> But what to do about the JGit JNA dependency? I read sometime back that > Netbeans also uses JGit - if that's true, how do the community members that > provide the DMG installer of NB handle this notarization requirement? Or is > there a version of JGit that's pure Java that I could use instead and avoid > the issue altogether?
For my own NetBeans Platform application [1] I have various GitHub Actions scripts that assemble and sign the executables for Windows, MacOS, and Linux. My MacOS notarization script includes running "codesign" on various individual files inside the package. Sometimes that requires unzipping a JAR file, signing a native library inside it, and zipping it back up again. E.g. currently I'm running codesign manually on... platform/modules/lib/aarch64/libjnidispatch-nb.jnilib platform/modules/lib/x86_64/libjnidispatch-nb.jnilib platform/modules/lib/libflatlaf-macos-x86_64.dylib platform/modules/lib/libflatlaf-macos-arm64.dylib platform/modules/ext/flatlaf-3.5.1.jar (some specific files inside this one) platform/modules/ext/jna-5.14.0.jar (some specific files inside this one) -- Eirik [1] https://www.ultorg.com/ From: Thomas Wolf <tjw...@gmail.com> Date: Thursday, October 3, 2024 at 1:13 PM To: NetBeans Mailing List <users@netbeans.apache.org> Subject: [somewhat off-topic] need advice for new Mac notarization reqs. Hi, I'll be up-front: this isn't strictly a Netbeans question, but I do wonder how NB developers handle this situation and, hopefully, get some ideas about what I can do myself. Recently, I went through my usual notarization process with my application (a DMG installer produced by jpackage) only to see the submission fail. Looking at the log, Apple is now complaining about the native macOS executables I'm bundling in my application's jar file as well as the JNA jar that JGit's jar depends on. It seems Apple is getting ever more watchful on what runs on their Macs. I was able to get around the notarization failure on my native executables by simply encrypting them. I know, the 'right' thing to do would be to actually do the three things Apple now asks for (signing each executable, providing a secure time stamp, and having them run in a hardened runtime environment), but I have neither the time nor Mac-specific knowledge to go down that path. Encrypting those executables will prevent future snooping by Apple as well. But what to do about the JGit JNA dependency? I read sometime back that Netbeans also uses JGit - if that's true, how do the community members that provide the DMG installer of NB handle this notarization requirement? Or is there a version of JGit that's pure Java that I could use instead and avoid the issue altogether? Thanks in advance, Tom --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org<mailto:users-unsubscr...@netbeans.apache.org> For additional commands, e-mail: users-h...@netbeans.apache.org<mailto:users-h...@netbeans.apache.org> For further information about the NetBeans mailing lists, visit: https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
