JDK-8238184 : [macos] jpackage cannot produce an .app that meets Apple's notarization criteria
  • Type: Bug
  • Component: tools
  • Sub-Component: jpackage
  • Affected Version: 14
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: os_x
  • CPU: x86
  • Submitted: 2020-01-20
  • Updated: 2020-04-04
  • Resolved: 2020-03-27
Related Reports
Duplicate :  
Description
ADDITIONAL SYSTEM INFORMATION :
macOS 10.15.2
OpenJDK version 14-ea


A DESCRIPTION OF THE PROBLEM :
jpackage run with --mac-sign cannot produce an .app that meets Apple's notarization criteria. In particular, when it runs the codesign tool, it does not add the --timestamp parameter, which is required as per https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution.

This is a blocker for distributing signed macOS apps, because, quoting the page above:

Important
Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run. Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized. However, you aren't required to notarize software that you distribute through the Mac App Store because the App Store submission process already includes equivalent security checks.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
When jpackage is started in a similar fashion:
/Library/Java/JavaVirtualMachines/jdk-14.jdk/Contents/Home/bin/jpackage --type app-image --input "/Users/alexey/java/github/jiotty-photos-uploader/build/install/Jiotty Photos Uploader/lib" --main-jar "Jiotty Photos Uploader-1.0.0-beta2.jar" --main-class net.yudichev.googlephotosupload.ui.Launcher --dest /Users/alexey/java/github/jiotty-photos-uploader/build/jpackage --name "Jiotty Photos Uploader" --app-version 1.0.0-beta2 --runtime-image /Users/alexey/java/github/jiotty-photos-uploader/build/jre --resource-dir /Users/alexey/java/github/jiotty-photos-uploader/src/main/ui-resources/macOS/out --java-options -Dprism.verbose=true --verbose --mac-sign --mac-signing-key-user-name "<censored>"

it runs the codesign tool like this:

Running [codesign, -s, Developer ID Application: Alexey Yudichev (J4R72JZQ9P), --prefix, net.yudichev.googlephotosupload.ui., -vvvv, /Users/alexey/java/github/jiotty-photos-uploader/build/jpackage/Jiotty Photos Uploader.app/Contents/MacOS/libapplauncher.dylib]


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
jpackage runs "codesign" with the --timestamp option, or at least gives the caller of jpackage the ability to choose whether or not to add this parameter and the value of its argument.
ACTUAL -
jpackage runs "codesign" without the --timestamp option, and does not give the caller of jpackage the ability to choose whether or not to add this parameter and the value of its argument.

CUSTOMER SUBMITTED WORKAROUND :
There is no known workaround.

FREQUENCY : always
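
A pre-submission check for the condition this report describes, as an added example that is not part of the original report or of the JDK: it classifies the output of `codesign -dvv` by whether the signature carries a secure timestamp. It assumes that codesign prints a `Timestamp=` line for a signature made with --timestamp and a `Signed Time=` line for one made without it; the function names, sample text and the `XXXXXXXXXX` team ID are constructed for illustration.

```shell
#!/bin/sh
# Reads `codesign -dvv <file>` output on stdin and prints one of:
#   timestamped    signature carries a secure timestamp (assumed "Timestamp=" line)
#   untimestamped  signed, but only a local "Signed Time=" (or no time at all)
#   unsigned       no signature details found
classify_signature() {
    state=unsigned
    while IFS= read -r line; do
        case $line in
            Timestamp=*)
                state=timestamped ;;
            'Signed Time='*|Authority=*|Signature=*)
                # Evidence of a signature; never downgrade a secure timestamp.
                if [ "$state" != timestamped ]; then state=untimestamped; fi ;;
        esac
    done
    echo "$state"
}

# Runs the classification over every file given and returns non-zero if any
# of them would fail the secure-timestamp requirement. macOS only (needs
# codesign, which writes its details to stderr, hence 2>&1).
check_files() {
    rc=0
    for f in "$@"; do
        state=$(codesign -dvv "$f" 2>&1 | classify_signature)
        if [ "$state" != timestamped ]; then
            echo "$f: $state" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed samples of `codesign -dvv` output (not captured from a real run).
SAMPLE_TIMESTAMPED='Executable=/tmp/Example.app/Contents/MacOS/libapplauncher.dylib
Identifier=com.example.libapplauncher
Authority=Developer ID Application: Example Developer (XXXXXXXXXX)
Timestamp=Jan 20, 2020 at 10:15:00
TeamIdentifier=XXXXXXXXXX'

SAMPLE_UNTIMESTAMPED='Executable=/tmp/Example.app/Contents/MacOS/libapplauncher.dylib
Identifier=com.example.libapplauncher
Authority=Developer ID Application: Example Developer (XXXXXXXXXX)
Signed Time=Jan 20, 2020 at 10:15:00
TeamIdentifier=XXXXXXXXXX'

SAMPLE_UNSIGNED='/tmp/Example.app/Contents/MacOS/tool: code object is not signed at all'
```

On a Mac, `check_files "Example.app/Contents/MacOS/"*` lists every file that jpackage signed without a secure timestamp before the bundle is sent for notarization.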