Notarisation of Java Application with embedded JRE

Question

We have a Java Application with an embedded JRE. It is distributed as a DMG File.After signing this DMG file, including nested context using the --deep flag, the check of the signature using codesign command is successful.The Upload to the notarisation service is also successful.The result of the notarisation is “Your Mac software was not notarized.” The reason logged in the report is that the JRE is not signed.We are using AdoptOpenJDK current 1.8 version. But tests with java 11 also led to the same result.Checking the notarisation documentation did not bring new findings.https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issuesIs there anything else to do when notarisation an application like ours?

john daniel · Answer

Sure. Don&#x27;t ever use "--deep". Virtually every post about notarization problems involves someone using "--deep" and/or "--force". I&#x27;m not joking here - virtually every single one.So don&#x27;t use that. Chances are, your bundle will then fail to sign properly. Perhaps that is why everyone was hacking it with "--deep". But the correct course of action is to contruct your bundle properly. Then you don&#x27;t need "--deep" and your notarization will work.In most cases, you are stuffing binaries in the Resources folder. Stand-alone binaries need to go in Contents/Helpers. Something more complex than that should go into Frameworks. This is all assuming Apple&#x27;s notarization servers are running that day. I&#x27;m still a little ticked about yesterday. Not even a "sorry &#x27;bout that!" from Apple. Sorry. I digress.

ThomasOettl · Answer

Thanks for you answer!I&#x27;ve changed the structure of the app but the result stays the same.Checking with codesign says everything ok and the notarisation says the embedded JRE is not signed, although the hash values for all files are listed in the _CodeSignature.

john daniel · Answer

Aare you still using "--deep"? Can you post your notarization log?

ThomasOettl · Answer

No, I have removed the --deep parameter but still get the same result. Notarisation complains about the Signature of the included JRE.Command used to ckeck the DMGs signature: codesign -vvv --strict ***.dmgxxx.dmg: valid on diskxxx.dmg: satisfies its Designated RequirementPart of the content of CodeResources file&amp;lt;key&amp;gt;jre/Contents/Home/bin/java&amp;lt;/key&amp;gt;&amp;lt;dict&amp;gt;&amp;lt;key&amp;gt;hash&amp;lt;/key&amp;gt;&amp;lt;data&amp;gt;5BjtH+ZNNYHVRnm4n8ILT2Gp8R8&#x3D;&amp;lt;/data&amp;gt;&amp;lt;key&amp;gt;hash2&amp;lt;/key&amp;gt;&amp;lt;data&amp;gt;NXhhFRQOUk58ttqAHMmkttxkc+4hvHjolDfS7ffxSyQ&#x3D;&amp;lt;/data&amp;gt;&amp;lt;/dict&amp;gt;Part of the notarisation log:{      "severity": "error",      "code": null,"path": "***.dmg/***.app/Contents/jre/Contents/Home/bin/java","message": "The binary is not signed.","docUrl": null,"architecture": "x86_64"},{"severity": "error","code": null,"path": "***.dmg/***.app/Contents/jre/Contents/Home/bin/java","message": "The signature does not include a secure timestamp.","docUrl": null,"architecture": "x86_64"},{"severity": "error","code": null,"path": "***.dmg/***.app/Contents/jre/Contents/Home/bin/java","message": "The executable does not have the hardened runtime enabled.","docUrl": null,      "architecture": "x86_64"    },

john daniel · Answer

I don&#x27;t know what to tell you that would be more informative than the messages that notarization has already provided. I would suggest keeping things like a JRE in the "Frameworks" folder. I don&#x27;t know if "Contents" is causing the problem, but "Frameworks" is better suited as a dumping ground of binaries that don&#x27;t fit elsewhere.

CasaDelGato · Answer

Is there any documentation on just what should go in which folders of the app?

Notarisation of Java Application with embedded JRE

Replies