javamacosjpackage.appnotarize

jpackage is not finding certificates when using --mac- flags to sign before notarization on MacOS


I'm trying to build an app-image for macos with the following jpackage version:

openjdk 17.0.2 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-86)
OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)

I'm using a bash file to build the command:

"$JDK/bin/jpackage" --type app-image --input "$INPUT/target/" --dest "$INPUT/target/output" --name "$NAME" \
  --main-jar my-jar.jar --main-class org.test.Launcher --add-modules "$JDK_MODULES" \
  --resource-dir "$RES" --copyright "$COPYRIGHT" --app-version "$VERSION" --description "$DESC" --vendor "$VENDOR" \
  --verbose --mac-package-identifier "$IDENTIFIER" --mac-sign --mac-package-signing-prefix "$IDENTIFIER" \
  --mac-signing-key-user-name "My Organization (USER_ID_OF_CERTIFICATE)" \
  --mac-signing-keychain "/Users/MyUser/Library/Keychains/login.keychain-db"

The complete output of this command is the following:

[16:59:06.497] Running /usr/bin/security
[16:59:06.527] Command [PID: 20771]:
    /usr/bin/security find-certificate -c Developer ID Application: My Organization (USER_ID_OF_CERTIFICATE) -a /Users/MyUser/Library/Keychains/login.keychain-db
[16:59:06.527] Output:
    keychain: "/Users/MyUser/Library/Keychains/login.keychain-db"
    version: 512
    class: 0x80001000 
    attributes:
        [omitted by me]
[16:59:06.530] Returned: 0

[16:59:06.531] jdk.jpackage.internal.ConfigException: Signature explicitly requested but no signing certificate found
    at jdk.jpackage/jdk.jpackage.internal.MacAppBundler.doValidate(MacAppBundler.java:136)
    at jdk.jpackage/jdk.jpackage.internal.AppImageBundler.validate(AppImageBundler.java:70)
    at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:675)
    at jdk.jpackage/jdk.jpackage.internal.Arguments.processArguments(Arguments.java:550)
    at jdk.jpackage/jdk.jpackage.main.Main.execute(Main.java:91)
    at jdk.jpackage/jdk.jpackage.main.Main.main(Main.java:52)
[16:59:06.533] jdk.jpackage.internal.PackagerException: Bundler Mac Application Image skipped because of a configuration problem: Signature explicitly requested but no signing certificate found 
Advice to fix: Specify a valid mac-signing-key-user-name and mac-signing-keychain
    at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:688)
    at jdk.jpackage/jdk.jpackage.internal.Arguments.processArguments(Arguments.java:550)
    at jdk.jpackage/jdk.jpackage.main.Main.execute(Main.java:91)
    at jdk.jpackage/jdk.jpackage.main.Main.main(Main.java:52)
Caused by: jdk.jpackage.internal.ConfigException: Signature explicitly requested but no signing certificate found
    at jdk.jpackage/jdk.jpackage.internal.MacAppBundler.doValidate(MacAppBundler.java:136)
    at jdk.jpackage/jdk.jpackage.internal.AppImageBundler.validate(AppImageBundler.java:70)
    at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:675)
    ... 3 more
[16:59:06.531] No certificate found matching [Developer ID Application: My Organization (USER_ID_OF_CERTIFICATE)] using keychain [/Users/MyUser/Library/Keychains/login.keychain-db]

In addition, the requested Developer ID Application is at the keychain:

security find-identity -v -p codesigning
  1) HASH_ID_HERE "Developer ID Application: My Organization (USER_ID_OF_CERTIFICATE)"
     1 valid identities found

Can anyone help with this issue? I already found some articles about, but without success.

This issue relates with this one here, I was not using the --mac- flags but then I was having problems with notarization with the same libjli.dylib. This post is me trying the solution of the old one.

{
  "logFormatVersion": 1,
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "path/to/my/APP.app/Contents/runtime/Contents/MacOS/libjli.dylib",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "x86_64"
    }
  ]
}

Solution

  • I found an issue in jpackage's code. My organization certificates have accentuation in the name. I'm from Brasil, so we use a lot of accentuations here, like "João" and "Informática", etc..

    The option --mac-sign tells that jpackage should assign the package according with the certificates available in the keychain.

    When jpackage tries to find the certificates installed in the system with the command /usr/bin/security find-certificate -c Developer ID Application: My Informática Organization the output is something like this:

    [12:12:45.999] Output:
        keychain: "/Users/MyUser/Library/Keychains/login.keychain-db"
        version: 512
        class: 0x80001000 
        attributes:
            "alis"<blob>=0x446576656C6F7065722049443A20416E696D6174692053697374656D617320646520496E666F726DC3A174696361204C746461202D20455050202836355A3444  "Developer ID Application: My Inform\303\241tica Organization (USER_ID)"
            "cenc"<uint32>=0x00000003 
            "ctyp"<uint32>=0x00000001 
            "hpky"<blob>=0x85815880BCCB6724HASH199EE84FE26B0C9F  "\205\201X\200\274\313g$\002\016\014d\031\342k\014\237"
    

    Then, the MacBaseInstallerBundler.java class from JDK tries to match the output with the given --mac-signing-key-user-name parameter (in my case My Informática Organization)

    Pattern p = Pattern.compile("\"alis\"<blob>=\"([^\"]+)\"");
    Matcher m = p.matcher(baos.toString());
    if (!m.find()) {
       Log.error(MessageFormat.format(I18N.getString("error.cert.not.found"), key, keychainName));
       return null;
    }
    

    The matcher doesn't find my developer certificate because it is looking for My Informática Organization but the output returns My Inform\303\241tica Organization.

    And we see the message in the logs: No certificate found matching [{0}] using keychain [{1}]

    All of that is at jpackage's code from openJDK17

    enter image description here

    I really don't known if there is an option in Mac system or in Java that returns the output from security find-certificate in UTF-8. As I was running out of time, the easiest solution was to make another apple account.

    Solution: I had to make another apple account WITHOUT accentuation in my name (My Informatica Organization) and ask again to enroll in the apple's developer program.

    [EDIT] I already sent an e-mail to jdk bug report, but no response.