
Notarize existing Java application for MacOS Catalina


I distribute a Java application for MacOS; it is developer signed but not notarized. I am not really sure where to start with this since the documentation is so biased towards creating apps with Xcode, which I do not use, but I just want the simplest way to notarize my app and then move on.

Reading the documentation I have a few concerns already:

  • I am currently using Java 8. Is it possible to notarize a Java 8 app, or do I need to move to Java 11? I would rather not move to Java 11 because it would cause problems on some other platforms I support.

  • My dev Mac machine is an old MacBook Pro, and as such cannot be updated past OSX El Capitan 10.11.6. Can I notarize with this machine or not? I do have a more recent machine, but it is not set up for development and I have some concerns about transferring the Developer ID certificates to it because setting this up was problematic in the first place.

  • I use the AppBundler fork https://github.com/TheInfiniteKind/appbundler/ to package my app

  • This is called from an ant build file that does the signing etc.; we eventually create a dmg using dmgCanvas

  • I post the ant script below, hoping someone can start me off with the basic steps

    #!/bin/bash
    #set -x
    
    cd /Users/paul/code/jthink/songkong/src/main/scripts
    hiutil -C  -fapplehelpbook/SongKongHelp/SongKongHelp.helpindex applehelpbook/SongKongHelp/
    cd /Users/paul/code/jthink/songkong
    rm -fr /Applications/SongKong.app
    mvn clean
    mvn -DskipTests=true install
    rm -fr target/songkong-6.6
    unzip target/songkong-6.6-distribution.zip -d target
    ant
    sudo cp -r target/songkong-6.6/applehelpbook/SongKongHelp /Applications/SongKong.app/Contents/Resources
    rm /Applications/SongKong.app/Contents/PlugIns/jdk1.8.0_192.jdk/Contents/MacOS/libjli.dylib
    cp /Applications/SongKong.app/Contents/PlugIns/jdk1.8.0_192.jdk/Contents/Home/jre/lib/jli/libjli.dylib /Applications/SongKong.app/Contents/PlugIns/jdk1.8.0_192.jdk/Contents/MacOS
    export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
    
    /usr/bin/codesign --sign "Developer ID Application: P Taylor" --force --deep --verbose /Applications/SongKong.app
    /usr/bin/codesign --verify --deep  --verbose /Applications/SongKong.app
    
    cd /Users/paul/code/jthink/SongKong
    /usr/local/bin/dmgcanvas /Users/paul/code/jthink/SongKong/dmgCanvas_songkong.dmgCanvas /Users/paul/songkong-osx.dmg -v SongKong
    

Solution

  • Update as of 3rd Feb 2020: Apple has tightened the notarization requirements, so the answer has been rewritten.

    Note: I required the AdoptJdk Java 11.0.7 JRE, earlier versions did not work for me.

    These are my steps

    • Set up new machine (set up src code etc.)
    • Install XCode then go to Preferences:Downloads and select Install Command Line Tools
    • Using KeyChain, export Developer ID Certificate in .p12 format and import into new machine
    • Purchase and install DmgCanvas 3 ($30USD)
    • Renew Apple Developer Account
    • Setup two-step authorisation for my AppleId account (this is partly done on website and partly with iCloud app)
    • Create app specific password (make a note, will need for dmgCanvas options)
    • Install AdoptJdk Java 11.0.7 for building
    • Install AdoptJdk Java 11.0.7 JRE for bundling inside app
    • Create songkong.entitlements file
    • Configure build.xml file used by Appbundler InfiniteKind fork to refer directly to the AdoptOpenJDK JRE build
    • Configure build script to sign the bundle created by appbundler, ensuring we use the new signing options required (e.g. --options runtime, --entitlements, --timestamp)
    • The build script then creates a dmg using dmgCanvas, which additionally signs the dmg and sends it to Apple for notarization

    build.xml includes:

    <runtime dir="/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jre/Contents/Home"/>
    

    buildosx.sh is

    #!/bin/bash
    #set -x
    
    cd /Users/paul/code/jthink/songkong
    sudo rm -fr /Applications/SongKong.app
    # Build the distribution with the macOS pom, unpack it, then let ant/appbundler create SongKong.app
    mvn -f pommacos.xml -DskipTests=true install
    rm -fr target/songkong-6.9
    unzip target/songkong-6.9-distribution.zip -d target
    ant
    export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
    # Sign every binary in the bundle (--deep) with the hardened runtime enabled (--options runtime),
    # a secure timestamp (--timestamp) and the runtime exceptions from the entitlements file;
    # all three are required by the notarization service
    /usr/bin/codesign --timestamp --options runtime \
    --entitlements /Users/paul/code/jthink/songkong/songkong.entitlements \
    --sign "Developer ID Application: P Taylor" \
    --force --deep --verbose /Applications/SongKong.app
    # Verify the signature strictly, then ask Gatekeeper's assessment tool whether it would accept the app
    /usr/bin/codesign -vvv --deep --strict /Applications/SongKong.app
    spctl -a -t exec -vv /Applications/SongKong.app
    cd /Users/paul/code/jthink/SongKong
    # dmgCanvas builds the dmg, signs it with the same identity and submits it to Apple for notarization
    # (the password is the app-specific password, not the AppleId account password)
    /usr/local/bin/dmgcanvas /Users/paul/code/jthink/SongKong/dmgCanvas_songkong.dmgCanvas \
     /Users/paul/songkong-osx.dmg \
     -v SongKong -identity "Developer ID Application: P Taylor" \
     -notarizationAppleID paultaylor@jthink.net \
     -notarizationPassword password \
     -notarizationPrimaryBundleID songkong
    

    SongKong entitlements file is:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.disable-executable-page-protection</key>
        <true/>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
        <true/>
    </dict>
    </plist>
    

    Note: I have also tried this with build.xml referring to the AdoptJdk Java 11.0.7 JDK, and that also builds without issue (although of course I end up with a much larger dmg)