对MacOS Catalina的现有Java应用程序进行公证 [英] Notarize existing Java application for MacOS Catalina

问题描述

我分发了适用于MacOS的Java应用程序，该应用程序经过开发人员签名，但未经公证.不确定从哪里开始，因为文档太偏向于使用我不使用的 Xcode 创建应用程序，但我只想要最简单的方法来公证我的应用程序，然后继续.

I distribute a Java application for MacOS, it is developer signed but not notarized. Not really sure where to start with this since the documentation is so biased towards creating apps with Xcode that I do not use, but I just want the simplest way to notarize my app and then move on.

阅读文档时，我已经有一些担忧:

Reading the documentation I have a few concerns already:

• 我当前正在使用Java 8，是否可以对Java 8应用程序进行公证，还是我需要迁移到Java 11?我宁愿不迁移到Java 11，因为这会在其他某些平台上引起问题支持.

• I am currently using Java 8, is it possible to notarize a Java 8 app or do I need to move to Java 11. I would rather not move to Java 11 because it would cause problem on some other platforms I support.

我的dev Mac机器是旧的MacBook Pro，因此无法通过OSX El Capitan 10.11.6进行更新，我是否可以对此机器进行公证?我确实有一台较新的机器，但是没有为开发而设置，而且我担心将开发者ID证书转移到该机器上，因为首先要进行设置是有问题的.

My dev Mac machine is an old MacBook Pro, and as such cannot be updated past OSX El Capitan 10.11.6, can I notarize with this machine or not? I do have a more recent machine but it is not setup for development and I have some concerns about transferring the Developer Id certificates to it because setting this up was problematic in first place.

我使用AppBundler分支 https://github.com/TheInfiniteKind/appbundler/打包我的应用

I use the AppBundler fork https://github.com/TheInfiniteKind/appbundler/ to package my app

这由执行签名等操作的ant脚本构建文件调用，我们最终使用dmgCanvas创建dmg

This is called by an ant script build file that does the signing etc, we eventually create a dmg using dmgCanvas

我在下面发布了ant脚本，希望有人可以从基本步骤入手

I post the ant script below, hoping someone can start me of with the basic steps

#!/bin/bash
#set -x

cd /Users/paul/code/jthink/songkong/src/main/scripts
hiutil -C  -fapplehelpbook/SongKongHelp/SongKongHelp.helpindex applehelpbook/SongKongHelp/
cd /Users/paul/code/jthink/songkong
rm -fr /Applications/SongKong.app
mvn clean
mvn -DskipTests=true install
rm -fr target/songkong-6.6
unzip target/songkong-6.6-distribution.zip -d target
ant
sudo cp -r target/songkong-6.6/applehelpbook/SongKongHelp /Applications/SongKong.app/Contents/Resources
rm /Applications/SongKong.app/Contents/PlugIns/jdk1.8.0_192.jdk/Contents/MacOS/libjli.dylib
cp /Applications/SongKong.app/Contents/PlugIns/jdk1.8.0_192.jdk/Contents/Home/jre/lib/jli/libjli.dylib /Applications/SongKong.app/Contents/PlugIns/jdk1.8.0_192.jdk/Contents/MacOS
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"

/usr/bin/codesign --sign "Developer ID Application: P Taylor" --force --deep --verbose /Applications/SongKong.app
/usr/bin/codesign --verify --deep  --verbose /Applications/SongKong.app

cd /Users/paul/code/jthink/SongKong
/usr/local/bin/dmgcanvas /Users/paul/code/jthink/SongKong/dmgCanvas_songkong.dmgCanvas /Users/paul/songkong-osx.dmg -v SongKong

推荐答案

截至2020年2月3日的更新Apple收紧了公证要求，并重写了答案.

注意:我需要AdoptJdk Java 11.0.7 JRE，较早的版本对我不起作用.

Note:I required the AdoptJdk Java 11.0.7 JRE, earlier versions did not work for me.

这是我的步骤

• 设置新机器(设置src代码ectera)
• 安装XCode，然后转到偏好设置:下载"，然后选择安装命令行工具"
• 使用KeyChain导出开发人员ID证书作为.p12格式并导入到新计算机中
• 购买并安装DmgCanvas 3($ 30USD)
• 续订Apple开发者帐户
• 为我的AppleId帐户设置两步授权(这部分是在网站上完成，部分是通过iCloud应用程序完成的)
• 创建应用专用密码(记下dmgCanvas选项将需要记录)
• 安装AdoptJdk Java 11.0.7进行构建
• 安装AdoptJdk Java 11.0.7 JRE以便在应用程序内部进行捆绑
• 创建 songkong.entitlements 文件
• 配置Appbundler InfiniteKind分支使用的build.xml文件直接引用AdoptOpenJDK JRe构建
• 配置构建脚本以对appbundler创建的分发包进行签名，以确保我们使用所需的新签名选项(例如-runtime，-entitlements，-timestamp)
• 然后，构建脚本使用dmgCanvas创建dmg，这还会对dmg进行签名并将其发送给Apple进行公证

build.xml包括:

build.xml includes:

<runtime dir="/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jre/Contents/Home"/>

buildosx.sh是

buildosx.sh is

#!/bin/bash
#set -x

cd /Users/paul/code/jthink/songkong
sudo rm -fr /Applications/SongKong.app
mvn -f pommacos.xml -DskipTests=true install
rm -fr target/songkong-6.9
unzip target/songkong-6.9-distribution.zip -d target
ant
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
/usr/bin/codesign --timestamp --options runtime \
--entitlements /Users/paul/code/jthink/songkong/songkong.entitlements \
--sign "Developer ID Application: P Taylor" \
--force --deep --verbose /Applications/SongKong.app
/usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
spctl -a -t exec -vv /Applications/SongKong.app
cd /Users/paul/code/jthink/SongKong
/usr/local/bin/dmgcanvas /Users/paul/code/jthink/SongKong/dmgCanvas_songkong.dmgCanvas \
 /Users/paul/songkong-osx.dmg \
 -v SongKong -identity "Developer ID Application: P Taylor" \
 -notarizationAppleID paultaylor@jthink.net \
 -notarizationPassword password \
 -notarizationPrimaryBundleID songkong

SongKong授权文件为:

SongKong entitlements file is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
</dict>
</plist>

注意:我也尝试通过参考AdoptJdk Java 11.0.7 JDK build.xml来进行此操作，并且该构建也没有问题(尽管最终使用的是更大的dmg)

Note:I have also tried this with referring to AdoptJdk Java 11.0.7 JDK build.xml and that also builds without issue (although of course end up witha much larger dmg)

这篇关于对MacOS Catalina的现有Java应用程序进行公证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！