Code signing + notarization using jpackage utility isn't working on macOS


Problem description

For some context, I'm using the jpackage utility to try to create a signed DMG file to deliver to my users. The reason I need to sign this DMG is because I would like to notarize the software. By the way, I'm not sure if notarization is possible (yet) using jpackage but I'm trying it anyway.

However, I am having trouble using jpackage's inbuilt code signing options, which is a prerequisite to successful notarization.

I am running jpackage using the options --mac-sign --mac-package-signing-prefix CardrDebate --mac-signing-key-user-name "Developer ID Application: ********** (*******)" (I've redacted the actual developer ID since this is public on StackOverflow).

After creating the jpackage app image, I tested whether the generated code was actually signed by navigating to several of the generated .dylib files and trying codesign -vvv {filename}.dylib, and codesign said that the object was not signed at all (NOT that it was incorrectly signed, but that it just wasn't signed at all).

Thus, I believe that my problem is from my (potentially) incorrect usage of jpackage's signing options on macOS. How should I be using these?

Recommended answer

I'll go ahead and answer my own question because I ended up figuring out how to sign my application and get it successfully notarized from the Apple notarization service (my product is http://cardr.x10.bz).

  1. Use jpackage's app-image option to generate an unsigned app bundle.

  2. Use an automated bash script to codesign all dylib and executable files inside of the app bundle, using codesign -vvv --options runtime --deep --force --sign "Developer ID Application: ********" <filename>.

  3. This is a multi-step procedure, so I'll just split it up into A/B/C.

3A) Find all jar files within the MyApp.app/Contents/mods/ that contain embedded .dylib files, and extract those files to a specific folder (or write a small program to do this for you). For me, my app relied on JavaFX, so many of the JavaFX libraries contained .dylib files within the jar files. However, if you're just using the default Java libraries, you should be able to skip to step 4, since the default Java libraries don't contain .dylib files. The reason we need to do this step is because Apple's notarization service checks these embedded .dylib files for codesigning as well.

3B) Use an automated bash script to codesign all dylib files that you just extracted, using codesign -vvv --options runtime --deep --force --sign "Developer ID Application: ********" <filename>.

3C) Add each of the signed .dylib files back into their respective jar files to replace the original unsigned embedded .dylib files. Here's a command that may come in handy: jar uf <path to jar file> <path to dylib file>. Keep note that the second path specified, the path to the dylib file, should also be the dylib's relative location within the archive. Take a look here for more details - https://docs.oracle.com/javase/tutorial/deployment/jar/update.html.

  4. Now that you have signed every executable and dylib file in the .app, it's time to sign the .app itself. Run codesign -vvv --force --sign "Developer ID Application: ********" MyApp.app.

  5. Now that you have signed the .app, you need to run jpackage on the app bundle to create either a DMG or a PKG out of it. Feel free to use the jpackage mac signing features, which will sign the outer DMG/PKG. Take note that the property --mac-signing-key-user-name "My Developer Account Name (*******)" should NOT include the "Developer ID Application/Installer" part of the certificate.

  6. Finally, you have created a signed PKG/DMG ready for notarization. Use xcrun altool --notarize-app --username <apple-id> --password <app-specific-password> <MyApp.dmg or MyApp.pkg>. Wait for notarization to complete and make sure it is approved.

  7. If notarization succeeded (it should), you can staple your app's ticket to the PKG installer using xcrun stapler staple MyApp.pkg.

Hope this helps!
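
The jar round trip of steps 3A-3C, together with the signing order of steps 2 and 4, as a POSIX shell script. This is an added example, not the answer author's script: the function names are made up here, while the codesign flags and the Contents/mods path are the ones given in the answer.

```sh
#!/bin/sh
# Added example (not the answer author's script).
# Usage: sh sign-bundle.sh MyApp.app "Developer ID Application: <name> (<team>)"
set -e

# Flags copied from steps 2 and 3B of the answer.
sign_file() { codesign -vvv --options runtime --deep --force --sign "$1" "$2" >&2; }

# Steps 3A-3C for one jar: extract each embedded .dylib, sign it, and put it
# back at the same relative path. Prints the entries it re-signed.
sign_jar_dylibs() (
  jar_path=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")  # absolute: we cd below
  identity=$2
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"
  jar tf "$jar_path" | grep '\.dylib$' > "$work/.entries" || true
  while IFS= read -r entry; do
    jar xf "$jar_path" "$entry" || exit 1       # 3A: extract
    sign_file "$identity" "$entry" || exit 1    # 3B: sign
    jar uf "$jar_path" "$entry" >&2 || exit 1   # 3C: replace inside the jar
    printf '%s\n' "$entry"
  done < "$work/.entries"
)

# Steps 2-4 for a whole bundle. The bundle itself is signed last because
# changing any file inside it afterwards invalidates the bundle signature.
sign_bundle() (
  app=$1
  identity=$2
  # Step 2: loose dylibs and executable files.
  find "$app" -type f \( -name '*.dylib' -o -perm -100 \) | while IFS= read -r f; do
    sign_file "$identity" "$f" || exit 1
  done || exit 1
  # Step 3: jars under Contents/mods (the location named in the answer).
  find "$app/Contents/mods" -type f -name '*.jar' | while IFS= read -r j; do
    sign_jar_dylibs "$j" "$identity" || exit 1
  done || exit 1
  # Step 4: seal the bundle.
  codesign -vvv --force --sign "$identity" "$app" >&2
)

if [ "$#" -eq 2 ]; then sign_bundle "$1" "$2"; fi
```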
