Code sign Java app for OS X Gatekeeper


Problem description



I am trying to distribute a Java application to OS X users. I am not using the Mac store - it is to be distributed through my own website. Whatever I try, OS X's Gatekeeper rejects the app.

Here's my method:

(1) Build the app as usual, get a JAR file

(2) Use appbundler as described here: https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/packagingAppsForMac.html. This creates a .app around my JAR which runs nicely, and contains the JVM in the MyApp.app/Contents/PlugIns directory.

(3) Sign the app with my Developer certificate:

codesign -s 'Developer ID Application: MyCompany Ltd' --deep MyApp.app

...process completes successfully

(4) Verify that the .app will adhere to Gatekeeper's iron-fist laws:

spctl --assess --verbose=4 --type execute MyApp.app

...and the result I get back is:

MyApp.app: a sealed resource is missing or invalid

Doesn't seem very verbose to me! What could I be doing wrong? Or how can I get more information?

SO/Google searches around 'a sealed resource...' refer to signing frameworks (which I don't have) or suggest signing with the --force option (which I tried but doesn't work).

Solution

You can't use --deep. It sounds like the right option to use, since you also need to sign the embedded JRE, but it won't work. From Apple's docs:

Important: While the --deep option can be applied to a signing operation, this is not recommended. We recommend that you sign code inside out in individual stages (as Xcode does automatically). Signing with --deep is for emergency repairs and temporary adjustments only.

After a lot of hair-pulling, I cobbled this together from various tutorials. This one was the most helpful. Here was my final solution as an Ant script:

<!-- code sign -->
<exec executable="chmod">
    <arg line="a+w ${build.dir}/Mac/MyApp.app/Contents/PlugIns/jre"/>
</exec>

<apply executable="codesign"> <!-- note: this loops through the contents of dir -->
    <arg line="-f -s 'Developer ID Application: My Organization'"/>
    <fileset dir="${build.dir}/Mac/MyApp.app/Contents/PlugIns/jre" />
</apply>

<exec executable="codesign" dir="${build.dir}/Mac"> 
    <arg line="-f -s 'Developer ID Application: My Organization' MyApp.app/Contents/PlugIns/jre"/>
</exec>

<exec executable="codesign" dir="${build.dir}/Mac"> 
    <arg line="-f -s 'Developer ID Application: My Organization' MyApp.app/Contents/PlugIns/jre/Contents/_CodeSignature/CodeResources"/>
</exec>

<!-- also codesign anything else in _CodeSignature (see comments) -->

<exec executable="codesign" dir="${build.dir}/Mac">
    <arg line="-f -s 'Developer ID Application: My Organization' MyApp.app"/>
</exec>


<!-- verify codesign -->
<exec executable="codesign" dir="${build.dir}/Mac" failonerror="true">
    <arg line="-vv MyApp.app"/>
</exec>


<!-- verify gatekeeper -->
<exec executable="spctl" dir="${build.dir}/Mac" failonerror="true">
    <arg line="-vv --assess --type execute MyApp.app"/>
</exec>

Another thing to look out for is not to use the command-line zip to package your app after signing, because it will break the codesign of the app. You should package it using productbuild, PackageMaker, xip, or in a dmg.
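The inside-out order the answer describes, written as an added shell example (not part of the original answer or of any Apple tooling). The function names and the DRY_RUN variable are hypothetical, the PlugIns layout is the one from the question, and unlike the Ant script it leaves `_CodeSignature` to be regenerated when the enclosing bundle is signed.

```shell
#!/bin/sh
# Added example. Layout assumed from the answer: <app>/Contents/PlugIns/<jre>.
# Function names and DRY_RUN are hypothetical; paths must not contain newlines.

# Print items in signing order: files inside each PlugIns entry first,
# then the entry itself, then the outer .app last.
signing_order() {
    bundle=${1%/}
    for plugin in "$bundle"/Contents/PlugIns/*; do
        [ -d "$plugin" ] || continue
        # _CodeSignature is output written by codesign, so it is skipped here.
        find "$plugin" -depth -type f ! -path '*/_CodeSignature/*' -print
        printf '%s\n' "$plugin"
    done
    printf '%s\n' "$bundle"
}

# Sign every item in that order; with DRY_RUN=1 only print the commands.
sign_inside_out() {
    identity=$2
    signing_order "$1" | while IFS= read -r item; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf "codesign -f -s '%s' '%s'\n" "$identity" "$item"
        else
            codesign -f -s "$identity" "$item" || exit 1
        fi
    done
}

# The two checks from the answer: signature validity, then Gatekeeper policy.
verify_bundle() {
    codesign -vv "$1" && spctl -vv --assess --type execute "$1"
}

# Usage: sign.sh MyApp.app 'Developer ID Application: My Organization'
if [ "$#" -eq 2 ]; then
    sign_inside_out "$1" "$2" && verify_bundle "$1"
fi
```

Running it with `DRY_RUN=1` prints the planned `codesign` commands so the order can be reviewed before anything is signed.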
