We distribute a Java application with a bundled JRE 1.8.0_172. I sign the application with the flags -f --deep and --options runtime. Looking at the CodeResources file in the bundled JRE's _CodeSignature directory, every file in the JRE is signed and listed.
However, after submitting the DMG containing the application to Apple for notarization, our software was rejected. All 60 DYLIB files in the JRE are listed as unsigned. Here is an example:
From the CodeResources file:
<key>Home/jre/lib/libAppleScriptEngine.dylib</key>
<dict>
<key>hash</key>
<data>
oJjQQGky4LuYNhwuBu8zMLG4zbc=
</data>
<key>hash2</key>
<data>
grMACw0q7A9GJyPxlSBDGYEkZKrDusKLRRnXsW/bHGI=
</data>
</dict>
Response from Apple:
"severity": "error",
"code": null,
"path": "TheApplication.dmg/TheApplication.app/Contents/PlugIns/jdk1.8.0_172.jdk/Contents/Home/jre/lib/libAppleScriptEngine.dylib",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
Besides the dylib files, the file jspawnhelper was also rejected as unsigned.
Finally, the file libjli.dylib was rejected for the following reason: "The binary uses an SDK older than the 10.9 SDK."
Has anyone run into a similar problem and then gotten through the notarization process?
January 14, 2020: The steps I used from this website http://www.zarkonnen.com/signing_notarizing_catalina do not work as of today. Apple changed their restrictions. I now have the same issues as I first asked about in this post.
February 21, 2020: It turned out the files listed as not signed were in fact not signed. I now use a shell script to recursively sign every file in our application. I follow that with overall signing of the bundled JRE, other internal apps, and lastly the entire app at the top level.
The remaining problem is Java 8 is not built with files that use the hardened runtime. Hopefully OpenJDK and/or AdoptOpenJDK will soon have new versions of Java 8 that satisfy Apple's hardened runtime requirements.
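As an added example (not the author's script or anything from the JDK project), here is a shell sketch of the recursive signing pass described in the February update: locate every Mach-O file in the bundled JRE by its magic number (so plain-text files are never handed to codesign), sign each one with the hardened runtime and a secure timestamp, deepest paths first, and only then sign the enclosing bundle. The signing identity and the CODESIGN override variable are placeholders chosen for this example.

```shell
#!/bin/sh
# Sign every Mach-O file under a directory (innermost first), then the directory itself.
# CODESIGN may be overridden (e.g. with a logging stub) for a dry run; SIGN_ID is a placeholder.
set -eu

SIGN_ID="${SIGN_ID:-Developer ID Application: PLACEHOLDER (TEAMID)}"   # placeholder identity
CODESIGN="${CODESIGN:-codesign}"                                       # assumed override hook

# Succeed only if the file starts with a Mach-O (thin or fat) magic number.
# Text files such as launcher scripts or .properties must not be passed to codesign.
is_macho() {
  magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# List every Mach-O regular file under $1, deepest directory level first, so that
# the contents of nested bundles are signed before whatever contains them.
find_macho_files() {
  find "$1" -type f | awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2- |
  while IFS= read -r f; do
    if is_macho "$f"; then printf '%s\n' "$f"; fi
  done
}

# Sign one path with the hardened runtime and a secure timestamp, replacing any old signature.
sign_one() {
  "$CODESIGN" --force --timestamp --options runtime --sign "$SIGN_ID" "$1"
}

# Sign every Mach-O file in the tree, then the tree itself (e.g. the .jdk bundle).
# Run this on the bundled JRE first, then on other inner apps, then on the top-level .app.
sign_tree() {
  find_macho_files "$1" | while IFS= read -r f; do sign_one "$f"; done
  sign_one "$1"
}
```

Run as `sign_tree TheApplication.app/Contents/PlugIns/jdk1.8.0_172.jdk` before signing the outer application; the order (files, then bundle, then app) is what keeps the inner signatures from being invalidated.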