用于OS X Gatekeeper的代码签名Java应用程序
[英]Code sign Java app for OS X Gatekeeper
问题描述
I am trying to distribute a Java application to OS X users. 
我正在尝试将Java应用程序分发给OS X用户。 I am not using the Mac store - it is to be distributed through my own website. 我没有使用Mac商店 - 它将通过我自己的网站分发。 Whatever I try, OS X's Gatekeeper rejects the app. 无论我尝试什么,OS X的Gatekeeper拒绝该应用程序。
Here's my method: 这是我的方法:
(1) Build the app as usual, get a JAR file (1)像往常一样构建应用程序,获取一个JAR文件
(2) Use appbundler as described here: https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/packagingAppsForMac.html . (2)使用如下所述的appbundler : https : appbundler 。 This creates a .app around my JAR which runs nicely, and contains the JVM in the MyApp.app/Contents/PlugIns directory. 这会在我的JAR周围创建一个运行良好的.app,并在MyApp.app/Contents/PlugIns目录中包含JVM。
(3) Sign the app with my Developer certificate: (3)使用我的开发者证书签署应用程序:
codesign -s 'Developer ID Application: MyCompany Ltd' --deep MyApp.app
...process completes successfully ...过程成功完成
(4) Verify that the .app will adhere to Gatekeeper's iron-fist laws: (4)确认.app将遵守关守的铁拳法则:
spctl --assess --verbose=4 --type execute MyApp.app
...and the result I get back is: ......我得到的结果是:
MyApp.app: a sealed resource is missing or invalid
Doesn't seem very verbose to me! 对我来说似乎不是很啰嗦! What could I be doing wrong? 我能做错什么? Or how can I get more information? 或者我怎样才能获得更多信息?
SO/Google searches around 'a sealed resource...' refer to signing frameworks (which I don't have) or suggest signing with the --force option (which I tried but doesn't work). SO / Google搜索“密封的资源......”是指签署框架(我没有)或建议使用--force选项进行签名(我尝试但不起作用)。
1 个解决方案
解决方案1
7 已采纳 2014-11-14 20:45:26
You can't use --deep . 你不能使用--deep 。 It sounds like the right option to use, since you also need to sign the embedded JRE, but it won't work. 这听起来像是正确的选项,因为您还需要对嵌入式JRE进行签名,但它不起作用。 From Apple's docs : 来自Apple的文档 :
Important: While the --deep option can be applied to a signing operation, this is not recommended.
After a lot of hair-pulling, I cobbled this together from various tutorials. 经过大量的拉扯,我从各种教程中拼凑出来。 This one was the most helpful. 这个是最有帮助的。 Here was my final solution as an Ant script: 这是我作为Ant脚本的最终解决方案:
<!-- code sign -->
<exec executable="chmod">
<arg line="a+w ${build.dir}/Mac/MyApp.app/Contents/PlugIns/jre"/>
</exec>
<apply executable="codesign"> <!-- note: this loops through the contents of dir -->
<arg line="-f -s 'Developer ID Application: My Organization'"/>
<fileset dir="${build.dir}/Mac/MyApp.app/Contents/PlugIns/jre" />
</apply>
<exec executable="codesign" dir="${build.dir}/Mac">
<arg line="-f -s 'Developer ID Application: My Organization' MyApp.app/Contents/PlugIns/jre"/>
</exec>
<exec executable="codesign" dir="${build.dir}/Mac">
<arg line="-f -s 'Developer ID Application: My Organization' MyApp.app/Contents/PlugIns/jre/Contents/_CodeSignature/CodeResources"/>
</exec>
<!-- also codesign anything else in _CodeSignature (see comments) -->
<exec executable="codesign" dir="${build.dir}/Mac">
<arg line="-f -s 'Developer ID Application: My Organization' MyApp.app"/>
</exec>
<!-- verify codesign -->
<exec executable="codesign" dir="${build.dir}/Mac" failonerror="true">
<arg line="-vv MyApp.app"/>
</exec>
<!-- verify gatekeeper -->
<exec executable="spctl" dir="${build.dir}/Mac" failonerror="true">
<arg line="-vv --assess --type execute MyApp.app"/>
</exec>
Another thing to look out for is not to use the command-line zip to package your app after signing, because it will break the codesign of the app. 需要注意的另一件事是不要使用命令行zip在签名后打包你的应用程序,因为它会破坏应用程序的协同设计。 You should package it using productbuild , PackageMaker, xip , or in a dmg. 您应该使用productbuild ,PackageMaker, xip或dmg打包它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.