Thanks for the feedback everyone. I guess, instead of encrypting my executables to evade Apple's notarization, I'll go the codesign route as well. The only question I'm asking myself is: why doesn't jpackage handle this? I feed it the --macsign and --mac-signing-key-user-name arguments, but it only seems to sign the actual package with that.
Best everyone - and sorry again for the off-topic thread.
Tom

> On Oct 4, 2024, at 11:35 AM, Eirik Bakke <eba...@ultorg.com> wrote:
>
> > But what to do about the JGit JNA dependency? I read sometime back that
> > Netbeans also uses JGit - if that's true, how do the community members that
> > provide the DMG installer of NB handle this notarization requirement? Or
> > is there a version of JGit that's pure Java that I could use instead and
> > avoid the issue altogether?
>
> For my own NetBeans Platform application [1] I have various GitHub Actions
> scripts that assemble and sign the executables for Windows, MacOS, and Linux.
> My MacOS notarization script includes running "codesign" on various
> individual files inside the package. Sometimes that requires unzipping a JAR
> file, signing a native library inside it, and zipping it back up again.
>
> E.g. currently I'm running codesign manually on...
> platform/modules/lib/aarch64/libjnidispatch-nb.jnilib
> platform/modules/lib/x86_64/libjnidispatch-nb.jnilib
> platform/modules/lib/libflatlaf-macos-x86_64.dylib
> platform/modules/lib/libflatlaf-macos-arm64.dylib
> platform/modules/ext/flatlaf-3.5.1.jar (some specific files inside this one)
> platform/modules/ext/jna-5.14.0.jar (some specific files inside this one)
>
> -- Eirik
> [1] https://www.ultorg.com/
>
>
> From: Thomas Wolf <tjw...@gmail.com>
> Date: Thursday, October 3, 2024 at 1:13 PM
> To: NetBeans Mailing List <users@netbeans.apache.org>
> Subject: [somewhat off-topic] need advice for new Mac notarization reqs.
>
> Hi,
> I'll be up-front: this isn't strictly a Netbeans question, but I do wonder
> how NB developers handle this situation and, hopefully, get some ideas about
> what I can do myself.
>
> Recently, I went through my usual notarization process with my application (a
> DMG installer produced by jpackage) only to see the submission fail. Looking
> at the log, Apple is now complaining about the native macOS executables I'm
> bundling in my application's jar file as well as the JNA jar that JGit's jar
> depends on. It seems Apple is getting ever more watchful on what runs on
> their Macs.
>
> I was able to get around the notarization failure on my native executables by
> simply encrypting them. I know, the 'right' thing to do would be to actually
> do the three things Apple now asks for (signing each executable, providing a
> secure time stamp, and having them run in a hardened runtime environment),
> but I have neither the time nor Mac-specific knowledge to go down that path.
> Encrypting those executables will prevent future snooping by Apple as well.
>
> But what to do about the JGit JNA dependency? I read sometime back that
> Netbeans also uses JGit - if that's true, how do the community members that
> provide the DMG installer of NB handle this notarization requirement? Or is
> there a version of JGit that's pure Java that I could use instead and avoid
> the issue altogether?
>
> Thanks in advance,
> Tom
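
The unzip, sign, re-zip step described in the quoted reply, as an added example that is not taken from the thread or from any participant's build scripts. It assumes macOS native libraries inside a JAR can be recognised by a `.dylib` or `.jnilib` suffix, and it calls `codesign` with `--timestamp` and `--options runtime` for the secure timestamp and hardened runtime named in the original message; the signing identity is supplied by the caller.

```python
import os, subprocess, sys, tempfile, zipfile

NATIVE_SUFFIXES = (".dylib", ".jnilib")  # assumption: macOS natives are named this way

def codesign(path, identity):
    """Sign one file on disk with a secure timestamp and the hardened runtime."""
    subprocess.run(["codesign", "--force", "--timestamp", "--options", "runtime",
                    "--sign", identity, path], check=True)

def sign_natives_in_jar(jar_path, identity, sign=codesign):
    """Rewrite jar_path with each native entry signed; return the entries signed."""
    signed, tmp_jar = [], jar_path + ".signing"
    try:
        with tempfile.TemporaryDirectory() as work, \
             zipfile.ZipFile(jar_path) as src, \
             zipfile.ZipFile(tmp_jar, "w") as dst:
            for info in src.infolist():
                data = src.read(info)
                if info.filename.endswith(NATIVE_SUFFIXES):
                    # codesign only works on files, so extract, sign, read back.
                    lib = os.path.join(work, os.path.basename(info.filename))
                    with open(lib, "wb") as f:
                        f.write(data)
                    sign(lib, identity)
                    with open(lib, "rb") as f:
                        data = f.read()
                    signed.append(info.filename)
                # Reusing the ZipInfo keeps entry name, order and compression.
                dst.writestr(info, data)
        os.replace(tmp_jar, jar_path)  # swap in only after every entry succeeded
    finally:
        if os.path.exists(tmp_jar):
            os.remove(tmp_jar)
    return signed

if __name__ == "__main__":
    # Usage: python sign_jar_natives.py "<signing identity>" a.jar b.jar ...
    for jar in sys.argv[2:]:
        print(jar, sign_natives_in_jar(jar, sys.argv[1]))
```

The `sign` parameter exists so the repacking logic can be exercised without a signing certificate; entries for other platforms (`.so`, `.dll`) are copied through unchanged.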