Trying to track down why codesign is now failing certain files

App is built using jdk21, jpackage to create dmg, pulls in the needed jre.

Been working fine until about a week ago, when notarize started failing with bad signing, which when examined is complaining about modified files - a handful of jre license and copyright text files.

DMGs built, signed and notarised successfully are now failing codesign verification.

Has a macOS 15.1.1 release or Xcode 16.1 patched something, is there new behaviour to be aware of please?

It’s hard to answer this without a lot more details. In general, macOS and the notary service continue to tighten up their checking of code in order to close security holes. Some of those are big changes, which we tend to announce widely. I have a bunch of links to such things in Trusted Execution Resources and the other Resources posts that it links to. But some of them are relatively minor changes that don’t get widely advertised. And some changes are just implementation changes that happen to cause problems for code that’s not following the rules [1].

DMGs built, signed and notarised successfully are now failing codesign verification.

If you run syspolicy_check against such an app, what does it report?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Historically those rules were very poorly documented. That’s much better these days, but lots of code, and lots of tooling, was created before the documentation improved.

Oh, and some folks are aware of the rules and choose to bend them anyway )-:

Thank you for confirming that things continue to change on the back end of the notarization checks - I've found a workaround for now (for any other Java devs scratching their heads - if you build the runtime using a separate call to jlink, instead of letting jpackage call it for you, then it all works - will debug behaviours of jpackage signing when time permits).

There have been many "well this was ok last week" moments in the notarization journey - not least of which was now checking deep inside JAR files for executables - that caused so much hassle as 3rd party open source providers don't sign much, and rarely with Apple sigs.

Thanks for the page of links, useful indeed. I didn't see any link to a release or change log for back end notarization checks, is there a way to see these as they happen to help with when something no longer works as it used to? Thanks!
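
The workaround described in the post above (a separate jlink call, then jpackage given the prebuilt runtime), followed by the local checks mentioned earlier in the thread, as an added example that is not part of the original thread or anyone's actual build script. The app name, jar, main class, build paths, module list and signing name are all placeholder assumptions.

```shell
#!/bin/sh
# Added example: jlink first, then jpackage with --runtime-image.
# MyApp, app.jar, com.example.Main, build/* paths, the module list and the
# signing name are placeholders (assumptions), not values from the thread.
set -eu

APP_NAME="${APP_NAME:-MyApp}"
MODULES="${MODULES:-java.base,java.desktop}"
RUNTIME_DIR="${RUNTIME_DIR:-build/runtime}"
SIGN_NAME="${SIGN_NAME:-Example Corp (TEAMID)}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: build the runtime image with an explicit jlink call.
build_runtime() {
  run jlink --add-modules "$MODULES" --output "$RUNTIME_DIR"
}

# Step 2: package and sign, handing jpackage the prebuilt runtime
# so it does not invoke jlink itself.
package_dmg() {
  run jpackage --type dmg --name "$APP_NAME" \
    --input build/libs --main-jar app.jar --main-class com.example.Main \
    --runtime-image "$RUNTIME_DIR" \
    --mac-sign --mac-signing-key-user-name "$SIGN_NAME" \
    --dest build/dist
}

# Step 3: check a built .app (for example from the mounted DMG) locally
# before submitting it for notarization.
verify_app() {
  run codesign --verify --deep --strict --verbose=2 "$1"
  run syspolicy_check distribution "$1"
}

build_runtime
package_dmg
```

Run as-is it only prints the commands; set `DRY_RUN=0` on a Mac with the JDK and a signing identity installed to execute them, then call `verify_app` on the resulting app bundle.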
