JDK-8237490 : [macos] Add support notarizing jpackage app-image and dmg
  • Type: Enhancement
  • Component: tools
  • Sub-Component: jpackage
  • Affected Version: 14,15
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: os_x_10.15
  • Submitted: 2020-01-18
  • Updated: 2020-09-09
  • Resolved: 2020-04-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 15
15 b18Fixed
Related Reports
Duplicate :  
Duplicate :  
Duplicate :  
Duplicate :  
Relates :  
Relates :  
Relates :  
Relates :  
Sub Tasks
JDK-8242390 :  
Add support for ability to notarize jpackage packages. Currently, jpackage produced bundles (app-image and pkg) will be rejected for notarization due to missing hardening options and timestamp. We need to investigate and modified our signing implementation, so users can easy notarized bundles produced by jpackage without need to re-sign them.
URL: https://hg.openjdk.java.net/jdk/jdk/rev/6aa5b72029bb User: herrick Date: 2020-04-08 14:49:14 +0000

the latest version only signs 1.) Individual libraries (.dylib) or executables found in the application that are not already signed. 2.) The whole runtime XXX.app/Contents/runtime 3.) The entire app XXX.app the app itself, and all the executables and libraries in the runtime are already individually signed by the java build. The only place an entitlements file is used is if there is an unsigned executable in the application. In this case we use a default entitlements file, the user can override this either using the resources override mechanism or by signing the executable(s) as they are built. webrev: http://cr.openjdk.java.net/~herrick/8237490/webrev.07

webrev at:http://cr.openjdk.java.net/~herrick/8237490/

There are several issues here to be resolved that may require separate CR's. Proper signing for notarization requires 2 entitlement files (one for jars and librarys, and a different one for executables). We can rename and re-purpose the resources MacAppStore.entitlements and MacAppStore_Inherit.entitlements (removing the AppStore) but should we add --mac-entitlements and --mac-inherit-entitlements CLI options to simplify overriding ? adding related CR: JDK-8241448 Notarizing an app-image or dmg is one thing (this issue) Signing a pkg for notarization requires a different certificate and is done in different code, so I am adding related CR: JDK-8241451