Hi Jonah,
The log indicates the following are not signed
org.eclipse.cdt.core.macosx_6.0.200.202104050118.jar/os/macosx/x86/libpty.jnilib
org.eclipse.cdt.core.macosx_6.0.200.202104050118.jar/os/macosx/x86/libspawner.jnilib
org.eclipse.cdt.core.macosx_6.0.200.202104050118.jar/os/macosx/x86_64/libpty.jnilib
org.eclipse.cdt.core.macosx_6.0.200.202104050118.jar/os/macosx/x86_64/libspawner.jnilib
org.eclipse.cdt.native.serial_1.2.200.202104050118.jar/os/macosx/x86_64/libserial.jnilib
In platform case we sign native libraries using these shell functions
Code snippets:
# Sign a native library with the Eclipse CBI macOS codesign web service.
fn-mac-sign ()
{
  filename=$1
  mv "${filename}" "unsigned-${filename}"
  # --fail: an HTTP error becomes a non-zero exit instead of being saved as the "signed" file
  curl --fail -o "${filename}" -F "file=@unsigned-${filename}" https://cbi.eclipse.org/macos/codesign/sign
  if [ $? -ne 0 ]
  then
    echo "Signing of ${filename} failed"
    exit 1
  else
    rm "unsigned-${filename}"
  fi
}
# Sign an executable, sending the SDK entitlements file along with it.
fn-mac-sign-exe ()
{
  filename=$1
  mv "${filename}" "unsigned-${filename}"
  rm -f sdk.entitlement
  wget https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/plain/eclipse.platform.releng.tychoeclipsebuilder/entitlement/sdk.entitlement
  curl --fail -o "${filename}" -F "file=@unsigned-${filename}" -F entitlements=@sdk.entitlement https://cbi.eclipse.org/macos/codesign/sign
  if [ $? -ne 0 ]
  then
    echo "Signing of ${filename} failed"
    exit 1
  else
    rm "unsigned-${filename}"
  fi
}
Most probably cdt team did not have this implemented. That might be the reason why you are seeing notarization issues with cdt.
Regarding the problem with jna libraries, I haven't seen this problem in platform. I had a review of the notarization log reproduced below
SDK Product for arm64
{
"uuid":"0875adfd-7e13-4d97-9761-0e1bcffae634",
"notarizationStatus":{
"status":"COMPLETE",
"message":"Notarization ticket has been stapled successfully to uploaded file. You can now download the stapled file",
"moreInfo":"Notarization ticket has been stapled to the uploaded file successfully",
"log":"{
"logFormatVersion": 1,
"jobId": "934151c1-f2b7-4436-920d-d3861d82e457",
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg",
"uploadDate": "2021-04-15T06:26:04Z",
"sha256": "d9e03d950106239ab82d9be40de6ffa1556def951e9052fbc21507a47c0b4dab",
"ticketContents": [
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg",
"digestAlgorithm": "SHA-256",
"cdhash": "8fb39088b61f14afcb3534e1df5104636da58285"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app",
"digestAlgorithm": "SHA-256",
"cdhash": "eeb0720e99d4374982b0b1134e17087e47c874ab",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/p2/org.eclipse.equinox.p2.core/cache/binary/org.eclipse.sdk.ide.executable.cocoa.macosx.arm64_4.20.0.I20210415-0010/MacOS/eclipse",
"digestAlgorithm": "SHA-256",
"cdhash": "1fd82def0bceccd5323f58b364b5f9256dc428ce",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.core.filesystem.macosx_1.3.300.v20210323-1619.jar/os/macosx/libunixfile_1_0_0.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "e37eb237e4687575f774c028e8aa4a4913e37a37",
"arch": "x86_64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.core.filesystem.macosx_1.3.300.v20210323-1619.jar/os/macosx/libunixfile_1_0_0.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "86006f61e0eadafeb935a0de05828ea98a6308e1",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.security.macosx_1.101.400.v20210326-2149.jar/libkeystoreNative.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "ed40b217ecca26fd72ac7ee3e7abd8c4bc2596fa",
"arch": "x86_64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.security.macosx_1.101.400.v20210326-2149.jar/libkeystoreNative.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "f0724dea441043db4efe6f3bc27a34bc73e87439",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.arm64_3.116.100.v20210414-2208.jar/libswt-awt-cocoa-4944r16.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "30398a50428da1528a2df7862c34e9faadcd6049",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.arm64_3.116.100.v20210414-2208.jar/libswt-cocoa-4944r16.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "0d0ab568f652e89e5faaabdb52cb334f229937b5",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.arm64_3.116.100.v20210414-2208.jar/libswt-pi-cocoa-4944r16.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "78b052a8654d114f5aa96ff0eae4a8a3df6371fd",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.arm64_1.2.200.v20210409-2137/eclipse_11404.so",
"digestAlgorithm": "SHA-256",
"cdhash": "38d5acf197444cbb7717fea3dbfb2093623eb6e0",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx_1.2.200.v20210409-2137/eclipse_11404.so",
"digestAlgorithm": "SHA-256",
"cdhash": "38d5acf197444cbb7717fea3dbfb2093623eb6e0",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/MacOS/eclipse",
"digestAlgorithm": "SHA-256",
"cdhash": "eeb0720e99d4374982b0b1134e17087e47c874ab",
"arch": "arm64"
}
],
"issues": null
}"
}
}
SDK Product for x86_64
{
"uuid":"ac5ae3f9-69a2-40a6-9660-44e4c7f34a7d",
"notarizationStatus":{
"status":"COMPLETE",
"message":"Notarization ticket has been stapled successfully to uploaded file. You can now download the stapled file",
"moreInfo":"Notarization ticket has been stapled to the uploaded file successfully",
"log":"{
"logFormatVersion": 1,
"jobId": "906f291a-5279-4fb4-b943-315533365178",
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg",
"uploadDate": "2021-04-15T06:26:21Z",
"sha256": "0678633ba773311739cf3811782e21e8dbe075dc73078e2ff033dd836b7975e4",
"ticketContents": [
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg",
"digestAlgorithm": "SHA-256",
"cdhash": "19ac7d3a7e0c5c90eb22e6a746bcb45540afb25d"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app",
"digestAlgorithm": "SHA-256",
"cdhash": "99132c8fb1afb13dade48f4c7f88e509bcaa9fa3",
"arch": "x86_64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/p2/org.eclipse.equinox.p2.core/cache/binary/org.eclipse.sdk.ide.executable.cocoa.macosx.x86_64_4.20.0.I20210415-0010/MacOS/eclipse",
"digestAlgorithm": "SHA-256",
"cdhash": "0c8645d95bc30c0d9442c79d149c20da71ddab5a",
"arch": "x86_64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.core.filesystem.macosx_1.3.300.v20210323-1619.jar/os/macosx/libunixfile_1_0_0.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "e37eb237e4687575f774c028e8aa4a4913e37a37",
"arch": "x86_64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.core.filesystem.macosx_1.3.300.v20210323-1619.jar/os/macosx/libunixfile_1_0_0.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "86006f61e0eadafeb935a0de05828ea98a6308e1",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.security.macosx_1.101.400.v20210326-2149.jar/libkeystoreNative.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "ed40b217ecca26fd72ac7ee3e7abd8c4bc2596fa",
"arch": "x86_64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.security.macosx_1.101.400.v20210326-2149.jar/libkeystoreNative.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "f0724dea441043db4efe6f3bc27a34bc73e87439",
"arch": "arm64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.x86_64_3.116.100.v20210414-2208.jar/libswt-awt-cocoa-4944r16.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "1e8712079396137bc1acaade9a16bb63619c644e",
"arch": "x86_64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.x86_64_3.116.100.v20210414-2208.jar/libswt-cocoa-4944r16.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "aa3d46be45a68c6cd7f07311078689006c6b111f",
"arch": "x86_64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.x86_64_3.116.100.v20210414-2208.jar/libswt-pi-cocoa-4944r16.jnilib",
"digestAlgorithm": "SHA-256",
"cdhash": "83369b80774681587d61a14e842fe218b56d4ac1",
"arch": "x86_64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.2.200.v20210409-2137/eclipse_11404.so",
"digestAlgorithm": "SHA-256",
"cdhash": "576bca6d63b0a3e7542fe3d9d107f72af2c7be7d",
"arch": "x86_64"
},
{
"path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/MacOS/eclipse",
"digestAlgorithm": "SHA-256",
"cdhash": "99132c8fb1afb13dade48f4c7f88e509bcaa9fa3",
"arch": "x86_64"
}
],
"issues": null
}"
}
}
Jna libraries are not even logged here. Not sure on how this happened. I guess this is the reason we don’t see notarization errors.
Sorry if I am not of much help here
Regards
Sravan
Hi Platform releng folk,
I can confirm similar failures that Martin reported when I tried to notarize the EPP packages. However I don't see the JNA failures, I do see CDT's native libraries failing to notarize.
Has the Platform done anything to handle such notarization for JNA that Orbit and/or EPP and/or CDT can do to resolve this?
---------- Forwarded message ---------
From: Martin D'Aloia <martindaloia@xxxxxxxxx>
Date: Wed, 14 Apr 2021 at 00:06
Subject: Re: [orbit-dev] macOS Native libjnidispatch.jnilib in com.sun.jna_* jars not codesigned
To: Orbit Developer discussion <orbit-dev@xxxxxxxxxxx>
Jonah,
Thanks for the quick response and pointing out the issue on the project (didn't know about that project). The full error log thrown to us by the Apple Notarization service is exactly the same as the one shown there.
[...] because the Orbit project does not build the natives
Really there is no need to (re)build the native libraries, it could be codesigned using the file present on the released jar. In fact it is what we ended up doing in our pipeline (using our Apple Developer certificate).
I'm not aware if there is already another bundle in Orbit that has a native library that is codesigned by the Eclipse project.
[...] the bug has a clue as to the problem with notarization, the version of macOS?
The version isn't really the problem as it is notarized on an Apple service.
Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run.
Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized.
I still don't know why the notarization of the Eclipse is not throwing an error about it.
$ spctl -a -vvv -t install Eclipse-4.20M1.app
Eclipse-4.20M1.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)
$ jar xf com.sun.jna_5.8.0.v20210406-1004.jar com/sun/jna/darwin-aarch64/libjnidispatch.jnilib com/sun/jna/darwin-x86-64/libjnidispatch.jnilib
$ codesign -vvv --display --deep --strict com/sun/jna/darwin-aarch64/libjnidispatch.jnilib
Executable=/Users/mdaloia/Downloads/notarization/eclipse-418/com/sun/jna/darwin-aarch64/libjnidispatch.jnilib
Identifier=libjnidispatch-aarch64.jnilib
Format=Mach-O universal (arm64)
CodeDirectory v=20400 size=1366 flags=0x20002(adhoc,???) hashes=39+0 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=0bbfc8b3d63d8668a4700838b2be6ae86ad03230
CandidateCDHashFull sha256=0bbfc8b3d63d8668a4700838b2be6ae86ad03230e927c6c0f7373bd9db98034f
Hash choices=sha256
CMSDigest=0bbfc8b3d63d8668a4700838b2be6ae86ad03230e927c6c0f7373bd9db98034f
CMSDigestType=2
CDHash=0bbfc8b3d63d8668a4700838b2be6ae86ad03230
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none
$ codesign -vvv --display --deep --strict com/sun/jna/darwin-x86-64/libjnidispatch.jnilib
com/sun/jna/darwin-x86-64/libjnidispatch.jnilib: code object is not signed at all
Let me know if I can make any other test if needed.
Hi Martin,
Thank you for bringing this to our collective attention. As far as I know the Eclipse platform notarizes every build available from https://download.eclipse.org/eclipse/downloads/ and I haven't heard of any recent notarization problems. I will be building and notarizing the EPP packages on Thursday so I will keep this in mind.
I don't have easy access to a macOS machine - can you see if the 4.20M1 bundle available from the above link has the same issue? If not, I suspect in some way the notarization is being run differently.
However, if this is a problem and the JNA needs to be signed for macOS then the problem probably needs to be resolved by the JNA project because the Orbit project does not build the natives. However, the project has recently made it clear that this won't happen - see https://github.com/java-native-access/jna/issues/1306. (BTW the bug has a clue as to the problem with notarization, the version of macOS?)
PS With any luck the final 4.20 (2021-06) release will not have JNA 4.5 in it and instead will be upgraded to JNA 5.8. Already 5.8 is used in some places.
Hi,
We sent our product (based on Eclipse 4.18) to Apple Notarization service and it failed with the following errors for this native library: plugins/com.sun.jna_4.5.1.v20190425-1842.jar/com/sun/jna/darwin/libjnidispatch.jnilib
- The binary is not signed.
- The signature does not include a secure timestamp.
Shouldn't this dependency be codesigned in Orbit?
Should I open a bug?
What is odd is that Eclipse 4.19 seems to be notarized but verifying this lib on the shipped jar we could see that it is not codesigned. I have no other explanation than it is a recent requirement from Apple. If that is the case maybe the notarization of Eclipse 4.20 would face the same issue.
$ cat Eclipse.app/Contents/Eclipse/.eclipseproduct
name=Eclipse Platform
id=org.eclipse.platform
version=4.19.0
$ spctl -a -vvv -t install Eclipse.app
Eclipse.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)
$ jar xf Eclipse.app/Contents/Eclipse/plugins/com.sun.jna_4.5.1.v20190425-1842.jar com/sun/jna/darwin/libjnidispatch.jnilib
$ codesign -vvv --display --deep --strict com/sun/jna/darwin/libjnidispatch.jnilib
com/sun/jna/darwin/libjnidispatch.jnilib: code object is not signed at all
If needed I can provide expected output and full error json provided by the Apple Notarization service.
_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/orbit-dev
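Added example (not part of the original thread, and not Eclipse, Orbit or JNA code): the `codesign` checks in the messages above are run on one extracted library at a time, so this Python code scans every entry of a jar for Mach-O images and reports each slice that has no `LC_CODE_SIGNATURE` load command, which is the "code object is not signed at all" case. An ad-hoc signature carries that load command too, so a clean result still needs `codesign -dvvv` to confirm the Developer ID and timestamp; the function names and the sample jar are constructed for illustration.

```python
import io
import struct
import zipfile

LC_CODE_SIGNATURE = 0x1D  # also present on ad-hoc signatures, so "signed" != Developer ID
HEADER_SIZE = {0xFEEDFACE: 28, 0xFEEDFACF: 32}  # thin magic -> mach_header size
CPU = {7: "x86", 0x01000007: "x86_64", 0x0100000C: "arm64"}

def thin_slice(data):
    """Return (arch, signed) for one little-endian Mach-O image, else None."""
    if len(data) < 28 or struct.unpack_from("<I", data)[0] not in HEADER_SIZE:
        return None
    magic, cpu, _sub, _type, ncmds = struct.unpack_from("<5I", data)
    pos, signed = HEADER_SIZE[magic], False
    while ncmds > 0 and pos + 8 <= len(data):  # walk the load commands
        cmd, cmdsize = struct.unpack_from("<2I", data, pos)
        signed = signed or cmd == LC_CODE_SIGNATURE
        pos, ncmds = pos + max(cmdsize, 8), ncmds - 1
    return CPU.get(cpu, hex(cpu)), signed

def slices(data):
    """Return the slices of a thin or universal (fat, big-endian header) binary."""
    parts = [data]
    if data[:4] == b"\xca\xfe\xba\xbe" and len(data) >= 8:
        count = min(struct.unpack_from(">I", data, 4)[0], (len(data) - 8) // 20)
        archs = [struct.unpack_from(">5I", data, 8 + 20 * i) for i in range(count)]
        parts = [data[off:off + size] for _cpu, _sub, off, size, _align in archs]
    return [s for s in map(thin_slice, parts) if s]

def unsigned_natives(jar_bytes):
    """List 'entry (arch)' for each Mach-O slice in the jar with no signature."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n for n in jar.namelist() if not n.endswith(".class")]  # .class shares 0xCAFEBABE
        return sorted(f"{n} ({a})" for n in names for a, ok in slices(jar.read(n)) if not ok)

def macho_stub(cpu, cmd):
    """Constructed sample: 64-bit dylib header plus one 16-byte load command."""
    return struct.pack("<12I", 0xFEEDFACF, cpu, 0, 6, 1, 16, 0, 0, cmd, 16, 0, 0)

def sample_jar():
    """Constructed jar: signed arm64 stub, unsigned x86_64 stub, a class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("native/darwin-aarch64/libdemo.jnilib", macho_stub(0x0100000C, 0x1D))
        jar.writestr("native/darwin-x86-64/libdemo.jnilib", macho_stub(0x01000007, 0x2A))
        jar.writestr("demo/Main.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
    return buf.getvalue()
```

Calling `unsigned_natives(sample_jar())` returns only the x86_64 entry; on a real build, pass the bytes of each plugin jar before submitting the product for notarization.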