Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Eclipse JustJ » JustJ.openJDK signed and hardened(Apple app notarization requires embedded JRE to be signed and hardened runtime)
JustJ.openJDK signed and hardened [message #1843289] Thu, 22 July 2021 19:37 Go to next message
Ralph Bosson is currently offline Ralph BossonFriend
Messages: 16
Registered: July 2009
Junior Member
First - thank you for JustJ, it has made creating multi-platform RCP apps via Tycho a straight forward process. As expected our RCP-3 app finds the JRE as advertised. Our problem arises when we attempt to get application notarization from Apple. The errors returned are The signature algorithm used is too weak and The executable does not have the hardened runtime enabled. The errors are generated through-out the bin folder. A typical error will look like.
{
0835/jre/bin/jarsigner",
"message": "The signature algorithm used is too weak.",
"docUrl": null,
"architecture": "x86_64"
}, {
0835/jre/bin/jarsigner",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
},
I have tested this with version 14.0.2.v20200815-0932 and version 11.0.2. Both return the same errors. Is there a hardened/signed version available or is there an approach/workaround that I'm not seeing.
Thanks again
Re: JustJ.openJDK signed and hardened [message #1843301 is a reply to message #1843289] Fri, 23 July 2021 04:28 Go to previous messageGo to next message
Ed Merks is currently offline Ed MerksFriend
Messages: 33085
Registered: July 2009
Senior Member
The eclipse installer and the several of the packages from here use these JREs for the Mac and are notarized without a problem:

https://www.eclipse.org/downloads/packages/

Likely there is some issue with the entitlements used for signing. For the installer, the signing is done like this:

https://git.eclipse.org/c/oomph/org.eclipse.oomph.git/tree/products/org.eclipse.oomph.setup.installer.product/pom.xml#n184

It uses these entitlements:

https://git.eclipse.org/c/oomph/org.eclipse.oomph.git/tree/releng/org.eclipse.oomph.releng/hudson/installer.entitlements



Ed Merks
Professional Support: https://www.macromodeling.com/
Re: JustJ.openJDK signed and hardened [message #1843321 is a reply to message #1843301] Fri, 23 July 2021 13:07 Go to previous messageGo to next message
Ralph Bosson is currently offline Ralph BossonFriend
Messages: 16
Registered: July 2009
Junior Member
Thanks for the near instant reply - can't tell you how much I appreciate it. I will work with the information you supplied and will post my result just in case someone else has the same issue.

Be well
Re: JustJ.openJDK signed and hardened [message #1843331 is a reply to message #1843321] Fri, 23 July 2021 15:47 Go to previous message
Ralph Bosson is currently offline Ralph BossonFriend
Messages: 16
Registered: July 2009
Junior Member
Can claim the pattern below will work for anyone but me. But just in case it helps another. Thanks again for you help.

Step #1 Check entitlements of binary
codesign -d --entitlements :- [path-to-app]
Result: listed the expected entitlements - Although the entitlements list they were not recognized when notarizing.

Step #2 Check signature of binary
codesign --verify --verbose /[path-to-app]
Result: code has no resources but signature indicates they must be present (this message prompted the use of --force when signing the app and setting entitlements)

Step #3 Sign JRE
codesign --verbose=4 -s "[Developer ID Application Cert. ID]" "[path-to-app]/Contents/Eclipse/plugins/org.eclipse.justj.openjdk.hotspot.jre.full_14.0.2.v20200815-0932.jar"

Step #4 Sign App
codesign --verbose=4 --force -s "[Developer ID Application Cert. ID]" [path-to-app]

Step #5 Enable hardened runtime (the --sign command here is possibly redundant)
codesign --verbose=4 --force --entitlements "[path-to]/Entitlements.plist" --options runtime --timestamp --sign "Developer ID Application Cert. ID]" "[path-to-app]"

Step #6 Zip up app

Step #7 Upload to Apple
xcrun altool --notarize-app -primary-bundle-id "some arbitrary version value" --username "[Apple ID]" -password "@keychain:[app specific password]" --file "[path-to-app.zip]"
password: [app specific password]

Result: No errors uploading '[path-to-app.zip]'.
RequestUUID = [notarization job UUID]

Step #7 Get notarization log
xcrun altool --notarization-info [notarization job UUID] -u [Apple ID] -p [app specific password]
Previous Topic:Legal Obligations when including a JRE from JustJ
Next Topic:How to get JDK sources from JustJ
Goto Forum:
  


Current Time: Tue Mar 05 00:06:12 GMT 2024

Powered by FUDForum. Page generated in 0.02659 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top