We switch to using jpackage to sign the AppImage rather than signing the files manually. We also switch from altool, which is now deprecated for notarization, to notarytool.
What are the changes implemented in this PR?
JVM17 jpackage, unlike before, always attempts to sign Home/runtime when assembling an AppImage. In the absence of credentials, it uses ad-hoc signing, in the process stripping the Oracle signatures from the JVM runtime files, which causes the notary to reject the submitted app. This behaviour does not appear to be configurable outside of being able to provide credentials to the signing process, which we now do instead of running codesign ourselves.
The altool deprecation appears to have been a red herring, but upgrading to notarytool was past due regardless.
What is the goal of this PR?
We switch to using
jpackage
to sign the AppImage rather than signing the files manually. We also switch fromaltool
, which is now deprecated for notarization, tonotarytool
.What are the changes implemented in this PR?
JVM17
jpackage
, unlike before, always attempts to signHome/runtime
when assembling an AppImage. In the absence of credentials, it uses ad-hoc signing, in the process stripping the Oracle signatures from the JVM runtime files, which causes the notary to reject the submitted app. This behaviour does not appear to be configurable outside of being able to provide credentials to the signing process, which we now do instead of runningcodesign
ourselves.The
altool
deprecation appears to have been a red herring, but upgrading tonotarytool
was past due regardless.