How to sign (dynamic) JNLP files for OSX and Gatekeeper

Problem description

My company produces Java Applications for Servers and delivers JNLP files to start local Applications. Since OSX 10.8.4 it is required to sign JNLP files with a Developer ID to keep Gatekeeper happy (it's actually in the release notes at the very bottom).

The question is: how to accomplish this? AFAIK you can sign Apps (we have some Java Apps signed with Developer IDs) - but JNLP files are just that: files.

Next: how to do this with generated JNLP files. We have to modify them as they come from a server - e.g. properties, base URL and so forth.

AFAIK Java has a certain mechanism to say JNLP files are signed via their respective JAR file (the one that holds the main class) - but: Jar files are signed with a different certificate; they will not satisfy Gatekeeper as well.

I did find one reference on how to sign tools and stuff, but it does not apply to the scenario of dynamic files.

What I do not want as answers: Right-Click and Open to override the Gatekeeper or change the System- or Java settings. This is not an option.

[UPDATE] Since OSX 10.9.5 you also have to sign using OSX 10.9+ and have valid version 2 signatures. How will this be done?

Recommended answer

I think I found a solution. The only one I can currently think up. We basically need to wrap the JNLP with a custom app launcher, sign the app, make sure we can modify the JNLP on the fly on a server and then have it run.

As you may be aware, there is an app bundler project which can wrap up any JAR files into an OSX executable. This can be signed, delivered and will not fail Gatekeeper. I made a custom fork (which is up for a pull into the main fork) that can take a JNLP file, wrap it up and you have a custom application doing just all the stuff a JNLP should do.

A requirement is, however, that you do have a valid "Developer ID Application" certificate.


  1. Head over to bitbucket.org and download the current version
  2. Run the ant task and build the appbundler package.
  3. Have a look at the documentation for an example build script that will create the app container.
    • The example does not include the JNLP into the application right now.
    • The application's signature is created in a way so that the JNLP file can be modified later.
    • The application is being put into a zip file. This is important for downloading an application since they are only directories.

Now, if everything went fine, the zip file should automatically be unpacked in the Download folder and you should see your application icon. If you really made no mistake, you can execute the application as if it was a normal one.

I hope this will help a lot of developers fixing the broken JNLP behavior with OSX.

[UPDATE for modifiable JNLPs] Since OSX 10.9.5 it is required to have valid version 2 signatures on your app. This means that the trick that was previously used by the app bundler (set a resource list file) does not work anymore. Everything and anything has to be signed now and it is virtually impossible to change the signed app afterwards.

I did however find a way: Use the app bundler. Set the JNLP to a file inside the Contents/_CodeSignature directory. Do not yet copy your modifiable JNLP in there but do this e.g. using Java later on when patching the zip (you'll need some code here anyway).

Please note: this should really only be needed if you have to put another JNLP file dynamically into the app container (that is what the question was about).

Update (08-2017)

Oracle will be releasing Java 9 by the end of September. The appbundler does not handle the java9 vm correctly. They changed a whole lot of the API and the way that javaws works. I need to say: stick with java8 if you want to use wrapped JNLP apps.
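
The zip-patching step the answer mentions, as an added example that is not part of the original answer or the appbundler project: it is written in Python rather than the Java the answer suggests, and it copies the signed bundle's zip entry by entry (keeping Unix mode bits) while adding the per-request JNLP under Contents/_CodeSignature. The bundle name `Demo.app`, the launcher path, the file names and the sample contents are constructed for illustration.

```python
import io
import stat
import zipfile

SEAL_DIR = "Contents/_CodeSignature"  # location named in the answer


def patch_bundle_zip(signed_zip, app_dir, jnlp_name, jnlp_bytes):
    """Return a copy of signed_zip with the JNLP added under SEAL_DIR."""
    # The JNLP name is per-request input: accept a plain file name only.
    if (not jnlp_name.endswith(".jnlp") or jnlp_name.startswith(".")
            or "/" in jnlp_name or "\\" in jnlp_name):
        raise ValueError("unexpected JNLP file name: %r" % jnlp_name)
    seal = "%s/%s/" % (app_dir.rstrip("/"), SEAL_DIR)
    target = seal + jnlp_name
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(signed_zip)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        if not any(n.startswith(seal) for n in zin.namelist()):
            raise ValueError("no %s in bundle: sign it first" % SEAL_DIR)
        for info in zin.infolist():
            if info.filename == target:
                continue  # drop a JNLP left over from an earlier patch
            # Reusing the ZipInfo keeps external_attr (Unix mode, symlink
            # flag), so the launcher stays executable after the copy.
            zout.writestr(info, zin.read(info))
        entry = zipfile.ZipInfo(target)
        entry.create_system = 3  # Unix: external_attr carries the mode
        entry.external_attr = (stat.S_IFREG | 0o644) << 16
        entry.compress_type = zipfile.ZIP_DEFLATED
        zout.writestr(entry, jnlp_bytes)
    return out.getvalue()


def build_sample_zip():
    """Constructed stand-in for the zipped bundle (no real signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        launcher = zipfile.ZipInfo("Demo.app/Contents/MacOS/launcher")
        launcher.create_system = 3
        launcher.external_attr = (stat.S_IFREG | 0o755) << 16
        z.writestr(launcher, b"constructed placeholder binary")
        z.writestr("Demo.app/Contents/_CodeSignature/CodeResources", b"<plist/>")
    return buf.getvalue()

if __name__ == "__main__":
    zipped = patch_bundle_zip(build_sample_zip(), "Demo.app", "launch.jnlp", b"<jnlp/>")
    print(zipfile.ZipFile(io.BytesIO(zipped)).namelist())
```

Running `codesign --verify` and `spctl --assess` against the unpacked bundle on a Mac shows whether the signature still validates once the extra file is in place.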
