
  "uploadDate": "2024-07-11T05:34:21.588Z",
  "sha256": "9b159e1bd55fa61d5450f6861458a15113e103f61ef8370c8aa60888028cac49",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Product.dmg/Product.app/Contents/Java/lib/jline-3.25.1.jar/org/jline/nativ/Mac/x86/libjlinenative.jnilib",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "i386"
    },

<SNIP>

Essentially, libjlinenative.jnilib is not signed. This occurs both on Intel and Arm.

If I override the transitive jline version to pull in the latest version (3.26.2) it still fails. If I pull in the latest scala-compiler and override jline with version 3.24.1 the notarize is a success.
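A pre-flight check for the failure reported above, as an added example (not code from this thread or from the JLine project): it lists the entries of a jar that are Mach-O binaries with no `LC_CODE_SIGNATURE` load command, so they can be found before the dmg is submitted. The function names are hypothetical, and only thin little-endian and 32-bit-offset universal binaries are handled.

```python
import struct
import zipfile

LC_CODE_SIGNATURE = 0x1D
THIN = {b"\xce\xfa\xed\xfe": 28, b"\xcf\xfa\xed\xfe": 32}  # LE magic -> header size
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; also the Java .class magic


def has_code_signature(data, base=0):
    """True/False for a thin little-endian Mach-O at data[base:], None otherwise."""
    header_size = THIN.get(data[base:base + 4])
    if header_size is None or len(data) < base + header_size:
        return None
    ncmds = struct.unpack_from("<I", data, base + 16)[0]
    offset = base + header_size
    for _ in range(ncmds):
        if offset + 8 > len(data):
            break
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmd == LC_CODE_SIGNATURE:
            return True  # a signature blob is present; validity is codesign's job
        if cmdsize < 8:
            break  # malformed load command, stop walking
        offset += cmdsize
    return False


def slice_offsets(data):
    """Offsets of the Mach-O images in data: [0] for thin, one per arch for fat."""
    if data[:4] in THIN:
        return [0]
    if data[:4] != FAT_MAGIC or len(data) < 8:
        return []
    nfat = struct.unpack_from(">I", data, 4)[0]
    if nfat >= 20 or len(data) < 8 + 20 * nfat:
        return []  # a .class file holds its version (>= 45) in this field
    return [struct.unpack_from(">I", data, 16 + 20 * i)[0] for i in range(nfat)]


def unsigned_natives(jar):
    """Names of jar entries holding a Mach-O image with no embedded signature."""
    with zipfile.ZipFile(jar) as zf:
        blobs = ((name, zf.read(name)) for name in zf.namelist())
        return sorted(name for name, data in blobs
                      if any(has_code_signature(data, off) is False
                             for off in slice_offsets(data)))
```

`unsigned_natives` accepts a jar path or a file object. An entry that passes this check can still be rejected by notarization, because the presence of the load command says nothing about who signed the binary or whether the signature is valid.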

gnodet commented 1 month ago

We've never signed anything on our side, maybe the Scala guys did sign JLine on their side somehow?

davidcockbill commented 1 month ago

Hi gnodet,

Thanks for your reply. You are probably correct about Scala signing JLine. For now I have a workaround; but I guess the intent of the original bug still stands. If this artefact is to be built into a Mac application it should really be signed.

Thanks, Dave.

SethTisue commented 1 month ago

> You are probably correct about Scala signing JLine

I don't think so, we don't do anything special with JLine, it's just an ordinary dependency. (I am the Scala 2 release manager.)

davidcockbill commented 4 weeks ago

Seth, thanks for your valued knowledge!