Increase macOS build to at least 10.9 SDK

[tobihagemann]

When trying to notarize our app via Apple's notarization service, we get the following warning for libjffi-1.2.jnilib:

The binary uses an SDK older than the 10.9 SDK.

See official documentation on this warning: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues#3087723

That means it's not an issue to keep the deployment target at 10.6 but it would be great if the linked SDK could be increased from 10.7 to 10.9. Would that be possible?

Actually, it wouldn't just be great, it will be necessary soon. If I'm not mistaken, beginning with January 2020, see: https://developer.apple.com/news/?id=09032019a

And also:

Notarisation requires the hardened runtime, the hardened runtime requires library validation, and library validation requires that you link with (at least) the 10.9 SDK.

(https://forums.developer.apple.com/thread/115679#357047)

[albertvaka]

Every binary should be notarized in MacOS Catalina, so jffi's libjffi-1.2.jnilib should both be signed and use a newer SDK. Otherwise apps depending on it can't be notarized.

[albertvaka]

@headius any chance the libjffi-1.2.jnilib can be rebuilt against a newer MacOS SDK?

[MSNexploder]

Happy to help with this one. Just as a heads up, rebuilding with the latest MacOS (10.15) would mean losing i386 and ppc arch support.

We should be able to keep i386 alive by using MacOS 10.14 for the rebuild. (But I'm unable to check that atm)

[kares]

@MSNexploder you might try to build a binary and report what notarization thought about it ...

[albertvaka]

@kares This is literally it:

The binary uses an SDK older than the 10.9 SDK.

[kares]

@albertvaka so if you re-generate using >= 10.9 no other warnings pop up? (sorry can not test as I do not have a Mac around)

[overheadhunter]

I think it is even reasonable to target El Capitan for new releases. According to this stats website the global market share of all versions >= 10.11 is 94% of all Macs.

I doubt that any new releases of desktop software is targeting older macOS versions, while mere maintenance releases can still use old versions of jffi.

Just as a hint for the repo owners if you like to create some margin to the approaching front of deprecated tools and APIs.

[kares]

not 100% sure about that ... let's try doing the minimal upgrade necessary (if doable).

I doubt that any new releases of desktop software is targeting older macOS versions

you'll also get the warning (on newer versions) if you just try running jruby -e 1 right? at least that is my understanding of the issue (wout being able to try it out myself).

if someone is on 10.9 upgrading a patch release JRuby 9.2.9 (-> 9.2.10) ideally should not break.

[headius]

Can someone rebuild the binary on MacOS 10.9? I'm not sure how to even do that since I'm on 10.14.

[headius]

Oh nevermind, I see now @MSNexploder started a PR. I'll comment there.