[SOLVED] install4j support for code signing MacOS console launchers that load dyld libraries via System.loadLibrary

install4j support for code signing MacOS console launchers that load dyld libraries via System.loadLibrary

I have an issue with a MacOS folder DMG media file that I created with install4j 8.0.8. If I code sign the package, everything gets signed correctly including my *.dyld files that reside in a lib/ directory. Also, my GUI programs work fine and calls to System.loadLibrary() succeed and load the dyld files correctly. However, my command-line programs that call the same Java code as my GUI programs fail when they get to the System.loadLibrary() call with this message:

java.lang.UnsatisfiedLinkError: jhdf5 (Not found in java.library.path)
    at java.base/java.lang.ClassLoader.loadLibraryWithPath(ClassLoader.java:1745)
    at java.base/java.lang.ClassLoader.loadLibraryWithClassLoader(ClassLoader.java:1697)
    at java.base/java.lang.System.loadLibrary(System.java:591)

But, if I disable code signing when I build the media file for MacOS, which I do by passing disableSigning=true from Ant, both GUI and command-line programs work fine.

So possibly, I'm not understanding if I need to do something extra with the Java VM parameters when running a program from a console launcher versus a GUI launcher on MacOS (I'm running Big Sur). Or is it just not possible to run console launchers in a code signed media file where dyld files are loaded on demand? Maybe due to the fact that console launchers are implemented as scripts on MacOS. The install4j 8 documentation doesn't seem to mention this nuance that I can find.

The directory structure of the installed files looks like this:

Peters-MacBook-Pro-16:CoastWatch Utilities Signed phollema$ ll
total 4224
drwxr-xr-x  10 phollema  admin      320  9 Apr 17:25 .
drwxrwxr-x  37 root      admin     1184  9 Apr 17:24 ..
drwxr-xr-x  53 phollema  admin     1696  9 Apr 17:25 .install4j
drwxr-xr-x   3 phollema  admin       96  9 Apr 17:24 CoastWatch Utilities Uninstaller.app
drwxr-xr-x  25 phollema  admin      800  9 Apr 18:50 bin
drwxr-xr-x   3 phollema  admin       96  9 Apr 17:24 data
drwxr-xr-x   8 phollema  admin      256  9 Apr 17:25 doc
drwxr-xr-x   3 phollema  admin       96  9 Apr 17:24 extensions
drwxr-xr-x   4 phollema  admin      128  9 Apr 17:25 lib
-rw-r--r--   1 phollema  admin  1608406  9 Apr 17:12 src.zip
Peters-MacBook-Pro-16:CoastWatch Utilities Signed phollema$ ll bin
total 624
drwxr-xr-x  25 phollema  admin    800  9 Apr 18:50 .
drwxr-xr-x  10 phollema  admin    320  9 Apr 17:25 ..
-rw-r--r--@  1 phollema  admin   6148  9 Apr 18:50 .DS_Store
drwxr-xr-x   3 phollema  admin     96  9 Apr 17:24 CoastWatch Data Analysis Tool.app
drwxr-xr-x   3 phollema  admin     96  9 Apr 17:24 CoastWatch Master Tool.app
drwxr-xr-x   3 phollema  admin     96  9 Apr 17:24 CoastWatch Status Tool.app
-rwxr-xr-x   1 phollema  admin  14801  9 Apr 17:12 cwangles
-rwxr-xr-x   1 phollema  admin  14803  9 Apr 17:12 cwautonav
-rwxr-xr-x   1 phollema  admin  14829  9 Apr 17:12 cwcomposite
-rwxr-xr-x   1 phollema  admin  14827  9 Apr 17:12 cwcoverage
-rwxr-xr-x   1 phollema  admin  14805  9 Apr 17:12 cwdownload
-rwxr-xr-x   1 phollema  admin  14801  9 Apr 17:12 cwexport
-rwxr-xr-x   1 phollema  admin  14827  9 Apr 17:12 cwgraphics
-rwxr-xr-x   1 phollema  admin  14789  9 Apr 17:12 cwgscript
-rwxr-xr-x   1 phollema  admin  14823  9 Apr 17:12 cwimport
-rwxr-xr-x   1 phollema  admin  14797  9 Apr 17:12 cwinfo
-rwxr-xr-x   1 phollema  admin  14819  9 Apr 17:12 cwmath
-rwxr-xr-x   1 phollema  admin  14805  9 Apr 17:12 cwnavigate
-rwxr-xr-x   1 phollema  admin  14829  9 Apr 17:12 cwregister
-rwxr-xr-x   1 phollema  admin  14831  9 Apr 17:12 cwregister2
-rwxr-xr-x   1 phollema  admin  14823  9 Apr 17:12 cwrender
-rwxr-xr-x   1 phollema  admin  14801  9 Apr 17:12 cwsample
-rwxr-xr-x   1 phollema  admin  14841  9 Apr 17:12 cwscript
-rwxr-xr-x   1 phollema  admin  14799  9 Apr 17:12 cwstats
-rwxr-xr-x   1 phollema  admin  14763  9 Apr 17:12 hdatt
Peters-MacBook-Pro-16:CoastWatch Utilities Signed phollema$ ll lib/native/macosx_x86_64/
total 12544
drwxr-xr-x  4 phollema  admin      128  9 Apr 17:25 .
drwxr-xr-x  3 phollema  admin       96  9 Apr 17:25 ..
-rw-r--r--  1 phollema  admin  1748128  9 Apr 17:12 libjhdf.dylib
-rw-r--r--  1 phollema  admin  3536000  9 Apr 17:12 libjhdf5.dylib

Also, the console launcher scripts contain a line that adds to the DYLD_LIBRARY_PATH like this:

DYLD_LIBRARY_PATH="$app_home/lib/native/macosx_x86_64:$DYLD_LIBRARY_PATH"
export DYLD_LIBRARY_PATH

All of this works if I don't sign the media file, and the console launcher scripts are identical.

Solution

Notarization requires enabling the "Hardened runtime" which prevents the use of DYLD_LIBRARY_PATH unless a specific entitlement is set for the launcher executable. As of install4j 9.0.1, entitlements can only be set for GUI launchers and not for the java executable of a bundled JRE which is what would be needed for command line launchers.

However, setting -Djava.library.path is a good solution and preferable to setting entitlements.