-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot sign jar with .jnilib file inside it #229
Comments
@b-zurg The latest Since you're using {
"config": {
"forge": {
"electronPackagerConfig": {
"osxSign": {
"binaries": ["myapp.app/Contents/Resources/app.asar.unpacked/node_modules/elasticsearch/lib/jna-4.5.1.jar/com/sun/jna/darwin/libjnidispatch.jnilib"]
}
}
}
}
} |
Sorry I just realized that https://stackoverflow.com/questions/53439639/notarize-java-app-for-distribution-on-mac-app-store |
Ohhh interesting. How unfortunate 😆 I wonder if the following approach would work:
This could potentially be an optional process with an array of known |
@b-zurg Does this manual workaround work on your end? 🤔 |
I did figure it out. I used the following commands to test it out. mkdir .repackage
cp resources/elastic/lib/jna-4.5.1.jar .temp
cd .temp
unzip jna-4.5.1.jar
codesign --force --deep --sign "Developer ID Application: ...." com/sun/jna/darwin/lib/libjnidispatch.jnilib
zip -r -u jna-4.5.1.jar com META_INF
codesign --force --deep --sign "Developer ID Application: ...." jna-4.5.1.jar
cp jna-4.5.1.jar jna-4.5.1.zip
xcrun altool --notarize-app --primary-bundle-id "myapp.org" --username "user" --password "pass" --file jna-4.5.1.zip The reason I renamed it to a zip file was just for testing purposes as the notarization tool doesn't accept anything but zip, dmg, and pkg I think. So having the basics of the process down I was able to automate it using the following hook in my electron-forge config: prePackage: () => {
const run = (cmd, cwd) => execa.commandSync(cmd, { shell: true, cwd });
const jar = "jna-4.5.1.jar";
const jarDir = "resources/elastic/lib";
const workingDir = ".temp";
try {
if(process.platform === "darwin") {
run(`mkdir ${workingDir}`);
run(`cp ${jarDir}/${jar} ${workingDir}`);
run(`unzip ${jar}`, workingDir);
run(`codesign --force --deep --sign "${process.env.APPLE_CERT_IDENTITY}" com/sun/jna/darwin/libjnidispatch.jnilib`, workingDir);
run(`zip -r -u ${jar} com META-INF`, workingDir);
run(`/bin/cp ${workingDir}/${jar} ${jarDir}/${jar}`);
run(`rm -R ${workingDir}`);
console.log(`[forge/hooks/prePackage] - successfully repacked ${jarDir}/${jar} to handle signing inner native dependency.`);
}
} catch(error) {
run(`rm -R ${workingDir}`);
console.error(`Could not repackage ${jar}. Please check the "prePackage" hook in forge.config.js to ensure that it's working. This jar has to be treated specially because it has a native library and apple's codesign does not sign inner native libraries correctly for jar files`);
throw error;
}
}, It works pretty well. I think it would be good if others didn't have to go through the same journey I did, and I could imagine this coming up for anyone else who's packaging a java application alongside their electron app. I'm actually surprised it hasn't come up before but perhaps having native libs in a If you did want to automate it I could imagine a separate routine that took an array of What do you think? Would that be too much added code? |
@b-zurg Thanks for coming up with the automated script! ❤️ This is great! The latest changes are available here: https://github.com/electron/electron-osx-sign/tree/traverse-archives This should handle almost all zip-like archives (including jar files) and nested archives. All files in archives are treated mostly the same way as if they are not inside of an archive by Currently it's disabled by default but one can opt-in the automation with the added flag |
@sethlu Amazing! I'll give it a try in the coming days. |
Ok I came across something very interesting:
I tried out this file The best way to do this seems to be to run An example run:
In this we can see that the first file exits with code 9 and the valid zip-like What do you think? |
@b-zurg Ah yes, thanks for finding this! I think the case where some files begin like a zip file wasn't well handled. |
Every time I run electron-osx-sign (through electron-forge) and then the notarization process I get the following errors:
What's basically happening is that the .jar has this
.jnilib
file that's not being signed for some reason, but everything else is.I would really appreciate some help with this issue.
The .jar can be found here (I had to zip it to upload it to github)
jna-4.5.1.zip
The text was updated successfully, but these errors were encountered: