MAS codesign requirements break Java app signing
It looks like Apple has changed its codesigning requirements for the Mac App Store. Thus far, I've been packaging my Java app using Oracle's appbundler tool and signing it with the following script: http://pastebin.com/BtLV9bur This worked fine even as recently as last month. This time, I get an email from them with the following: Invalid code signature - Signatures created with OS X version 10.8.5 or earlier [v1 signatures] are obsoleted and will no longer be recognized by Gatekeeper beginning with OS X version 10.9.5. To ensure your apps will run on updated versions of OS X they must be signed on OS X version 10.9 or later [v2 signatures]. For more information, see OS X Code Signing In Depth I think this error is incorrect, because I'm using 10.9.5 with the latest Xcode (6.1). I tried codesign -dv MyApp.app and it says Sealed Resources version=2 rules=12 files=7, so I think I am using v2 signatures. My JDK version has not changed since last month (8u25), so I can rule that out. I would appreciate any help. Thank you. Zach
Re: MAS codesign requirements break Java app signing
In the bash script I linked, everything but jspawnhelper gets the full (user-supplied) entitlements. Do you think that is the problem? On Sun, Nov 9, 2014 at 7:13 PM, Danno Ferrin danno.fer...@oracle.com wrote: What are your entitlements? For javapackager we sign only the master package with real user supplied entitlements, every other jar, dylib, and executable gets an entitlement with an entitlements that is just sandbox and inherit. We also don't put entitlements on the JRE package when it is signed under plugins. On Nov 9, 2014, at 2:26 PM, Zach Oakes zsoa...@gmail.com wrote: It looks like Apple has changed its codesigning requirements for the Mac App Store. Thus far, I've been packaging my Java app using Oracle's appbundler tool and signing it with the following script: http://pastebin.com/BtLV9bur This worked fine even as recently as last month. This time, I get an email from them with the following: Invalid code signature - Signatures created with OS X version 10.8.5 or earlier [v1 signatures] are obsoleted and will no longer be recognized by Gatekeeper beginning with OS X version 10.9.5. To ensure your apps will run on updated versions of OS X they must be signed on OS X version 10.9 or later [v2 signatures]. For more information, see OS X Code Signing In Depth I think this error is incorrect, because I'm using 10.9.5 with the latest Xcode (6.1). I tried codesign -dv MyApp.app and it says Sealed Resources version=2 rules=12 files=7, so I think I am using v2 signatures. My JDK version has not changed since last month (8u25), so I can rule that out. I would appreciate any help. Thank you. Zach
Re: MAS codesign requirements break Java app signing
Not sure, but that is what is different from what I have that works. Everything else seemed to match up, including the forced overriding of the signatures. On Nov 9, 2014, at 5:23 PM, Zach Oakes zsoa...@gmail.com wrote: In the bash script I linked, everything but jspawnhelper gets the full (user-supplied) entitlements. Do you think that is the problem? On Sun, Nov 9, 2014 at 7:13 PM, Danno Ferrin danno.fer...@oracle.com wrote: What are your entitlements? For javapackager we sign only the master package with real user supplied entitlements, every other jar, dylib, and executable gets an entitlement with an entitlements that is just sandbox and inherit. We also don't put entitlements on the JRE package when it is signed under plugins. On Nov 9, 2014, at 2:26 PM, Zach Oakes zsoa...@gmail.com wrote: It looks like Apple has changed its codesigning requirements for the Mac App Store. Thus far, I've been packaging my Java app using Oracle's appbundler tool and signing it with the following script: http://pastebin.com/BtLV9bur This worked fine even as recently as last month. This time, I get an email from them with the following: Invalid code signature - Signatures created with OS X version 10.8.5 or earlier [v1 signatures] are obsoleted and will no longer be recognized by Gatekeeper beginning with OS X version 10.9.5. To ensure your apps will run on updated versions of OS X they must be signed on OS X version 10.9 or later [v2 signatures]. For more information, see OS X Code Signing In Depth I think this error is incorrect, because I'm using 10.9.5 with the latest Xcode (6.1). I tried codesign -dv MyApp.app and it says Sealed Resources version=2 rules=12 files=7, so I think I am using v2 signatures. My JDK version has not changed since last month (8u25), so I can rule that out. I would appreciate any help. Thank you. Zach
Re: MAS codesign requirements break Java app signing
On Nov 9, 2014, at 6:10 PM, Zach Oakes zsoa...@gmail.com wrote: Can you elaborate on what you are trying to say? As I mentioned, I already ran codesign -dv MyApp.app, and it does indeed show version=2. Yet, I still get the error from Apple after uploading. Sorry, I had read your poset a little while back and missed the significance of that until after I focused on the so I think I am using v2 signatures. “ and did some checking myself to see how you would display that. Not sure, otherwise, the Mavericks section also has… • It records substantially all files by default. There are no default holes (omit rules). • It records nested code (frameworks, dylibs, helper tools and apps, plug-ins, etc.) by recording their code signature for verification. • It records symbolic links. Version 1 resource envelopes ignore symlinks. There was some mention awhile ago I think that a jli(?) lib used a symbolic link or something like that? That might of been mentioned on the old Apple java-dev list. Would cause a problem now. You could ‘ls’ all the files in your embedded jre checking for any sum version=2 rules=12 files=7 Since it is now “all files” you could verify the file count in your bundle is actually 7? Michael Hall trz nio.2 for OS X http://www195.pair.com/mik3hall/index.html#trz HalfPipe Java 6/7 shell app http://www195.pair.com/mik3hall/index.html#halfpipe AppConverter convert Apple jvm to openjdk apps http://www195.pair.com/mik3hall/index.html#appconverter