Question: Per OS examples with code signing

Open ilacc1 opened this issue 2 years ago • 3 comments

I'm submitting a…

  • [ ] bug report
  • [ ] feature request
  • [*] other

Short description of the issue/suggestion: Are there code signing examples for linux / mac / windows? This can be rather complex for developers and examples in the documentation show the most basic use case without signing.

  • JavaPackager version: 1.7.5
  • OS version: Windows 10/11, MacOS (11.5+), Rocky 8 & 9, Ubuntu 20, 21, 22
  • JDK version: 17
  • Build tool:
    • [*] Maven
    • [ ] Gradle

Other information (e.g. related issues, suggestions how to fix, links for us to have context)

I was able to get windows signing to work fairly easily. On MacOS, I am scratching my head. A MacOS signing / deployment guide doc would be a huge help. Specifically more info about different launchers and how to handle different architectures would also help. Also why is JP replacing all signatures on all executables? On Linux, I have no idea where to start. JP doesn't seem to have signing options in the config file for linux so I am guessing this is something to be done after deb / rpms are built?

Thanks !

ilacc1 Oct 29 '23 16:10

Hi @ilacc1!

macos

Sorry, but I'm not a proficient MacOS user and also don't have a signing key 😢 ... this feature was partially developed and tested by some contributors and based on Apple documentation. As you can see in the JP docs, you must provide the following info to sign your ".app":

<macConfig>
    ...
    <!-- signing properties -->
    <developerId>signing identity</developerId>
    <entitlements>path/to/entitlements.plist</entitlements>
    <codesignApp>true|false</codesignApp>
    <hardenedCodesign>true|false</hardenedCodesign>
    <notarizeApp>true|false</notarizeApp>
    <keyChainProfile>xcrun_notarytool_profile_name</keyChainProfile>
    ...
</macConfig>

AFAIK you have to register as an Apple developer to get a signing key ... then you should store/register this key on your Mac and specify the signing key's Developer ID, and then you set this ID in your POM: macConfig.developerId=XYZ.

Also, entitlements are the permissions your app needs to run. For a Java app, JP provides a default entitlements file.

And notarization is a process where Apple verifies your application to make sure it has a Developer ID code signature and doesn't contain malicious content.

linux

No one has requested this feature, so it's not implemented in JP.

fvarrui Feb 25 '24 22:02
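
One way to check what the macConfig signing options above actually produced, as an added example that is not part of the thread or of JavaPackager: a shell function that reads `codesign -dvv` output and flags a missing Developer ID, hardened runtime, team identifier or secure timestamp. The mapping of checks to `developerId` and `hardenedCodesign` is an assumption, and both sample reports (names, team ID, dates) are constructed.

```shell
#!/bin/sh
# Added example (not JavaPackager code). Reads `codesign -dvv` output on stdin
# and checks what the macConfig signing options are meant to produce.
# On a Mac: codesign -dvv path/to/Your.app 2>&1 | check_codesign_report

# Constructed sample reports (names, team ID and dates are made up).
GOOD_REPORT='Executable=/tmp/Demo.app/Contents/MacOS/Demo
Identifier=com.example.demo
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=21+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 25, 2024 at 22:02:00
TeamIdentifier=ABCDE12345'

ADHOC_REPORT='Executable=/tmp/Demo.app/Contents/MacOS/Demo
Identifier=com.example.demo
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=5+3 location=embedded
Signature=adhoc
TeamIdentifier=not set'

check_codesign_report() {
    report=$(cat)
    rc=0
    # check LABEL REGEX: passes when some line of the report matches REGEX
    check() {
        if printf '%s\n' "$report" | grep -Eq "$2"; then
            echo "ok:   $1"
        else
            echo "FAIL: $1"; rc=1
        fi
    }
    check 'developerId: leaf is a Developer ID Application certificate' \
          '^Authority=Developer ID Application: '
    check 'hardenedCodesign: CodeDirectory flags include runtime' \
          '^CodeDirectory .*flags=0x[0-9a-fA-F]+\([^)]*runtime'
    check 'team identifier is set' '^TeamIdentifier=[A-Z0-9]{10}$'
    check 'secure timestamp present (notarization requires one)' '^Timestamp='
    return $rc
}
```

Notarization itself is not visible in this report; on the Mac, `xcrun stapler validate` and `spctl --assess --type execute -vv` cover that part.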

I hope it helps 😃

fvarrui Feb 25 '24 22:02

Can we close this issue?

fvarrui Jul 08 '24 09:07