JDK-8251892 : [macos] DMG is not signed at all although mac sign option is provided
  • Type: Bug
  • Component: tools
  • Sub-Component: jpackage
  • Affected Version: 15
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • OS: os_x
  • CPU: x86_64
  • Submitted: 2020-08-16
  • Updated: 2020-09-01
  • Resolved: 2020-08-27
Description
ADDITIONAL SYSTEM INFORMATION :
Mac OS Catalina 10.15.6
openjdk version "15" 2020-09-15
OpenJDK Runtime Environment (build 15+36-1562)
OpenJDK 64-Bit Server VM (build 15+36-1562, mixed mode, sharing)

A DESCRIPTION OF THE PROBLEM :
The dmg is not signed and therefore cannot be submitted for notarization.
codesign -dvvvv JabRef-100.0.0.dmg  reports:
JabRef-100.0.0.dmg: code object is not signed at all


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Build a modularized app for macOS as both dmg and pkg and test it for signing.

 /Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/bin/jpackage --type pkg --dest /Users/christophs/workspace/jabref/build/distribution --name JabRef --app-version 100.0.0 --app-image /Users/christophs/workspace/jabref/build/distribution/JabRef.app --verbose --type dmg --vendor JabRef --app-version 100.0.0 --file-associations /Users/christophs/workspace/jabref/buildres/mac/bibtexAssociations.properties --resource-dir /Users/christophs/workspace/jabref/buildres/mac --mac-sign --mac-package-signing-prefix org.jabref --mac-signing-key-user-name "<redacted>"

codesign -dvvvv JabRef-100.0.0.dmg

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The dmg is signed correctly and can be notarized.

ACTUAL -
Codesign reports that the dmg is not signed at all.
Notarization returns error message:
     "path": "JabRef-100.0.0.dmg/JabRef.app/Contents/runtime/Contents/MacOS/libjli.dylib",
      "message": "The signature of the binary is invalid.",

FREQUENCY : always



Comments
Additional Information from submitter:
===========================
I now added the signing to the app as well. However, the dmg in the end can't be notarized. The only valid way I found is to manually sign the app image as in the workaround.
Source code: https://github.com/JabRef/jabref

1. build signed app image (works, valid signature)
/Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/bin/jpackage --type app-image --dest /Users/christophs/workspace/jabref/build/distribution --name JabRef --module org.jabref/org.jabref.JabRefLauncher --app-version 100.0.0 --runtime-image /Users/christophs/workspace/jabref/build/image --verbose --icon /Users/christophs/workspace/jabref/src/main/resources/icons/jabref.icns --resource-dir /Users/christophs/workspace/jabref/buildres/mac --mac-sign --mac-package-signing-prefix org.jabref --mac-signing-key-user-name XXXXX

1.1 Check signature
codesign -dvvv build/distribution/JabRef.app

2. Build signed dmg
/Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/bin/jpackage --type dmg --dest /Users/christophs/workspace/jabref/build/distribution --name JabRef --app-version 100.0.0 --app-image /Users/christophs/workspace/jabref/build/distribution/JabRef.app --verbose --vendor JabRef --app-version 100.0.0 --file-associations /Users/christophs/workspace/jabref/buildres/mac/bibtexAssociations.properties --resource-dir /Users/christophs/workspace/jabref/buildres/mac --mac-sign --mac-package-signing-prefix org.jabref --mac-signing-key-user-name XXXX

2.1 codesign -dvvv build/distribution/JabRef.dmg
=> Check signature, DMG is not signed at all. Sign it manually.

3. codesign -s "Developer ID Application: XXXX" --options runtime --entitlements buildres/mac/JabRef.entitlements -vvvv --deep build/distribution/JabRef-100.0.0.dmg

3.1 codesign -dvvv build/distribution/JabRef.dmg
=> Check signature, now signed

4. xcrun altool --verbose --notarize-app ...

I also tried the codesign step in 3 for the dmg without the deep option. Same result.

Notarization fails then: Package invalid
      "severity": "error",
      "code": null,
      "path": "JabRef-100.0.0.dmg/JabRef.app/Contents/MacOS/JabRef",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"

Entitlement file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
</dict>
</plist>
01-09-2020

I tried with an app image which was signed with jpackage and notarization worked fine. So I do not think it is an issue; it looks like the app image was not signed when it was generated. jpackage with --app-image uses the app image as is without any modifications, so you will need to provide an app image which is signed correctly.
27-08-2020

I cannot reproduce this issue when the app image is generated with DMG and signing is enabled. How was JabRef.app generated? Did you enable signing when JabRef.app was generated?
27-08-2020

Additional information received from the submitter:
================================
I found a workaround:

1. Just build the app image (type app-image) unsigned

2. Re-sign the app image
codesign --entitlements buildres/mac/myapp.entitlements --options runtime -vvv -f --sign "Developer ID Application: XXXX" build/distribution/JabRef.app/Contents/runtime/Contents/MacOS/libjli.dylib
codesign --entitlements buildres/mac/myapp.entitlements --options runtime -vvv -f --sign "Developer ID Application: XXXX" build/distribution/JabRef.app/Contents/MacOS/JabRef
codesign --entitlements buildres/mac/myapp.entitlements --options runtime -vvv -f --sign "Developer ID Application: XXXX" build/distribution/JabRef.app

3. Build the dmg
jpackage --type pkg --dest build/distribution --name JabRef --app-version 100 --app-image build/distribution/JabRef.app --verbose --type dmg --vendor JabRef --app-version 100 --file-associations buildres/mac/bibtexAssociations.properties --resource-dir buildres/mac

4. Sign the dmg
codesign -s "Developer ID Application: XXXX" --options runtime --entitlements buildres/mac/myapp.entitlements -vvvv --deep "build/distribution/JabRef-100.dmg"

5. Notarize the app
xcrun altool --verbose --notarize-app ....
and the verification succeeds and the dmg can be stapled
25-08-2020
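
The inside-out re-signing order used in the workaround above can be derived from the notarization failures themselves. The following is an added example, not code from the submitter or from jpackage: it reads the error entries of a notarization log, drops the DMG container from each path, and prints codesign commands for the deepest file first and the enclosing bundle last. The function names are hypothetical, the sample log is constructed from the two failures quoted in this report, and the enclosing `issues` array is an assumption about the log layout.

```python
import json
import shlex
from pathlib import PurePosixPath

# Constructed sample: the two error entries repeat failures quoted in this
# report; the enclosing "issues" array and the warning entry are assumptions.
SAMPLE_LOG = json.dumps({"issues": [
    {"severity": "error", "code": None, "architecture": "x86_64",
     "path": "JabRef-100.0.0.dmg/JabRef.app/Contents/MacOS/JabRef",
     "message": "The signature of the binary is invalid.", "docUrl": None},
    {"severity": "error", "code": None, "architecture": "x86_64",
     "path": "JabRef-100.0.0.dmg/JabRef.app/Contents/runtime/Contents/MacOS/libjli.dylib",
     "message": "The signature of the binary is invalid.", "docUrl": None},
    {"severity": "warning", "code": None, "architecture": None,
     "path": "JabRef-100.0.0.dmg", "message": "constructed warning", "docUrl": None},
]})


def failing_paths(log_text):
    """Return bundle-relative paths of error entries, starting at the .app."""
    found = set()
    for issue in json.loads(log_text).get("issues") or []:
        if issue.get("severity") != "error":
            continue
        parts = PurePosixPath(issue["path"]).parts
        # Drop container components (the .dmg) in front of the bundle.
        start = next((i for i, p in enumerate(parts) if p.endswith(".app")), None)
        if start is not None:
            found.add(PurePosixPath(*parts[start:]))
    return found


def resign_plan(log_text, dist_dir, identity, entitlements):
    """codesign commands: deepest file first, the enclosing bundle last."""
    paths = failing_paths(log_text)
    bundles = {PurePosixPath(p.parts[0]) for p in paths}
    nested = sorted(paths - bundles, key=lambda p: (-len(p.parts), str(p)))
    ordered = nested + sorted(bundles)
    # Only flags that appear in the workaround on this page are used.
    return [shlex.join(["codesign", "--entitlements", entitlements,
                        "--options", "runtime", "-vvv", "-f",
                        "--sign", identity, str(PurePosixPath(dist_dir) / p)])
            for p in ordered]


if __name__ == "__main__":
    for cmd in resign_plan(SAMPLE_LOG, "build/distribution",
                           "Developer ID Application: XXXX",
                           "buildres/mac/myapp.entitlements"):
        print(cmd)
```

The bundle itself is always signed last because signing a nested file afterwards would change content that the bundle's signature covers.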

Same issue is being discussed at https://stackoverflow.com/questions/60953329/code-signing-notarization-using-jpackage-utility-isnt-working-on-macos
18-08-2020

As far as I know, we do not sign the DMG itself. According to the bug report, the issue is with the signed app image inside the DMG, which we do sign.
17-08-2020

The issue is related to https://bugs.openjdk.java.net/browse/JDK-8237607
17-08-2020