I've successfully shipped Java apps on the MAS using an embedded JRE, but with the stricter signing requirements now in place, I'm having a problem. My script now signs all the binaries, including the JRE's jspawnhelper executable, which my app relies on to spawn new processes via Runtime.exec.
The sandboxed app launches correctly, but when it tries launching a new process, I get a dialog saying "OS X needs to repair your Library to run applications". It then fails to spawn the process, and the console says "Sandbox creation failed: Container object initialization failed: failed to get bundleid for app "<snip>/Contents/PlugIns/jdk1.7.0_60.jdk/Contents/Home/jre/lib/jspawnhelper"". I can't figure out why it is failing to get the bundleid for jspawnhelper. It is definitely being signed with codesign, and I've tried explicitly setting an --identifier to no avail. I would appreciate advice on how to resolve this.