User Profile

No, I have removed the --deep parameter but still get the same result. Notarisation complains about the Signature of the included JRE.Command used to ckeck the DMGs signature: codesign -vvv --strict ***.dmgxxx.dmg: valid on diskxxx.dmg: satisfies its Designated RequirementPart of the content of CodeResources file<key>jre/Contents/Home/bin/java</key><dict><key>hash</key><data>5BjtH+ZNNYHVRnm4n8ILT2Gp8R8=</data><key>hash2</key><data>NXhhFRQOUk58ttqAHMmkttxkc+4hvHjolDfS7ffxSyQ=</data></dict>Part of the notarisation log:{ "severity": "error", "code": null,"path": "***.dmg/***.app/Contents/jre/Contents/Home/bin/java","message": "The binary is not signed.","docUrl": null,"architecture": "x86_64"},{"severity": "error","code": null,"path": "***.dmg/***.app/Contents/jre/Contents/Home/bin/java","message": "The signature does not include a secure timestamp.","docUrl": null,"architecture": "x86_64"},{"severity": "error","code": null,"path": "***.dmg/***.app/Contents/jre/Contents/Home/bin/java","message": "The executable does not have the hardened runtime enabled.","docUrl": null, "architecture": "x86_64" },

Thanks for you answer!I've changed the structure of the app but the result stays the same.Checking with codesign says everything ok and the notarisation says the embedded JRE is not signed, although the hash values for all files are listed in the _CodeSignature.