I'm trying to build an app-image for macos with the following jpackage
version:
openjdk 17.0.2 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-86)
OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)
I'm using a bash file to build the command:
"$JDK/bin/jpackage" --type app-image --input "$INPUT/target/" --dest "$INPUT/target/output" --name "$NAME" \
--main-jar my-jar.jar --main-class org.test.Launcher --add-modules "$JDK_MODULES" \
--resource-dir "$RES" --copyright "$COPYRIGHT" --app-version "$VERSION" --description "$DESC" --vendor "$VENDOR" \
--verbose --mac-package-identifier "$IDENTIFIER" --mac-sign --mac-package-signing-prefix "$IDENTIFIER" \
--mac-signing-key-user-name "My Organization (USER_ID_OF_CERTIFICATE)" \
--mac-signing-keychain "/Users/MyUser/Library/Keychains/login.keychain-db"
The complete output of this command is the following:
[16:59:06.497] Running /usr/bin/security
[16:59:06.527] Command [PID: 20771]:
/usr/bin/security find-certificate -c Developer ID Application: My Organization (USER_ID_OF_CERTIFICATE) -a /Users/MyUser/Library/Keychains/login.keychain-db
[16:59:06.527] Output:
keychain: "/Users/MyUser/Library/Keychains/login.keychain-db"
version: 512
class: 0x80001000
attributes:
[omitted by me]
[16:59:06.530] Returned: 0
[16:59:06.531] jdk.jpackage.internal.ConfigException: Signature explicitly requested but no signing certificate found
at jdk.jpackage/jdk.jpackage.internal.MacAppBundler.doValidate(MacAppBundler.java:136)
at jdk.jpackage/jdk.jpackage.internal.AppImageBundler.validate(AppImageBundler.java:70)
at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:675)
at jdk.jpackage/jdk.jpackage.internal.Arguments.processArguments(Arguments.java:550)
at jdk.jpackage/jdk.jpackage.main.Main.execute(Main.java:91)
at jdk.jpackage/jdk.jpackage.main.Main.main(Main.java:52)
[16:59:06.533] jdk.jpackage.internal.PackagerException: Bundler Mac Application Image skipped because of a configuration problem: Signature explicitly requested but no signing certificate found
Advice to fix: Specify a valid mac-signing-key-user-name and mac-signing-keychain
at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:688)
at jdk.jpackage/jdk.jpackage.internal.Arguments.processArguments(Arguments.java:550)
at jdk.jpackage/jdk.jpackage.main.Main.execute(Main.java:91)
at jdk.jpackage/jdk.jpackage.main.Main.main(Main.java:52)
Caused by: jdk.jpackage.internal.ConfigException: Signature explicitly requested but no signing certificate found
at jdk.jpackage/jdk.jpackage.internal.MacAppBundler.doValidate(MacAppBundler.java:136)
at jdk.jpackage/jdk.jpackage.internal.AppImageBundler.validate(AppImageBundler.java:70)
at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:675)
... 3 more
[16:59:06.531] No certificate found matching [Developer ID Application: My Organization (USER_ID_OF_CERTIFICATE)] using keychain [/Users/MyUser/Library/Keychains/login.keychain-db]
In addition, the requested Developer ID Application is in the keychain:
security find-identity -v -p codesigning
1) HASH_ID_HERE "Developer ID Application: My Organization (USER_ID_OF_CERTIFICATE)"
1 valid identities found
Can anyone help with this issue? I already found some articles about it, but without success.
This issue is related to this one here. I was not using the --mac- flags, but then I was having problems with notarization with the same libjli.dylib. This post is me trying the solution of the old one.
{
"logFormatVersion": 1,
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"issues": [
{
"severity": "error",
"code": null,
"path": "path/to/my/APP.app/Contents/runtime/Contents/MacOS/libjli.dylib",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "x86_64"
}
]
}
I found an issue in jpackage's code. My organization's certificates have accents in the name. I'm from Brazil, so we use a lot of accents here, like "João" and "Informática", etc.
The option --mac-sign tells jpackage to sign the package according to the certificates available in the keychain.
When jpackage tries to find the certificates installed in the system with the command /usr/bin/security find-certificate -c Developer ID Application: My Informática Organization the output is something like this:
[12:12:45.999] Output:
keychain: "/Users/MyUser/Library/Keychains/login.keychain-db"
version: 512
class: 0x80001000
attributes:
"alis"<blob>=0x446576656C6F7065722049443A20416E696D6174692053697374656D617320646520496E666F726DC3A174696361204C746461202D20455050202836355A3444 "Developer ID Application: My Inform\303\241tica Organization (USER_ID)"
"cenc"<uint32>=0x00000003
"ctyp"<uint32>=0x00000001
"hpky"<blob>=0x85815880BCCB6724HASH199EE84FE26B0C9F "\205\201X\200\274\313g$\002\016\014d\031\342k\014\237"
Then, the MacBaseInstallerBundler.java class from the JDK tries to match the output with the given --mac-signing-key-user-name parameter (in my case My Informática Organization):
Pattern p = Pattern.compile("\"alis\"<blob>=\"([^\"]+)\"");
Matcher m = p.matcher(baos.toString());
if (!m.find()) {
    Log.error(MessageFormat.format(I18N.getString("error.cert.not.found"), key, keychainName));
    return null;
}
The matcher doesn't find my developer certificate because it is looking for My Informática Organization but the output returns My Inform\303\241tica Organization.
And we see the message in the logs: No certificate found matching [{0}] using keychain [{1}]
All of that is in jpackage's code from OpenJDK 17.
I really don't know if there is an option in the Mac system or in Java that returns the output from security find-certificate in UTF-8. As I was running out of time, the easiest solution was to make another Apple account.
Solution: I had to make another Apple account WITHOUT accents in my name (My Informatica Organization) and ask again to enroll in Apple's developer program.
[EDIT] I already sent an e-mail to jdk bug report, but no response.
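The following is an added example, not part of the original post and not the JDK's own code. It runs the pattern quoted in the answer against the two shapes of the "alis" line that security prints (a quoted string for an ASCII label, 0x hex followed by an octal-escaped string for an accented one), then recovers the label from the hex blob. The TOLERANT pattern, the alias and sameName helpers, and the sample strings with the TEAMID0000 placeholder are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.text.Normalizer;
import java.util.HexFormat;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AlisLabel {
    // Pattern quoted in the answer: requires a quoted string directly after '='.
    static final Pattern STRICT = Pattern.compile("\"alis\"<blob>=\"([^\"]+)\"");
    // Added pattern (assumption): also accepts the 0x<hex> form that precedes the quoted text.
    static final Pattern TOLERANT =
            Pattern.compile("\"alis\"<blob>=(?:0x([0-9A-Fa-f]+)\\s+)?\"([^\"]*)\"");

    // Returns the certificate label, decoding the hex blob as UTF-8 when present.
    static Optional<String> alias(String securityOutput) {
        Matcher m = TOLERANT.matcher(securityOutput);
        if (!m.find()) return Optional.empty();
        String hex = m.group(1);
        if (hex == null) return Optional.of(m.group(2));      // plain ASCII label
        if (hex.length() % 2 != 0) return Optional.empty();   // truncated blob
        byte[] raw = HexFormat.of().parseHex(hex);
        return Optional.of(new String(raw, StandardCharsets.UTF_8));
    }

    // Compares labels after NFC normalization so composed/decomposed accents agree.
    static boolean sameName(String a, String b) {
        return Normalizer.normalize(a, Normalizer.Form.NFC)
                .equals(Normalizer.normalize(b, Normalizer.Form.NFC));
    }

    public static void main(String[] args) {
        // Constructed sample data; TEAMID0000 is a placeholder, not a real team ID.
        String wanted = "Developer ID Application: My Inform\u00e1tica Organization (TEAMID0000)";
        String hex = HexFormat.of().withUpperCase()
                .formatHex(wanted.getBytes(StandardCharsets.UTF_8));
        String ascii = "\"alis\"<blob>=\"Developer ID Application: My Informatica Organization (TEAMID0000)\"";
        String accented = "\"alis\"<blob>=0x" + hex
                + "  \"Developer ID Application: My Inform\\303\\241tica Organization (TEAMID0000)\"";

        System.out.println("strict, ASCII label:     " + STRICT.matcher(ascii).find());
        System.out.println("strict, accented label:  " + STRICT.matcher(accented).find());
        String decoded = alias(accented).orElse("<none>");
        System.out.println("tolerant, decoded label: " + decoded);
        System.out.println("matches requested name:  " + sameName(decoded, wanted));
    }
}
```

Run it with `java AlisLabel.java` on JDK 17 or later (HexFormat was added in 17).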