javafxcode-signinginstall4jmac-app-store

install4j stuck at password input during javafx application code-signing for Mac


Despite all our attempts, we could not get past the password entry popup. Usually, this is an issue with an incorrect password or a "head-space and timing issue", but we've confirmed the password to the KeyStore App is correct.

We are attempting to sign our javafx 17 application in order to submit it to the mac app store. We've followed the instructions from Apple to create the certificate, and from the docs on Install4j to upload the certificate. After attempting several times and checking the KeyChain password we still continue to fail - see image below. I've also allowed full access to the certificate in the keyChain app by double clicking the certificate -> Access Control and checking "Allow all applications to access the item". Despite the certificate being unrestricted, we could not get past the password entry.

Install4j Docs on code-signing: https://www.ej-technologies.com/resources/install4j/v/8.0/help/doc/concepts/codeSigning.html

Preparing your app for distribution: https://developer.apple.com/macos/distribution/

Signing you apps for GateKeeper -- Apple id for apps distributed outside the Mac Store: https://developer.apple.com/developer-id/

Install4j enter password popup

Has anyone had a similar issue with Install4j 9.0.7? What was the solution?

--update:

Upon further inspection, the EJ Technologies Install4j docs describe that the certificate "Subject Name" must be "Developer ID Application". I am not sure if this is an accurate description. The certificate's Subject Name, Common Name is "Developer ID Application:MyDeveloperName(123.....)". There is no option from apple to give the Certificate a Subject Name. I'm also not sure if this is related to the password problem.


Solution

  • If you have created the certificate signing request with a private key that uses elliptic curve cryptography, it will not work in 9.0.7. Contact support@ej-technologies.com for a build that will work in this case. Also, please make sure to select both the public and the private key before exporting from the KeyChain app.

    I've also allowed full access to the certificate in the keyChain app by double clicking the certificate -> Access Control and checking "Allow all applications to access the item"

    Don't do that, install4j does not access the KeyChain, it works with the PKCS#11 keystore that you export from it and you set a password during export for full access.

    The certificate's Subject Name, Common Name is "Developer ID Application:MyDeveloperName(123.....)". There is no option from apple to give the Certificate a Subject Name. I'm also not sure if this is related to the password problem.

    No, that is fine, "Developer ID Application" is the type of the certificate.

    However, regarding:

    We are attempting to sign our javafx 17 application in order to submit it to the mac app store.

    This will not work with a "Developer ID Application" certificate which is only suitable for standalone distribution. Submitting to the App Store will be supported in the upcoming install4j 10 (very soon). You need different certificates for that and it is not possible to create a signed artifact with install4j 9 that will be accepted by the App Store.