Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [orbit-dev] [platform-releng-dev] Fwd: macOS Native libjnidispatch.jnilib in com.sun.jna_* jars not codesigned

Hi Sravan,

That does help a lot - thank you!

And indeed, the CDT team does not sign the native libraries it builds. Nor does Orbit AFAIU. For the 2021-03 M1 build that will mean the EPP project does not deliver notarized builds for some packages.

Out of curiosity* does the platform sign any Windows native libraries?

Thanks
Jonah

* the kind that kills the cat because it means that I have more work to do.


~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com


On Thu, 15 Apr 2021 at 06:33, Sravan K Lakkimsetti <sravankumarl@xxxxxxxxxx> wrote:

Hi Jonah,

 

The log indicates the following are not signed

 

org.eclipse.cdt.core.macosx_6.0.200.202104050118.jar/os/macosx/x86/libpty.jnilib

org.eclipse.cdt.core.macosx_6.0.200.202104050118.jar/os/macosx/x86/libspawner.jnilib

org.eclipse.cdt.core.macosx_6.0.200.202104050118.jar/os/macosx/x86_64/libpty.jnilib

org.eclipse.cdt.core.macosx_6.0.200.202104050118.jar/os/macosx/x86_64/libspawner.jnilib

org.eclipse.cdt.native.serial_1.2.200.202104050118.jar/os/macosx/x86_64/libserial.jnilib

 

In platform case we sign native libraries using these shell functions

Code snippets:

fn-mac-sign ()

{

    filename=$1

    mv ${filename} unsigned-${filename}

    curl -o ${filename} -F file=@unsigned-${filename} https://cbi.eclipse.org/macos/codesign/sign

    if [ $? -ne 0 ]

    then

          echo "Signing of ${filename} failed"

        exit 1

    else

          rm unsigned-${filename}

    fi

   

}

 

fn-mac-sign-exe ()

{

    filename=$1

    mv ${filename} unsigned-${filename}

    rm -f sdk.entitlement

    wget https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/plain/eclipse.platform.releng.tychoeclipsebuilder/entitlement/sdk.entitlement

    curl -o ${filename} -F file=@unsigned-${filename} -F entitlements=@sdk.entitlement https://cbi.eclipse.org/macos/codesign/sign

    if [ $? -ne 0 ]

    then

          echo "Signing of ${filename} failed"

        exit 1

    else

          rm unsigned-${filename}

    fi

}

 

Most probably cdt team did not have this implemented. That might be the reason why you are seeing notarization issues with cdt.

 

Regarding the problem with jna libraries, I haven’t see this problem in platform. I had a review of the notarization log reproduced below

SDK Product for arm64

{

  "uuid":"0875adfd-7e13-4d97-9761-0e1bcffae634",

  "notarizationStatus":{

    "status":"COMPLETE",

    "message":"Notarization ticket has been stapled successfully to uploaded file. You can now download the stapled file",

    "moreInfo":"Notarization ticket has been stapled to the uploaded file successfully",

    "log":"{

      "logFormatVersion": 1,

      "jobId": "934151c1-f2b7-4436-920d-d3861d82e457",

      "status": "Accepted",

      "statusSummary": "Ready for distribution",

      "statusCode": 0,

      "archiveFilename": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg",

      "uploadDate": "2021-04-15T06:26:04Z",

      "sha256": "d9e03d950106239ab82d9be40de6ffa1556def951e9052fbc21507a47c0b4dab",

      "ticketContents": [

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg",

          "digestAlgorithm": "SHA-256",

          "cdhash": "8fb39088b61f14afcb3534e1df5104636da58285"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app",

          "digestAlgorithm": "SHA-256",

          "cdhash": "eeb0720e99d4374982b0b1134e17087e47c874ab",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/p2/org.eclipse.equinox.p2.core/cache/binary/org.eclipse.sdk.ide.executable.cocoa.macosx.arm64_4.20.0.I20210415-0010/MacOS/eclipse",

          "digestAlgorithm": "SHA-256",

          "cdhash": "1fd82def0bceccd5323f58b364b5f9256dc428ce",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.core.filesystem.macosx_1.3.300.v20210323-1619.jar/os/macosx/libunixfile_1_0_0.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "e37eb237e4687575f774c028e8aa4a4913e37a37",

          "arch": "x86_64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.core.filesystem.macosx_1.3.300.v20210323-1619.jar/os/macosx/libunixfile_1_0_0.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "86006f61e0eadafeb935a0de05828ea98a6308e1",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.security.macosx_1.101.400.v20210326-2149.jar/libkeystoreNative.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "ed40b217ecca26fd72ac7ee3e7abd8c4bc2596fa",

          "arch": "x86_64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.security.macosx_1.101.400.v20210326-2149.jar/libkeystoreNative.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "f0724dea441043db4efe6f3bc27a34bc73e87439",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.arm64_3.116.100.v20210414-2208.jar/libswt-awt-cocoa-4944r16.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "30398a50428da1528a2df7862c34e9faadcd6049",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.arm64_3.116.100.v20210414-2208.jar/libswt-cocoa-4944r16.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "0d0ab568f652e89e5faaabdb52cb334f229937b5",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.arm64_3.116.100.v20210414-2208.jar/libswt-pi-cocoa-4944r16.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "78b052a8654d114f5aa96ff0eae4a8a3df6371fd",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.arm64_1.2.200.v20210409-2137/eclipse_11404.so",

          "digestAlgorithm": "SHA-256",

          "cdhash": "38d5acf197444cbb7717fea3dbfb2093623eb6e0",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx_1.2.200.v20210409-2137/eclipse_11404.so",

          "digestAlgorithm": "SHA-256",

          "cdhash": "38d5acf197444cbb7717fea3dbfb2093623eb6e0",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-arm64-326013019904053180.dmg/Eclipse.app/Contents/MacOS/eclipse",

          "digestAlgorithm": "SHA-256",

          "cdhash": "eeb0720e99d4374982b0b1134e17087e47c874ab",

          "arch": "arm64"

       }

      ],

      "issues": null

    }"

  }

}

 

SDK Product for x86_64

{

  "uuid":"ac5ae3f9-69a2-40a6-9660-44e4c7f34a7d",

  "notarizationStatus":{

    "status":"COMPLETE",

    "message":"Notarization ticket has been stapled successfully to uploaded file. You can now download the stapled file",

    "moreInfo":"Notarization ticket has been stapled to the uploaded file successfully",

      "log":"{

      "logFormatVersion": 1,

      "jobId": "906f291a-5279-4fb4-b943-315533365178",

      "status": "Accepted",

      "statusSummary": "Ready for distribution",

      "statusCode": 0,

      "archiveFilename": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg",

      "uploadDate": "2021-04-15T06:26:21Z",

      "sha256": "0678633ba773311739cf3811782e21e8dbe075dc73078e2ff033dd836b7975e4",

      "ticketContents": [

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg",

          "digestAlgorithm": "SHA-256",

          "cdhash": "19ac7d3a7e0c5c90eb22e6a746bcb45540afb25d"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app",

          "digestAlgorithm": "SHA-256",

          "cdhash": "99132c8fb1afb13dade48f4c7f88e509bcaa9fa3",

          "arch": "x86_64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/p2/org.eclipse.equinox.p2.core/cache/binary/org.eclipse.sdk.ide.executable.cocoa.macosx.x86_64_4.20.0.I20210415-0010/MacOS/eclipse",

          "digestAlgorithm": "SHA-256",

          "cdhash": "0c8645d95bc30c0d9442c79d149c20da71ddab5a",

          "arch": "x86_64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.core.filesystem.macosx_1.3.300.v20210323-1619.jar/os/macosx/libunixfile_1_0_0.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "e37eb237e4687575f774c028e8aa4a4913e37a37",

          "arch": "x86_64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.core.filesystem.macosx_1.3.300.v20210323-1619.jar/os/macosx/libunixfile_1_0_0.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "86006f61e0eadafeb935a0de05828ea98a6308e1",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.security.macosx_1.101.400.v20210326-2149.jar/libkeystoreNative.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "ed40b217ecca26fd72ac7ee3e7abd8c4bc2596fa",

          "arch": "x86_64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.security.macosx_1.101.400.v20210326-2149.jar/libkeystoreNative.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "f0724dea441043db4efe6f3bc27a34bc73e87439",

          "arch": "arm64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.x86_64_3.116.100.v20210414-2208.jar/libswt-awt-cocoa-4944r16.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "1e8712079396137bc1acaade9a16bb63619c644e",

          "arch": "x86_64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.x86_64_3.116.100.v20210414-2208.jar/libswt-cocoa-4944r16.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "aa3d46be45a68c6cd7f07311078689006c6b111f",

          "arch": "x86_64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.cocoa.macosx.x86_64_3.116.100.v20210414-2208.jar/libswt-pi-cocoa-4944r16.jnilib",

          "digestAlgorithm": "SHA-256",

          "cdhash": "83369b80774681587d61a14e842fe218b56d4ac1",

          "arch": "x86_64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.2.200.v20210409-2137/eclipse_11404.so",

          "digestAlgorithm": "SHA-256",

          "cdhash": "576bca6d63b0a3e7542fe3d9d107f72af2c7be7d",

          "arch": "x86_64"

        },

        {

          "path": "eclipse-SDK-I20210415-0010-macosx-cocoa-x86_64-4954633691489410390.dmg/Eclipse.app/Contents/MacOS/eclipse",

          "digestAlgorithm": "SHA-256",

          "cdhash": "99132c8fb1afb13dade48f4c7f88e509bcaa9fa3",

          "arch": "x86_64"

        }

      ],

      "issues": null

    }"

  }

}

 

Jna libraries are not even logged here. Not sure on how this happened. I guess this is the reason we don’t see notarization errors.

 

Sorry If I am not of mush help here

 

Regards

Sravan

 

From: Jonah Graham <jonah@xxxxxxxxxxxxxxxx>
Sent: 14 April 2021 20:04
To: Eclipse platform release engineering list. <platform-releng-dev@xxxxxxxxxxx>; Orbit Developer discussion <orbit-dev@xxxxxxxxxxx>
Subject: [EXTERNAL] [platform-releng-dev] Fwd: [orbit-dev] macOS Native libjnidispatch.jnilib in com.sun.jna_* jars not codesigned

 

Hi Platform releng folk,

 

I can confirm similar failures that Martin reported when I tried to notarize the EPP packages. However I don't see the JNA failures, I do see CDT's native libraries failing to notarize.

 

Has the Platform done anything to handle such notarization for JNA that Orbit and/or EPP and/or CDT can do to resolve this?

 

 

Thanks

Jonah

 

 


~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com

 

---------- Forwarded message ---------
From: Martin D'Aloia <martindaloia@xxxxxxxxx>
Date: Wed, 14 Apr 2021 at 00:06
Subject: Re: [orbit-dev] macOS Native libjnidispatch.jnilib in com.sun.jna_* jars not codesigned
To: Orbit Developer discussion <orbit-dev@xxxxxxxxxxx>

 

Jonah,

 

Thanks for the quick response and pointing out the issue on the project (didn't know about that project). The full error log thrown to us by the Apple Notarization service is exactly the same as the one shown there.

 

[...] because the Orbit project does not build the natives

Really there is no need to (re)build the native libraries, it could be codesigned using the file present on the released jar. In fact it is what we ended up doing in our pipeline (using our Apple Developer certificate).

I'm not aware if there is already another bundle in Orbit that has a native library that is codesigned by the Eclipse project.

 

[...] the bug has a clue as to the problem with notarization, the version of macOS?

The version isn't really the problem as it is notarized on an Apple service. 

I think he mentioned it because from 10.14.5 it is required that the app is notarized as it is stated here: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run. 

Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized.

 

I've downloaded the following https://www.eclipse.org/downloads/download.php?file=/eclipse/downloads/drops4/S-4.20M1-202104071800/eclipse-SDK-4.20M1-macosx-cocoa-x86_64.dmg and it seems that it only has the 5.8 version which includes a lib for 2 different darwin/macos architectures (aarch64 and x86-64). The first one seems to have a codesign but I'm not totally sure that it is valid (there is no Authority tag and the TeamIdentifier tag is not set). The second one is not codesigned at all.

I still don't know why the notarization of the Eclipse is not throwing an error about it.

 

 

$ spctl -a -vvv -t install Eclipse-4.20M1.app
Eclipse-4.20M1.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)

 

$ jar xf com.sun.jna_5.8.0.v20210406-1004.jar com/sun/jna/darwin-aarch64/libjnidispatch.jnilib com/sun/jna/darwin-x86-64/libjnidispatch.jnilib

 

$ codesign -vvv --display --deep --strict com/sun/jna/darwin-aarch64/libjnidispatch.jnilib
Executable=/Users/mdaloia/Downloads/notarization/eclipse-418/com/sun/jna/darwin-aarch64/libjnidispatch.jnilib
Identifier=libjnidispatch-aarch64.jnilib
Format=Mach-O universal (arm64)
CodeDirectory v=20400 size=1366 flags=0x20002(adhoc,???) hashes=39+0 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=0bbfc8b3d63d8668a4700838b2be6ae86ad03230
CandidateCDHashFull sha256=0bbfc8b3d63d8668a4700838b2be6ae86ad03230e927c6c0f7373bd9db98034f
Hash choices=sha256
CMSDigest=0bbfc8b3d63d8668a4700838b2be6ae86ad03230e927c6c0f7373bd9db98034f
CMSDigestType=2
CDHash=0bbfc8b3d63d8668a4700838b2be6ae86ad03230
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none

 

$ codesign -vvv --display --deep --strict com/sun/jna/darwin-x86-64/libjnidispatch.jnilib
com/sun/jna/darwin-x86-64/libjnidispatch.jnilib: code object is not signed at all

 

 

Let me know if I can make any other test if needed.

 

Thanks,

Martin

 

On Tue, Apr 13, 2021 at 8:53 PM Jonah Graham <jonah@xxxxxxxxxxxxxxxx> wrote:

Hi Martin,

 

Thank you for bringing this to our collective attention. As far as I know the Eclipse platform notarizes every build available from https://download.eclipse.org/eclipse/downloads/ and I haven't heard of any recent notarization problems. I will be building and notarizing the EPP packages on Thursday so I will keep this in mind.

 

I don't have easy access to a macOS machine - can you see if the 4.20M1 bundle available from the above link has the same issue? If not, I suspect in someway the notarization is being run differently.

 

However, if this is a problem and the JNA needs to be signed for macOS then the problem probably needs to be resolved by the JNA project because the Orbit project does not build the natives. However, the project has recently made it clear that this won't happen - see https://github.com/java-native-access/jna/issues/1306. (BTW the bug has a clue as to the problem with notarization, the version of macOS?)

 

PS With any luck the final 4.20 (2021-06) release will not have JNA 4.5 in it and instead will be upgraded to JNA 5.8. Already 5.8 is used in some places.

 

Jonah

 

 

~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com

 

 

On Tue, 13 Apr 2021 at 19:31, Martin D'Aloia <martindaloia@xxxxxxxxx> wrote:

Hi,

We sent our product (based on Eclipse 4.18) to Apple Notarization service and it failed with the following errors for this native library: plugins/com.sun.jna_4.5.1.v20190425-1842.jar/com/sun/jna/darwin/libjnidispatch.jnilib

- The binary is not signed.
- The signature does not include a secure timestamp.

Shouldn't this dependency be codesigned in Orbit?
Should I open a bug?


What is odd is that Eclipse 4.19 seems to be notarized but verifying this lib on the shipped jar we could see that it is not codesigned. I have no other explanation than it is a recent requirement from Apple. If that is the case maybe the notarization of Eclipse 4.20 would face the same issue.

$ cat Eclipse.app/Contents/Eclipse/.eclipseproduct
name=Eclipse Platform
id=org.eclipse.platform
version=4.19.0

$ spctl -a -vvv -t install Eclipse.app
Eclipse.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)

$ jar xf Eclipse.app/Contents/Eclipse/plugins/com.sun.jna_4.5.1.v20190425-1842.jar com/sun/jna/darwin/libjnidispatch.jnilib

$ codesign -vvv --display --deep --strict com/sun/jna/darwin/libjnidispatch.jnilib
com/sun/jna/darwin/libjnidispatch.jnilib: code object is not signed at all

 

If needed I can provide expected output and full error json provided by the Apple Notarization service.

 

Thanks in advance,

Martin

_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/orbit-dev

_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/orbit-dev

_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/orbit-dev


_______________________________________________
platform-releng-dev mailing list
platform-releng-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/platform-releng-dev

Back to the top